Mapping POSIX ACLs to NFSv4 ACLs for Samba storage

Hi all,

I propose to talk about an issue. I have a task of moving data from UFS+ACLs storage to a ZFS pool. Dump/restrore is the best way. But only owner/owner_group is saved. I've written a Perl script to translate POSIX ACLs to NFSv4 ACLs. I referred to the last draft of it (http://tools.ietf.org/html/draft-ietf-nfsv4-acl-mapping-05) to emulate POSIX behaviour of permissions. I got something like that, for instance:

Source directory on UFS:
Code:
> getfacl  /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user::rwx
user:10015:r-x
user:10049:r-x
user:10072:rwx
group::---
group:544:rwx
group:10008:rwx
group:10131:r-x
mask::rwx
other::---

> getfacl  -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
user::rwx
user:10015:r-x
user:10049:r-x
user:10072:rwx
group::---
group:544:rwx
group:10008:rwx
group:10131:r-x
mask::rwx
other::---
Target directory on ZFS:
Code:
# getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/ 
# file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
              owner@:--------------:fd----:deny
              owner@:rwxpD-aA--cC-s:fd----:allow
        user:10015:-w-p---A---C--:fd----:deny
        user:10015:r-x---a---c--s:fd----:allow
        user:10049:-w-p---A---C--:fd----:deny
        user:10049:r-x---a---c--s:fd----:allow
        user:10072:-------A---C--:fd----:deny
        user:10072:rwxpD-a---c--s:fd----:allow
              group@:------a---c--s:fd----:allow
     group:10008:rwxpD-a---c--s:fd----:allow
         group:544:rwxpD-a---c--s:fd----:allow
     group:10131:r-x---a---c--s:fd----:allow
              group@:rwxp---A---C--:fd----:deny
     group:10008:-------A---C--:fd----:deny
         group:544:-------A---C--:fd----:deny
     group:10131:-w-p---A---C--:fd----:deny
        everyone@:rwxp---A---C--:fd----:deny
        everyone@:------a---c--s:fd----:allow

I was happy, but Windows made me sad. When I tried to look at permissions of a file or a directory with a Windows file browser I had warning about ordering of permissions. Then I tried to edit permissions and allowed reordering and got this result of that:

Code:
getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
# owner: 10051
# group: 513
        user:10015:-w-pD--A---C--:fd----:deny
        user:10049:-w-pD--A---C--:fd----:deny
        user:10072:-------A---C--:fd----:deny
              group@:rwxpD--A---C--:fd----:deny
     group:10008:-------A---C--:fd----:deny
          group:544:-------A---C--:fd----:deny
     group:10131:-w-pD--A---C--:fd----:deny
        everyone@:rwxpD--A---C--:fd----:deny    <<<<<<<<<
             owner@:rwxpD-aA--cC--:fd----:allow
       user:10015:r-x---a---c---:fd----:allow
       user:10049:r-x---a---c---:fd----:allow
       user:10072:rwxpD-a---c---:fd----:allow
             group@:------a---c---:fd----:allow
    group:10008:rwxpD-a---c---:fd----:allow
         group:544:rwxpD-a---c---:fd----:allow
     group:10131:r-x---a---c---:fd----:allow
         everyone@:------a---c---:fd----:allow

But it won't work, because of (everyone@:rwxpD--A---C--:fd----:deny). It's a mess. As it turned out according to http://msdn.microsoft.com/en-us/library/windows/desktop/aa379298(v=vs.85).aspx it's a rule of ordering of Windows permissions.
 
I propose another solution that will meet both POSIX and Windows requirements. For that example:
("deny" to prevent individual "allow" permissions within groups)

Code:
owner@:--------------:fd----:deny
user:10015:-w-p---A---C--:fd----:deny
user:10049:-w-p---A---C--:fd----:deny
user:10072:-------A---C--:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:r-x---a---c--s:fd----:allow
user:10049:r-x---a---c--s:fd----:allow
user:10072:rwxpD-a---c--s:fd----:allow

group@:------a---c--s:fd----:allow
group:10008:rwxpD-a---c--s:fd----:allow
group:544:rwxpD-a---c--s:fd----:allow
group:10131:r-x---a---c--s:fd----:allow
 
everyone@:------a---c--s:fd----:allow

Everyone that is not allowed is forbidden. But this is not a universal solution. What do you think about it?
 
What I really want is something like Microsoft's "resulting policy" tool. It's quite hard to find out through all that output from getfacl what is the resulting ACL for a user.
 
Back
Top