'\" t .\" Title: vfs_nfs4acl_xattr .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 04/07/2024 .\" Manual: System Administration tools .\" Source: Samba 4.20.0 .\" Language: English .\" .TH "VFS_NFS4ACL_XATTR" "8" "04/07/2024" "Samba 4\&.20\&.0" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" vfs_nfs4acl_xattr \- Save NTFS\-ACLs as NFS4 encoded blobs in extended attributes .SH "SYNOPSIS" .HP \w'\ 'u vfs objects = nfs4acl_xattr .SH "DESCRIPTION" .PP This VFS module is part of the \fBsamba\fR(7) suite\&. .PP The vfs_acl_xattr VFS module stores NTFS Access Control Lists (ACLs) in Extended Attributes (EAs/xattrs)\&. This enables the full mapping of Windows ACLs on Samba servers\&. .PP This module is stackable\&. .SH "OPTIONS" .PP nfs4:mode = [ simple | special ] .RS 4 Controls substitution of special IDs (OWNER@ and GROUP@) on NFS4 ACLs\&. The use of mode simple is recommended\&. In this mode only non inheriting ACL entries for the file owner and group are mapped to special IDs\&. .sp The following MODEs are understood by the module: .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} simple(default) \- use OWNER@ and GROUP@ special IDs for non inheriting ACEs only\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} special(deprecated) \- use OWNER@ and GROUP@ special IDs in ACEs for all file owner and group ACEs\&. .RE .sp .RE .RE .PP nfs4:acedup = [dontcare|reject|ignore|merge] .RS 4 This parameter configures how Samba handles duplicate ACEs encountered in NFS4 ACLs\&. They allow creating duplicate ACEs with different bits for same ID, which may confuse the Windows clients\&. .sp Following is the behaviour of Samba for different values : .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} dontcare \- copy the ACEs as they come .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} reject (deprecated) \- stop operation and exit with error on ACL set op .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} ignore (deprecated) \- don\*(Aqt include the second matching ACE .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} merge (default) \- bitwise OR the 2 ace\&.flag fields and 2 ace\&.mask fields of the 2 duplicate ACEs into 1 ACE .RE .sp .RE .RE .PP nfs4:chown = [yes|no] .RS 4 This parameter allows enabling or disabling the chown supported by the underlying filesystem\&. This parameter should be enabled with care as it might leave your system insecure\&. .sp Some filesystems allow chown as a) giving b) stealing\&. It is the latter that is considered a risk\&. .sp Following is the behaviour of Samba for different values : .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} yes \- Enable chown if as supported by the under filesystem .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} no (default) \- Disable chown .RE .sp .RE .RE .PP nfs4acl_xattr:encoding = [nfs|ndr|xdr] .RS 4 This parameter configures the marshaling format used in the ACL blob and the default extended attribute name used to store the blob\&. .sp When set to \fInfs\fR \- fetch and store the NT ACL in NFS 4\&.0 or 4\&.1 compatible XDR encoding\&. By default this uses the extended attribute "system\&.nfs4_acl"\&. This setting also disables \fIvalidate_mode\fR\&. .sp When set to \fIndr (default)\fR \- store the NT ACL with POSIX draft NFSv4 compatible NDR encoding\&. By default this uses the extended attribute "security\&.nfs4acl_ndr"\&. .sp When set to \fIxdr\fR \- store the NT ACL in a format similar to NFS 4\&.1 RFC 5661 in XDR encoding\&. The main differences to RFC 5661 are the use of ids instead of strings as users and group identifiers and an additional attribute per nfsace4\&. By default this encoding stores the blob in the extended attribute "security\&.nfs4acl_xdr"\&. .RE .PP nfs4acl_xattr:version = [40|41] .RS 4 This parameter configures the NFS4 ACL level\&. Only \fI41\fR fully supports mapping NT ACLs and should be used\&. The default is \fI41\fR\&. .RE .PP nfs4acl_xattr:default acl style = [posix|windows|everyone] .RS 4 This parameter determines the type of ACL that is synthesized in case a file or directory lacks an ACL extended attribute\&. .sp When set to \fIposix\fR, an ACL will be synthesized based on the POSIX mode permissions for user, group and others, with an additional ACE for \fINT Authority\eSYSTEM\fR will full rights\&. .sp When set to \fIwindows\fR, an ACL is synthesized the same way Windows does it, only including permissions for the owner and \fINT Authority\eSYSTEM\fR\&. .sp When set to \fIeveryone\fR, an ACL is synthesized giving full permissions to everyone (S\-1\-1\-0)\&. .sp The default for this option is \fIeveryone\fR\&. .RE .PP nfs4acl_xattr:xattr_name = STRING .RS 4 This parameter configures the extended attribute name used to store the marshaled ACL\&. .sp The default depends on the setting for \fInfs4acl_xattr:encoding\fR\&. .RE .PP nfs4acl_xattr:nfs4_id_numeric = yes|no (default: no) .RS 4 This parameter tells the module how the NFS4 server encodes user and group identifiers on the network\&. With the default setting the module expects identifiers encoded as per the NFS4 RFC as user@domain\&. .sp When set to \fIyes\fR, the module expects the identifiers as numeric string\&. .sp The default for this options\fIno\fR\&. .RE .PP nfs4acl_xattr:validate_mode = yes|no .RS 4 This parameter configures whether the module enforces the POSIX mode is set to 0777 for directories and 0666 for files\&. If this constrained is not met, the xattr with the ACL blob is discarded\&. .sp The default depends on the setting for \fInfs4acl_xattr:encoding\fR: when set to \fInfs\fR this setting is disabled by default, otherwise it is enabled\&. .RE .SH "EXAMPLES" .PP A directory can be exported via Samba using this module as follows: .sp .if n \{\ .RS 4 .\} .nf \fI[samba_gpfs_share]\fR \m[blue]\fBvfs objects = nfs4acl_xattr\fR\m[] \m[blue]\fBpath = /foo/bar\fR\m[] .fi .if n \{\ .RE .\} .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.