I've tried to set up a SAMBA file server that acts completely identically to a Microsoft Windows 2000 or 2003 one.

First of all, the problem with the ACI ordering is simple: the Microsoft ACI specification imposes that the DENY ACIs are put on top. It can be solved with a simple chmod.

Problem no. 2: the Samba NFSv4 ACL module doesn't interpret owner@, group@, [EMAIL PROTECTED] While the first ones are not surprising, because they have no direct mapping in the Windows well-known SIDs list, everyone@ is a very well-known Windows SID. These problems can be easily solved by initially setting the ACLs manually using chmod.

Problem no. 3: there is no umask(1) support for the NFSv4 ACI model, thus creating a new file from the UNIX shell or a UNIX program (say FTP) on that ZFS share will completely mess up your ACLs from a Windows perspective. Furthermore, I expected that once I set some ACIs, with the inheritance flags on, I would get those ACIs, period. While I do get inheritance of the ACIs, I also get some default ACIs added that kinda represent the traditional UNIX rights (which is very far from what I'm looking for). Furthermore, I also expect to be able to ignore the UNIX rights, as mixing the two of them is both confusing and difficult.

I think that mixing the two models (the NFSv4 and the Windows one) is improbable and it really does require that you make a choice to favor the Windows model or the NFSv4. Right now I've concluded that the SAMBA NFSv4 ACL support is completely useless, as it allows me to view ACLs set using chmod on an existing file, or change them to other _VALID_ Windows ACLs. Unfortunately, as soon as I try to create a new file or directory all of the benefits go to /dev/null, as I get a new file with default ACLs that have nothing to do with the inherited flags I've set, and that are completely invalid on a Windows system.

I am sure that we need to have a new zfs attribute that changes the behaviour of the relation between the UNIX attributes and the NFSv4 ACIs (eventually completely ignoring the UNIX ones), as well as specifying that the inherited ACIs are the only ones that will be applied to a newly created file or directory. We also need to have the samba config file support new file and directory creation masks that are a little more complex than 3 numbers (or to take the inheritance flags more seriously into consideration). We also need to add support to the nfs4acl module for interpreting owner@, group@ and [EMAIL PROTECTED]

The ACIs that I needed and that miserably failed me are rather simple (except for a few folders in which I had more complex ones):

    Domain Admins:rwxdDpaARWc--s:fd---:allow
    Domain Users:rwxdDpaARWc--s:fd---:allow
    Administrator:rwxdDpaARWcCos:fd---:allow

As you can probably see, I didn't even need deny ACLs. Obviously, I've initially set the ACLs with:

    chmod -R A=group:Domain\ Admins:rwxdDpaARWc--s:fd---:allow,group:Domain\ Users:rwxdDpaARWc--s:fd---:allow,user:Administrator:rwxdDpaARWcCos:fd---:allow

(or something like that), and it worked until I started creating files and folders.

I started this thread in the hope that we can make sure that in the future Samba will be able to perfectly emulate a Windows File Server in coordination with ZFS, especially considering Sun's offering in the storage area. I can also come up with technical details about the differences in behavior between a Windows Server and a Samba server on the problematic operations.

Cheers,
Razvan

This message posted from opensolaris.org
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
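
A way to check for the symptom this message describes, as an added example (not part of the original post and not Samba or ZFS code): it parses compact ACEs in the who:perms:flags:type form used above and reports what a newly created object carries beyond its parent's inheritable ACEs. The function names are hypothetical and the child ACL is constructed sample data, not captured ZFS output.

```python
from typing import NamedTuple

SPECIAL = {"owner@", "group@", "everyone@"}  # the entries named in the post

class Ace(NamedTuple):
    who: str          # "owner@" or e.g. "group:Domain Admins"
    perms: frozenset  # compact permission letters, order ignored
    flags: frozenset  # inheritance letters such as f and d
    kind: str         # "allow" or "deny"

def parse_ace(text):
    """Parse one compact ACE: who:perms:flags:allow|deny."""
    who, perms, flags, kind = text.strip().rsplit(":", 3)
    if kind not in ("allow", "deny"):
        raise ValueError(f"bad ACE type in {text!r}")
    return Ace(who.replace("\\ ", " "), frozenset(perms.replace("-", "")),
               frozenset(flags.replace("-", "")), kind)

def audit_new_object(parent_acl, child_acl, is_dir=False):
    """List ways a new child's ACL departs from pure inheritance."""
    parent = [parse_ace(a) for a in parent_acl]
    child = [parse_ace(a) for a in child_acl]
    wanted = "d" if is_dir else "f"   # dir_inherit vs file_inherit
    expected = {(a.who, a.perms, a.kind) for a in parent if wanted in a.flags}
    findings, seen_allow = [], False
    for a in child:
        if a.kind == "allow":
            seen_allow = True
        elif seen_allow:              # Windows order puts DENY entries first
            findings.append(f"deny after allow: {a.who}")
        if a.who in SPECIAL:
            findings.append(f"special entry: {a.who}:{a.kind}")
        elif (a.who, a.perms, a.kind) not in expected:
            findings.append(f"not inherited: {a.who}:{a.kind}")
    got = {(a.who, a.perms, a.kind) for a in child}
    missing = sorted(expected - got, key=lambda t: (t[0], t[2]))
    return findings + [f"missing inherited: {w}:{k}" for w, _, k in missing]

# Parent ACL as given in the post.
PARENT = ["group:Domain Admins:rwxdDpaARWc--s:fd---:allow",
          "group:Domain Users:rwxdDpaARWc--s:fd---:allow",
          "user:Administrator:rwxdDpaARWcCos:fd---:allow"]
# Constructed ACL of a new file: inherited ACEs plus UNIX-style defaults.
CHILD = [a.replace(":fd---:", ":-----:") for a in PARENT] + [
    "owner@:--x-----------:-----:deny",
    "owner@:rw-p---A-W-Co-:-----:allow",
    "everyone@:r-----a-R-c--s:-----:allow"]

if __name__ == "__main__":
    print("\n".join(audit_new_object(PARENT, CHILD)))
```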