Skip to content

WIP: AD DC provisioning with nfs4acl_xattr instead of acl_xattr

Thomas Geppert requested to merge geppi/samba:master into master

The objective is to enable the provisioning of an AD DC with the nfs4acl_xattr VFS module replacing the acl_xattr module.
Filesystems with support for NFS 4.1 ACLs could then enforce file and directory access restrictions via the OS.

Like acl_xattr, the nfs4acl_xattr VFS module should in theory provide a Windows ACL compatible backing store.
However, there are subtle differences which require code changes to just enable the provisioning process.

  • nfs4acl_xattr doesn't support POSIX ACLs because it provides NFS4 ACLs
  • NFS4 ACLs are not directly accessible in a "security.NTACL" extended attribute
  • the code storing NFS4 ACLs is consolidating redundant or non applicable ACEs which acl_xattr is not doing
  • NFS4 ACLs require a mapping between SIDs and POSIX uids/gids

The patches in this merge request address the above differences/issues for the provisioning process of an AD DC.
The changes only take effect if the nfs4acl_xattr VFS module is included in the list of vfs objects.

To enable testing this feature via the samba selftest facility an environment variable TESTENV_USE_NFS4ACLS is introduced.
If defined, the test environments will be generated with AD DCs that use the nfs4acl_xattr module, which can be verified with:

TESTENV_USE_NFS4ACLS=1 SELFTEST_TESTENV=ad_dc:local make testenv

What's missing is to run the relevant tests that could highlight eventually broken functionality.
Unfortunately I experienced so many tests failing in a standard setup using acl_xattr that I gave up my initial plan to identify nfs4acl_xattr caused issues based on pure test failures. There were simply too many tests failing in both environments.
Maybe I was doing something wrong.

I'm also lacking the knowledge to select relevant tests from the plethora of available testsuites. Nevertheless I would be happy to run those tests which could highlight issues if they pass in the standard acl_xattr setup and fail with nfs4acl_xattr.

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code

Merge request reports