WIP: AD DC provisioning with nfs4acl_xattr instead of acl_xattr
The objective is to enable the provisioning of an AD DC with the nfs4acl_xattr VFS module replacing the acl_xattr module.
Filesystems with support for NFS 4.1 ACLs could then enforce file and directory access restrictions via the OS.
Like acl_xattr, the nfs4acl_xattr VFS module should in theory provide a Windows ACL compatible backing store.
However, there are subtle differences which require code changes to just enable the provisioning process.
- nfs4acl_xattr doesn't support POSIX ACLs because it provides NFS4 ACLs
- NFS4 ACLs are not directly accessible in a "security.NTACL" extended attribute
- the code storing NFS4 ACLs is consolidating redundant or non applicable ACEs which acl_xattr is not doing
- NFS4 ACLs require a mapping between SIDs and POSIX uids/gids
The patches in this merge request address the above differences/issues for the provisioning process of an AD DC.
The changes only take effect if the nfs4acl_xattr VFS module is included in the list of vfs objects.
To enable testing this feature via the samba selftest facility an environment variable TESTENV_USE_NFS4ACLS is introduced.
If defined, the test environments will be generated with AD DCs that use the nfs4acl_xattr module, which can be verified with:
TESTENV_USE_NFS4ACLS=1 SELFTEST_TESTENV=ad_dc:local make testenv
What's missing is to run the relevant tests that could highlight eventually broken functionality.
Unfortunately I experienced so many tests failing in a standard setup using acl_xattr that I gave up my initial plan to identify nfs4acl_xattr caused issues based on pure test failures. There were simply too many tests failing in both environments.
Maybe I was doing something wrong.
I'm also lacking the knowledge to select relevant tests from the plethora of available testsuites. Nevertheless I would be happy to run those tests which could highlight issues if they pass in the standard acl_xattr setup and fail with nfs4acl_xattr.
Checklist
-
Commits have Signed-off-by:
with name/author being identical to the commit author -
(optional) This MR is just one part towards a larger feature. -
(optional, if backport required) Bugzilla bug filed and BUG:
tag added -
Test suite updated with functionality tests -
Test suite updated with negative tests -
Documentation updated -
CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)
Reviewer's checklist:
-
There is a test suite reasonably covering new functionality or modifications -
Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
-
This feature/change has adequate documentation added -
No obvious mistakes in the code