On Thu, Oct 27, 2011 at 03:21:51PM -0400, Paul.Nickerson@xxxxxxxxxxxxxx wrote:
>
> I have an NFS4 server exporting a folder, and a Samba server importing that
> folder which it then turns around and shares over Samba. I would like
> Windows machines accessing this folder and its sub folders to be properly
> restricted according to ACLs.
>
> The NFS4 server is running CentOS 5.7 and is NFS exporting an EXT4 folder.
> The Samba server is running CentOS 6.0, and Samba 3.5.4-68.el6_0.2. On the
> Samba server, I am able to use chmod, chown, nfs4_setfacl, ls, and
> nfs4_getfacl to set and retrieve file and folder permissions and ACLs in
> the NFS4 mounted folder, and it all seems to be working sanely. I have both
> servers using winbind. On a Windows 7 machine, I am able to browse to
> \\test-samba-server, and see all the Samba shared folders that I've set up
> in smb.conf.
>
> Those folders and files where I have restricted or allowed read, write, and
> execute permissions for the domain user logged onto the Windows 7 machine,
> using the standard POSIX method, work as expected. Thus, I think winbind is
> working correctly right now. However, if I try to allow access through
> nfs4_setfacl (and keep the file or folder restricted through the file
> permissions), the user on the Windows 7 machine is always denied access.
>
> I am seeing this in /var/log/messages when I turn on lots of logging:
> Oct 26 16:01:39 test-samba-server smbd[14979]: [2011/10/26 16:01:39.737663,
> 1] smbd/dosmode.c:255(get_ea_dos_attribute)
> Oct 26 16:01:39 test-samba-server smbd[14979]: get_ea_dos_attributes:
> Cannot get attribute from EA on file .: Error = Operation not supported

This error isn't an ACL error, it's Samba trying to store the extra Windows attributes into a Linux EA.
If NFS doesn't support this, you'll need to stop Samba from trying to do this by doing:

    store dos attributes = no
    ea support = no

Unfortunately that means that Samba will have to fall back to trying to store the (necessary) extra metadata info in the normal POSIX permissions, which will mess up the NFS ACLs.

It's probably better to move the Samba server onto the same machine that's exporting NFSv4 and ensure POSIX ACL and EA support are enabled on that EXT4 disk. Then Samba can export Windows ACLs correctly if you set:

    store dos attributes = yes
    ea support = yes
    vfs objects = acl_xattr

in the share definition. That causes Samba to store Windows EAs (not strictly needed), Windows metadata and Windows ACLs into EXT4 EAs.

Jeremy.
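Added example, not part of the original message and not Samba project code: a small Python check that pairs each share in an smb.conf with the file system type of its path and reports the two situations the reply describes. The share names, paths and mount table are constructed samples, and treating an absent parameter as off is an assumption of this sketch.

```python
import configparser

# Constructed sample inputs, not taken from the thread.
SMB_CONF = """\
[global]
workgroup = EXAMPLE
[nfsdata]
path = /mnt/nfs4/data
store dos attributes = yes
ea support = yes
[localdata]
path = /srv/data
store dos attributes = yes
ea support = yes
vfs objects = acl_xattr
"""
MOUNTS = """\
/dev/sda1 / ext4 rw 0 0
/dev/sdb1 /srv/data ext4 rw,acl,user_xattr 0 0
nfsserver:/export /mnt/nfs4 nfs4 rw 0 0
"""
WANTED = ("store dos attributes", "ea support")  # settings named in the reply

def fs_type_for(path, mounts_text):
    """File system type of the longest mount point containing path."""
    best_len, best_type = -1, None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and (path + "/").startswith(fields[1].rstrip("/") + "/"):
            if len(fields[1]) > best_len:
                best_len, best_type = len(fields[1]), fields[2]
    return best_type

def check_shares(conf_text, mounts_text):
    """Map each share with a path to a list of findings (empty = consistent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for share in cp.sections():
        if share == "global" or not cp.has_option(share, "path"):
            continue
        def on(key):  # share value, else [global]; absent counts as off (assumption)
            return next((cp.getboolean(s, key) for s in (share, "global")
                         if cp.has_option(s, key)), False)
        fstype = fs_type_for(cp.get(share, "path"), mounts_text) or ""
        acl_xattr = "acl_xattr" in cp.get(share, "vfs objects", fallback="").split()
        issues = []
        if fstype.startswith("nfs") and (acl_xattr or any(on(k) for k in WANTED)):
            issues.append("EA-backed settings on %s: expect 'Operation not supported'" % fstype)
        elif not fstype.startswith("nfs") and not (acl_xattr and all(on(k) for k in WANTED)):
            issues.append("missing part of: store dos attributes, ea support, vfs objects = acl_xattr")
        report[share] = issues
    return report
```

On a real host, pass the contents of smb.conf and /proc/mounts instead of the constructed strings.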