/ Markus Amersdorfer:home / university / about:me /
\ Say NO to Software-Patents! \


XFS/Samba-ACLs

Update -- 03-05-26:
I haven't tried, but according to Nathan Scott (posted on the ACL-Devel-Mailing-List) the problems I describe just below ("Update -- 03-03-01") seem to have been fixed in "XFS CVS tree" as well as "Linus'" (this probabely means a late Linux 2.5) and "Alan's trees".
Update -- 03-03-01:
I will drop XFS soon in order to replace it with ACL-patched EXT3 (work log on this as soon as I've figured everything out).
The reason for me to do so is that I have lost confidence in the current state of XFS as a stable filesystem: it has happened 3 times already, that within the last about 5 computer crashes (e.g. due to power-failure in our building) some files on my /data-partition (which uses XFS) were completely unusable: the file-size was correct, but the content was replaced with only lot's of "0x00" characters.
I lost some Sylpheed-, Gnome- and LICQ-config-files, and even some mails.
I know of places where XFS seems to run smoothly. Nevertheless, as to my personal experience, I will not use XFS for some time now (but probably will give it a try again with e.g. Linux 2.6). Perhaps all of this is due to some misconfiguration, but frankly, I don't think so. It could also be some hardware incompatabilities with the XFS-kernel-code? How knows...
Nevertheless, here is my XFS/Samba-ACL work log...

Things I used: Debian Sarge, Linux 2.4.19, SGI's XFS, Samba 2.2.3a.

Table of Contents

Kernel

Update -- 04-02-23:
Though XFS has been officially integrated in the 2.4 series, to my knowledge the code does not include any ACL or quota functionality! (Please, correct me if I'm wrong, I just don't use XFS here at the moment...)

Update -- 03-01-14:
The description provided here also works with Linux 2.4.20, just use the corresponding files and patches.

Unpack Linux 2.4.19 to /usr/src/linux-2.4.19 and make the usual symlink /usr/src/linux pointing to it.
Download xfs-2.4.19-all-i386.bz2 from ftp://oss.sgi.com/projects/xfs/download/patches/2.4.19/ and bunzip2' it to /usr/src/linux/xfs-2.4.19-all-i386.
Change to /usr/src/linux/ and execute patch -p1 < xfs-2.4.19-all-i386.

Do make xconfig and choose:

  [y] POSIX Access Control Lists
  [y] Quota support
  [y] XFS filesystem support
  [y]   Quota support

... and follow these instruction on how to build and install a Debian-Kernel-Package.

Debian-Packages

Install the following Debian Packages, e.g. using "apt-get":

The rest to get it working

User-space tools

In order to get ACLs being handled correctly when copying files, you need to do some more tweaking to your Debian-box. While this is far away from being perfect (IMHO), it's all that's possible currently (AFAIK).

Miscellaneous

Backups

SGI official

Again, taken from the official XFS FAQ:
Q: How can I backup an XFS filesystem and acls?
A: You can backup a XFS filesystem with utilities like xfsdump and standard tar for standard files. If you want to backup acls you will need to use xfsdump. This is the only tool at the moment that supports backing up of acls. Support for XFS and acls is underway at several commercial backup tools. xfsdump can be made to work with amanda.

Workaround

As xfsdump/xfsrestore often won't be possible to use (e.g. if the network is backuped to one backup server using proprietary software), here is how to do a "dirty" workaround: Install the Debian package "acl".
I moved the details to another page detailing even more on ACLs on Debian Woody.

NFS -- warning!

In order to solve problems with NFS using ACLs, you need to apply the nfsacl-patch available at acl.bestbits.org. It is for the kernel NFS daemon only.
More info can be found here.

Samba

03-07-23: For all you Red Hat users (and I suppose others too) out there: Here is an unofficial Samba + ACL Howto by Paul Eggleton.

In order to be able to change a XFS-file's/-directory's ACLs from a Windows 2000 workstation, you need to re-compile Debian's Samba packages.
Install the Debian Package

for Samba to be able to use ACLs at compile time.
Then do the following:

  mkdir ~/samba
  cd ~/samba
  apt-get source samba
  cd ~/samba/samba-2.2.3a/debian/
  vi rules
    --> and add the line "--with-acl-support \" before "--with-msdfs)"
  vi config.cache
    --> replace "ac_cv_header_sys_acl_h=${ac_cv_header_sys_acl_h=no}"
        with    "ac_cv_header_sys_acl_h=${ac_cv_header_sys_acl_h=yes}"
  cd ~/samba/samba-2.2.3a/
  dpkg-buildpackage
  cd ~/samba/
  dpkg -i [all those packages, you've currently already installed]

Don't forget to set "nt acl support = yes" in your smb.conf, and you'll be able to set ACLs as finegrained as you like on your XFS partition, even via Samba using w2k's file-properties dialog window.

For this Samba-stuff to work perfectly fine, best join the domain with your machine. When editing some file's ACLs, you'll then be able to directly from within w2k add users known to the domain and set the rights as you wish.
(Before joining the domain, I had to add some default ACL-rights for this user using "setfacl" and then could change the rights from within Windows as the user appeared in the dialog window. Joining the domain solved this: you're able to set ACL-based access rights for a domain-user not already associated in any way with the correspondig file/directory.)

Important:
Set all the manually recompiled and installed packages in dselect to "HOLD" in order to avoid having the package system replace them with the Debian default packages. (This could otherwise become a security threat as your ACLs would not work anymore with the standard Samba packages and Linux' default access rights might be too permissive.)
BUT don't forget to "manually" take care of security updates to these Samba-packages which are set to "HOLD" as for example the Debian Security Team released an update to samba_2.2.3a-12 on 22 Nov 2002.

Add-On -- 03-06-06:
Thanks a lot to Markus Kiefer for the following feedback I received from him: When using the Debian Woody versions of the packages libacl1 and libattr1, Samba didn't support ACLs. Upgrading to a backport of Sarge's versions (2.2.9 and 2.4.3) solved the problem. (Check out this german posting for more information.)


Valid HTML 4.01! Valid CSS! Created with Vim [Blue Ribbon Campaign icon]
© Markus Amersdorfer (markus<dott>amersdorfer<att>subnet<dott>at)
last modified: 2010-02-23 15:51:49
5140 hits