Discussion:
Samba4 ACLs and Linux ACLs
André Stierenberg
2010-10-23 15:05:29 UTC
hi...

I have Samba4 running. Is it possible to use the ACLs assigned to the
file via Samba4 in Linux?
E.g. I have the Samba4 user 'andre' and I use winbind to authenticate
against the AD, and a file 'test.dat' with owner 'Administrator'. Now I
use Windows to assign an ACL so 'andre' can read 'test.dat', but when I
try under Linux to access the file 'test.dat' with the user 'andre' the
access is denied!

I mean, is it possible to map the Samba4 ACLs to POSIX ACLs?

Andre
Jeremy Allison
2010-10-23 22:49:20 UTC
Post by André Stierenberg
hi...
I have Samba4 running. Is it possible to use the ACLs assigned to
the file via Samba4 in Linux?
E.g. I have the Samba4 user 'andre' and I use winbind to
authenticate against the AD, and a file 'test.dat' with owner
'Administrator'. Now I use Windows to assign an ACL so 'andre' can
read 'test.dat', but when I try under Linux to access the file
'test.dat' with the user 'andre' the access is denied!
I mean, is it possible to map the Samba4 ACLs to POSIX ACLs?

Not until the source3 fileserver is merged with source4 I'm
afraid. All the cleverness in mapping to POSIX ACLs is in the
source3 smbd only right now.

Jeremy.
André Stierenberg
2010-10-24 10:29:41 UTC
Post by Jeremy Allison
Post by André Stierenberg
hi...
I have Samba4 running. Is it possible to use the ACLs assigned to
the file via Samba4 in Linux?
E.g. I have the Samba4 user 'andre' and I use winbind to
authenticate against the AD, and a file 'test.dat' with owner
'Administrator'. Now I use Windows to assign an ACL so 'andre' can
read 'test.dat', but when I try under Linux to access the file
'test.dat' with the user 'andre' the access is denied!
I mean, is it possible to map the Samba4 ACLs to POSIX ACLs?
Not until the source3 fileserver is merged with source4 I'm
afraid. All the cleverness in mapping to POSIX ACLs is in the
source3 smbd only right now.
Jeremy.

So, what can I do? I need to use ACLs in Windows and the same on the Linux
server. I use ext4 fs on the Linux server, but ext4 only supports POSIX ACLs.
What should I do? Can I change the filesystem (e.g. ZFS) so that I can
use the NT ACLs in Linux or should I try s3compat? I also have to use
the NT ACLs via NFS. Any idea?

Andre
Volker Lendecke
2010-10-24 10:39:32 UTC
Post by André Stierenberg
So, what can I do? I need to use ACLs in Windows and the same on
the Linux server. I use ext4 fs on the Linux server, but ext4 only
supports POSIX ACLs.
What should I do? Can I change the filesystem (e.g. ZFS) so that I
can use the NT ACLs in Linux or should I try s3compat? I also have
to use the NT ACLs via NFS. Any idea?

With OpenSolaris and ZFS you have a chance to get closer to
what you want, using the NFSv4 ACL model. But right now what
you want (100% NTFS ACLs usable from Windows, local Unix
processes and NFS) is just not possible. Even large NAS
servers like the ones from NetApp and EMC don't give you
that. This is just not solvable 100%, because Windows, Posix
and NFSv4 have different ACL semantics.

With NFSv4 ACLs available in OpenSolaris and ZFS you get
very close, and we will be happy to help you utilizing
those.

Volker
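
As an added illustration of the differing ACL semantics described above (not code from Samba or from any poster in this thread), these simplified Python models of an NT-style DACL walk and a POSIX.1e-style check evaluate the same intent and disagree. The group 'staff', the user 'bob' and the permission values are constructed, and the owning group is folded into the named groups for brevity.

```python
# Added illustration: simplified models of the two access checks (not Samba code).
READ, WRITE = 4, 2

def nt_access(dacl, user, groups, want):
    """NT-style: walk ACEs in order; a deny on a still-wanted bit ends the walk."""
    sids = {user, *groups}
    remaining = want
    for ace_type, trustee, mask in dacl:
        if trustee not in sids:
            continue
        if ace_type == "deny" and (mask & remaining):
            return False
        if ace_type == "allow":
            remaining &= ~mask
            if not remaining:
                return True
    return False  # some wanted bit was never granted

def posix_access(acl, user, groups, want):
    """POSIX.1e-style: only the most specific matching class is consulted."""
    mask = acl["mask"]
    if user == acl["owner"]:
        return (acl["user_obj"] & want) == want
    if user in acl["users"]:
        return (acl["users"][user] & mask & want) == want
    matching = [perm for grp, perm in acl["groups"].items() if grp in groups]
    if matching:
        return any((perm & mask & want) == want for perm in matching)
    return (acl["other"] & want) == want

# Constructed sample: test.dat owned by Administrator, 'andre' granted read,
# hypothetical group 'staff' refused read (deny ACE first, Windows canonical order).
NT_DACL = [
    ("deny", "staff", READ),
    ("allow", "andre", READ),
    ("allow", "Administrator", READ | WRITE),
]
# Closest POSIX rendering: there is no deny entry, so 'staff' just gets no bits.
POSIX_ACL = {"owner": "Administrator", "user_obj": READ | WRITE,
             "users": {"andre": READ}, "groups": {"staff": 0},
             "mask": READ, "other": 0}

def compare(user, groups, want=READ):
    """Return (nt_result, posix_result) for the same request."""
    return (nt_access(NT_DACL, user, groups, want),
            posix_access(POSIX_ACL, user, groups, want))

if __name__ == "__main__":
    for who, grps in [("andre", set()), ("andre", {"staff"}), ("bob", {"staff"})]:
        print(who, sorted(grps), compare(who, grps))
```

When 'andre' is also a member of 'staff', the NT-style walk refuses the read while the POSIX-style check grants it, because the named-user entry is consulted before any group entry and there is no deny entry to carry over.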
André Stierenberg
2010-10-24 10:48:08 UTC
Post by Volker Lendecke
Post by André Stierenberg
So, what can I do? I need to use ACLs in Windows and the same on
the Linux server. I use ext4 fs on the Linux server, but ext4 only
supports POSIX ACLs.
What should I do? Can I change the filesystem (e.g. ZFS) so that I
can use the NT ACLs in Linux or should I try s3compat? I also have
to use the NT ACLs via NFS. Any idea?
With OpenSolaris and ZFS you have a chance to get closer to
what you want, using the NFSv4 ACL model. But right now what
you want (100% NTFS ACLs usable from Windows, local Unix
processes and NFS) is just not possible. Even large NAS
servers like the ones from NetApp and EMC don't give you
that. This is just not solvable 100%, because Windows, Posix
and NFSv4 have different ACL semantics.
With NFSv4 ACLs available in OpenSolaris and ZFS you get
very close, and we will be happy to help you utilizing
those.
Volker

Ok. And what about using the NT ACLs via NFS on a Linux client which can
authenticate against Samba4 AD? (and what about CIFS? but it is too slow)

Andre
Volker Lendecke
2010-10-24 11:39:00 UTC
Post by André Stierenberg
Ok. And what about using the NT ACLs via NFS on a Linux client which
can authenticate against Samba4 AD? (and what about CIFS? but it
is too slow)

Sorry, but I can't really speak authoritatively on the state
of NFSv4 in Linux. I would expect OpenSolaris to export
NFSv4 ACLs fine via the protocol (haven't checked though).
Whether you can make use of those via the Linux NFS client
-- no idea.

Regarding cifsfs being too slow, you should really contact
Steve French and Jeff Layton about what workload is too
slow. In the implementation, there's well-known vast room of
improvement that is fiddly to implement. Maybe you can be of
help there?

Volker
Jeremy Allison
2010-10-24 23:59:43 UTC
Post by André Stierenberg
So, what can I do? I need to use ACLs in Windows and the same on
the Linux server. I use ext4 fs on the Linux server, but ext4 only
supports POSIX ACLs.

Separate out the S4 AD service and add a S3 member server.
Use the acl_xattr module on S3 to store Windows ACLs perfectly,
whilst still having them mapped underneath to POSIX ACLs.

Just don't try and do file service and domain service off
the same server right now.

Post by André Stierenberg
What should I do? Can I change the filesystem (e.g. ZFS) so that I
can use the NT ACLs in Linux or should I try s3compat? I also have
to use the NT ACLs via NFS. Any idea?

That's not going to help. You can't use the NT ACLs via NFS either.

Jeremy.
Jeremy Allison
2010-10-25 00:00:28 UTC
Post by André Stierenberg
Ok. And what about using the NT ACLs via NFS on a Linux client which
can authenticate against Samba4 AD? (and what about CIFS? but it
is too slow)

I don't know what you mean here. Samba4 AD is not an NFS server.
J. Bruce Fields
2010-10-25 17:54:32 UTC
Post by Volker Lendecke
Post by André Stierenberg
Ok. And what about using the NT ACLs via NFS on a Linux client which
can authenticate against Samba4 AD? (and what about CIFS? but it
is too slow)
Sorry, but I can't really speak authoritatively on the state
of NFSv4 in Linux. I would expect OpenSolaris to export
NFSv4 ACLs fine via the protocol (haven't checked though).
Whether you can make use of those via the Linux NFS client
-- no idea.

See

http://acl.bestbits.at/richacl/

which is an attempt to add NT-like ACL support to ext4. It hasn't been
accepted into the Linux kernel yet.

Currently the Linux NFSv4 server attempts to map between posix and NFSv4
ACLs using the algorithm described in sections 6.2 and 7.2 of

http://www.citi.umich.edu/projects/nfsv4/rfc/draft-ietf-nfsv4-acl-mapping-05.txt

while the NFSv2/v3 code uses a sideband protocol to manage posix ACLs.

--b.
Jeremy Allison
2010-10-25 18:43:37 UTC
Post by J. Bruce Fields
Post by Volker Lendecke
Post by André Stierenberg
Ok. And what about using the NT ACLs via NFS on a Linux client which
can authenticate against Samba4 AD? (and what about CIFS? but it
is too slow)
Sorry, but I can't really speak authoritatively on the state
of NFSv4 in Linux. I would expect OpenSolaris to export
NFSv4 ACLs fine via the protocol (haven't checked though).
Whether you can make use of those via the Linux NFS client
-- no idea.
See
http://acl.bestbits.at/richacl/
which is an attempt to add NT-like ACL support to ext4. It hasn't been
accepted into the Linux kernel yet.
Currently the Linux NFSv4 server attempts to map between posix and NFSv4
ACLs using the algorithm described in sections 6.2 and 7.2 of
http://www.citi.umich.edu/projects/nfsv4/rfc/draft-ietf-nfsv4-acl-mapping-05.txt
while the NFSv2/v3 code uses a sideband protocol to manage posix ACLs.

Yes, I'm planning to support richacls but I don't see a finalized
userspace API for me to use yet.

Jeremy.
David Disseldorp
2010-10-26 09:24:26 UTC
Hi Jeremy,

On Mon, 25 Oct 2010 11:43:37 -0700
Post by Jeremy Allison
Yes, I'm planning to support richacls but I don't see a finalized
userspace API for me to use yet.

A WIP richacl Samba 3 VFS module is available at
git://oss.sgi.com/v4acls-experimental/samba.git
branch: 36t-richacl

It's currently a little rough around the edges:
- it should also handle nt dacls passed in on create, not just get/set
acl
- CREATOR_OWNER and CREATOR_GROUP aces are not supported
- automatic inheritance flags SEC_DESC_DACL_AUTO_INHERITED and
ACL4_AUTO_INHERIT are mapped to each other, however these flags offer
differing semantics on Windows and Linux (richacls).

Hopefully look at getting it upstream when the above issues are
resolved and it's had some thorough testing.

Anyhow, feel free to poke around. Suggestions, feedback and
ridicule welcome.

Cheers, David
Volker Lendecke
2010-10-26 09:49:18 UTC
Post by David Disseldorp
On Mon, 25 Oct 2010 11:43:37 -0700
Post by Jeremy Allison
Yes, I'm planning to support richacls but I don't see a finalized
userspace API for me to use yet.
A WIP richacl Samba 3 VFS module is available at
git://oss.sgi.com/v4acls-experimental/samba.git
branch: 36t-richacl
- it should also handle nt dacls passed in on create, not just get/set
acl
- CREATOR_OWNER and CREATOR_GROUP aces are not supported
- automatic inheritance flags SEC_DESC_DACL_AUTO_INHERITED and
ACL4_AUTO_INHERIT are mapped to each other, however these flags offer
differing semantics on Windows and Linux (richacls).
Hopefully look at getting it upstream when the above issues are
resolved and it's had some thorough testing.
Anyhow, feel free to poke around. Suggestions, feedback and
ridicule welcome.

Quick question:

richacl_for_each_entry(richace, richacl) {

Where do I find the definition of that macro?

Volker
David Disseldorp
2010-10-26 10:11:56 UTC
On Tue, 26 Oct 2010 11:49:18 +0200
Post by Volker Lendecke
Post by David Disseldorp
On Mon, 25 Oct 2010 11:43:37 -0700
Post by Jeremy Allison
Yes, I'm planning to support richacls but I don't see a finalized
userspace API for me to use yet.
A WIP richacl Samba 3 VFS module is available at
git://oss.sgi.com/v4acls-experimental/samba.git
branch: 36t-richacl
- it should also handle nt dacls passed in on create, not just
get/set acl
- CREATOR_OWNER and CREATOR_GROUP aces are not supported
- automatic inheritance flags SEC_DESC_DACL_AUTO_INHERITED and
ACL4_AUTO_INHERIT are mapped to each other, however these flags
offer differing semantics on Windows and Linux (richacls).
Hopefully look at getting it upstream when the above issues are
resolved and it's had some thorough testing.
Anyhow, feel free to poke around. Suggestions, feedback and
ridicule welcome.
richacl_for_each_entry(richace, richacl) {
Where do I find the definition of that macro?

richacl user space libraries are in the master branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/agruen/richacl.git

Cheers, David
