|
|
United States-English | |
|
|
 |
|
HP CIFS Server 2.2g Administrator's Guide: HP-UX 11.0, 11i version 1 and 2 > Chapter 3 Managing
HP-UX File Access Permissions from Windows NT/XP/2000
Configuring Samba ACL Support |
|
|
In non-HP Samba versions, you could only turn Samba's NT ACL Support on or off on a serverwide basis. When turned on, UNIX file permission support was enabled for all Samba shares. There was no support for any ACL scheme, including VxFS POSIX ACLs. Instead, you configured the old NT ACL support through the smb.conf variable nt acl support. This functionality is still supported in the HP CIFS product. In HP CIFS, however, there is a new smb.conf variable that you can use to configure Samba ACL support. And, with this Samba version, you may configure every share on the Samba server differently. Since there may be many UNIX file systems under the root of a Samba share, one Samba share may have files on HFS file systems, VxFS 3.3 file systems, NFS file systems, and older VxFS file systems. If you assign one type of ACL support for the share, you might not be taking full advantage of the capabilities of each file system located there. So with this version of Samba you can create a list of ACL schemes for each share. The list of ACL schemes specifies the order that ACL schemes will be attempted on a file in that share. Currently the ACL scheme unix is supported (meaning UNIX file permissions) and hpux_posix is supported (meaning VxFS POSIX ACLs on HP-UX). In the examples below, assume that HP-UX HFS ACLs are also supported and that this scheme is called hpux_hfs. The name of the per-share variable in the smb.conf is acl_schemes. Following are five examples of ACL schemes. Example 1: acl schemes = hpux_posix hpux_hfs unix If a share has this acl schemes parameter set, Samba will attempt to use VxFS POSIX ACLs. If that scheme is not supported, it trys HFS ACLs. And, if that scheme is not supported, it would use UNIX file permissions. If a Windows client makes a request to see the ACL for a file on an HFS file system in that share, Samba attempts to use the POSIX ACL system call. It will fail and return an error indicating that the ACL scheme is not supported on that file. Then Samba would try the HFS ACL system call and it would succeed. The user would not see the initial failure described in this example. Example 2: acl schemes = unix This is the default ACL scheme. The default ignores UNIX ACL capabilities and uses UNIX file permissions, as was the case with previous versions of Samba. Example 3: acl schemes = none This ACL example turns off all ACL support for the share and causes an error to be returned whenever a client tries to get or to set ACL information on any file system on the share. Example 4: acl schemes = hpux_posix This ACL example supports only VxFS POSIX ACLs on the entire share. For files on NFS, HFS or VxFS pre 3.3 file systems, all attempts from the client to get or to set ACLs will fail. This example will not fall back to the UNIX file permissions. ACL support will only work for files on file systems supporting POSIX ACLs (currently VxFS 3.3 or higher). Example 5: acl schemes = unix hpux_posix This ACL example is the same as setting acl scheme to unix (Example 2) because UNIX file permissions are supported on every UNIX file system type. This means the scheme will never fall through to the next ACL scheme in the list. The unix scheme will be the first and last scheme attempted in each case. The examples described above show how any combination of ACL schemes can be supported on a Samba share. If you plan to have many schemes in the ACL scheme list, you will want to setup the best order to maximize efficiency. For example, if the files accessed the most are all on a VxFS 3.3 file system, put hpux_posix first on the ACL scheme list for that share. Otherwise, Samba will make many system calls for other ACL schemes before it locates the right one. This prioritization will become even more important in the future when Samba supports more and more ACL types. With HP CIFS Server version A.01.08, the “nt acl support” configuration variable is made share level. It was previously a Global level variable. Its default value is “yes”. Using this variable, users can now control the ACL support on a per-share basis. Except for setting the above variable, there is no other special configuration needed for supporting ACLs. For a share supporting NT ACLs, the CIFS Server always tries to get, or set, POSIX ACLs on the Unix file system. If the underlying file system does not support POSIX ACLs, then the CIFS Server will use the Unix file permissions. In such a case, the user will only be able to set or get the three default ACEs (owner, group and everyone). Additional ACEs will be ignored. With version A.01.08 of the CIFS Server, the configuration variable “acl schemes” (exists in version A.01.07, and below) is not supported. However, having this variable in the configuration file will not hurt CIFS Server operation. The user is advised to remove or comment out occurrences of these variables from the configuration file (smb.conf) to prevent confusion.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 Printable version |
|
|
|
|
|
|||||||||||||||
|
|||||||||||||||
