From: "Prokofiev S.P." (envelope-from proks@skylinetele.com)
Organization: Skyline Telecom
Date: Fri, 11 Oct 2013 16:47:57 +0300
Message-ID: <5258018D.2040301@skylinetele.com>
To: freebsd-fs@freebsd.org
Subject: Mapping POSIX ACLs to NFSv4 ACLs for Samba storage

Hi all,

I propose to talk about an issue. I have a task of moving data from UFS+ACLs storage to a ZFS pool. Dump/restore is the best way, but only owner/owner_group is saved. I've written a Perl script to translate POSIX ACLs to NFSv4 ACLs. I referred to the last draft of it (http://tools.ietf.org/html/draft-iet...acl-mapping-05) to emulate the POSIX behaviour of permissions. I got something like this, for instance:

Source directory on UFS:

    > getfacl /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
    # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
    # owner: 10051
    # group: 513
    user::rwx
    user:10015:r-x
    user:10049:r-x
    user:10072:rwx
    group::---
    group:544:rwx
    group:10008:rwx
    group:10131:r-x
    mask::rwx
    other::---

    > getfacl -d /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
    # file: /zjail/ads/home/samba-old/docs/SECRETARY/CERTIFICATE/
    # owner: 10051
    # group: 513
    user::rwx
    user:10015:r-x
    user:10049:r-x
    user:10072:rwx
    group::---
    group:544:rwx
    group:10008:rwx
    group:10131:r-x
    mask::rwx
    other::---

Target directory on ZFS:

    # getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
    # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
    # owner: 10051
    # group: 513
    owner@:--------------:fd----:deny
    owner@:rwxpD-aA--cC-s:fd----:allow
    user:10015:-w-p---A---C--:fd----:deny
    user:10015:r-x---a---c--s:fd----:allow
    user:10049:-w-p---A---C--:fd----:deny
    user:10049:r-x---a---c--s:fd----:allow
    user:10072:-------A---C--:fd----:deny
    user:10072:rwxpD-a---c--s:fd----:allow
    group@:------a---c--s:fd----:allow
    group:10008:rwxpD-a---c--s:fd----:allow
    group:544:rwxpD-a---c--s:fd----:allow
    group:10131:r-x---a---c--s:fd----:allow
    group@:rwxp---A---C--:fd----:deny
    group:10008:-------A---C--:fd----:deny
    group:544:-------A---C--:fd----:deny
    group:10131:-w-p---A---C--:fd----:deny
    everyone@:rwxp---A---C--:fd----:deny
    everyone@:------a---c--s:fd----:allow

I was happy, but Windows made me sad. When I tried to look at the permissions of a file or a directory with a Windows file browser, I got a warning about the ordering of permissions. Then I tried to edit the permissions, allowed reordering, and got this result:

    getfacl /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
    # file: /zjail/ads/home/samba-new/docs/SECRETARY/CERTIFICATE/
    # owner: 10051
    # group: 513
    user:10015:-w-pD--A---C--:fd----:deny
    user:10049:-w-pD--A---C--:fd----:deny
    user:10072:-------A---C--:fd----:deny
    group@:rwxpD--A---C--:fd----:deny
    group:10008:-------A---C--:fd----:deny
    group:544:-------A---C--:fd----:deny
    group:10131:-w-pD--A---C--:fd----:deny
    everyone@:rwxpD--A---C--:fd----:deny      <<<<<<<<<
    owner@:rwxpD-aA--cC--:fd----:allow
    user:10015:r-x---a---c---:fd----:allow
    user:10049:r-x---a---c---:fd----:allow
    user:10072:rwxpD-a---c---:fd----:allow
    group@:------a---c---:fd----:allow
    group:10008:rwxpD-a---c---:fd----:allow
    group:544:rwxpD-a---c---:fd----:allow
    group:10131:r-x---a---c---:fd----:allow
    everyone@:------a---c---:fd----:allow

But it won't work, because of the everyone@:rwxpD--A---C--:fd----:deny entry. It's a mess. As it turned out, according to http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx this is the rule for the ordering of Windows permissions.
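To make the ordering problem concrete, here is an added Python example (not the poster's Perl script) that evaluates FreeBSD-format NFSv4 ACLs with the first-match semantics of RFC 3530 and compares the mapped ACL with the Windows-reordered one. The ACL text is a constructed subset of the entries quoted in the message (owner@, user:10015 and everyone@ only); the requester uids and the file owner/group are taken from the getfacl output above.

```python
# Added example: NFSv4 ACL evaluation (RFC 3530 order-dependent semantics)
# over a subset of the ACL entries quoted in the message.

PERM_LETTERS = "rwxpDdaARWcCos"  # FreeBSD verbose permission positions
# Mapped ACL as the script produced it: each principal's deny precedes its allow.
MAPPED_ACL = """
owner@:--------------:fd----:deny
owner@:rwxpD-aA--cC-s:fd----:allow
user:10015:-w-p---A---C--:fd----:deny
user:10015:r-x---a---c--s:fd----:allow
everyone@:rwxp---A---C--:fd----:deny
everyone@:------a---c--s:fd----:allow
"""
# The same entries after Windows moved every deny ahead of every allow.
REORDERED_ACL = """
user:10015:-w-pD--A---C--:fd----:deny
everyone@:rwxpD--A---C--:fd----:deny
owner@:rwxpD-aA--cC--:fd----:allow
user:10015:r-x---a---c---:fd----:allow
everyone@:------a---c---:fd----:allow
"""

def parse_ace(line):
    """Split 'who[:id]:perms:flags:type' into (who, set of perm letters, type)."""
    f = line.split(":")
    if f[0] in ("owner@", "group@", "everyone@"):
        who, perms, ace_type = f[0], f[1], f[3]
    else:
        who, perms, ace_type = f[0] + ":" + f[1], f[2], f[4]
    mask = {PERM_LETTERS[i] for i, ch in enumerate(perms) if ch != "-"}
    return who, mask, ace_type

def ace_matches(who, uid, gids, owner, group):
    """Does the ACE principal apply to uid/gids on a file owned by owner:group?"""
    if who in ("owner@", "group@", "everyone@"):
        return who == "everyone@" or (uid == owner if who == "owner@" else group in gids)
    kind, ident = who.split(":")
    return int(ident) == uid if kind == "user" else int(ident) in gids

def access_allowed(acl_text, uid, gids, owner, group, want):
    """RFC 3530 walk: allows accumulate bits; a deny covering a still-undecided
    requested bit ends evaluation. True only if every letter in `want` was allowed."""
    requested, allowed = set(want), set()
    for line in acl_text.strip().splitlines():
        who, mask, ace_type = parse_ace(line)
        if not ace_matches(who, uid, gids, owner, group):
            continue
        if ace_type == "allow":
            allowed |= mask & requested
        elif (requested - allowed) & mask:
            return False  # deny hit before the bit was granted
        if requested <= allowed:
            return True
    return requested <= allowed
```

With the mapped order user 10015 gets r-x and even the owner keeps rwx; after the reordering the everyone@ deny is reached first and both are refused, which is exactly the breakage the message describes.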