ACLs in Samba 2.2 with an ext3 filesystem mini-howto
Adelux, Sébastien -Yeiazel- Munch
mailto:sebastien.munch@adelux.fr
v1.1, October 2002
This document describes how to make SAMBA work with Windows-compatible ACLs on a Linux system with an ext3 filesystem. It should also be useful with other filesystems, because many parts are filesystem-independent. This procedure has been tested with Debian Woody GNU/Linux 3.0r0, Linux 2.4.19, EA 0.8.26 and ACL 0.8.28 patches, and Samba 2.2.5 from the source files.
1. Introduction
This document was written by Sébastien Munch from Adelux and is based on his own test, using the official ACL and Samba documentation, and articles from IBM developerWorks.
1.1 Copyright
Copyright © 2002 Adelux.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license can be found at http://www.gnu.org/copyleft/fdl.html.
1.2 Errors, mistakes, etc.
If you find any error, mistake or bug in this document, or if you know something that would be worth adding, just send an email to the author, mailto:sebastien.munch@adelux.fr.
2. Preparing GNU/Linux
There are some steps to follow before being able to use ACLs with your system, including with Samba. In fact, Samba "transforms" Win32 ACLs into POSIX ACLs; however, these ACLs are not included by default in all filesystems.
For example, XFS has native ACL support, which is why many Samba ACL setups use this filesystem. This section presents how to make ACLs work with the Ext3 (and Ext2) filesystem.
(You can find a step-by-step guide on the official EA and ACLs in Linux website.)
2.1 Patching your kernel
In order to enable ACLs with the Ext2 and Ext3 filesystems, you have to patch your kernel. You can find the required patches in the Extended attributes and access control lists website. (You can find a step-by-step guide in the same site.)
You have to download the right linux-a.b.cea-x.y.z.diff.gz and linux-a.b.cacl-x.y.z.diff.gz (Extended attributes and Access control list) files for your Linux version.
Once downloaded:
Make sure you have an uncompressed Linux source directory in /usr/src/
Copy both files into your sources directory, and uncompress them:
cp linux-a.b.cea-x.y.z.diff.gz /usr/src
cp linux-a.b.cacl-x.y.z.diff.gz /usr/src
cd /usr/src
gunzip linux-a.b.cea-x.y.z.diff.gz
gunzip linux-a.b.cacl-x.y.z.diff.gz
Then, copy them into your Linux sources directory and cd into it:
cp linux-a.b.c*-x.y.z.diff linux-a.b.c
cd linux-a.b.c
or
cp linux-a.b.c*-x.y.z.diff linux
cd linux
Finally, patch the Linux kernel sources with both patches:
patch -p1 < linux-a.b.cea-x.y.z.diff
patch -p1 < linux-a.b.cacl-x.y.z.diff
If you use a Debian system, you can use the .deb kernel sources and patches, for example:
apt-get install kernel-source-2.4.18 kernel-patch-acl
However, I prefer downloading the latest versions from the official websites.
Select the right options
Then activate the right kernel options: CONFIG_FS_POSIX_ACL,
CONFIG_EXT3_FS_XATTR, CONFIG_EXT3_FS_POSIX_ACL (for the ext3
filesystem), CONFIG_EXT2_FS_XATTR and
CONFIG_EXT2_FS_POSIX_ACL (for the ext2 filesystem).
In the make menuconfig of Linux 2.4.19, you can find them in
the File systems menu :
POSIX Access Control Lists,
Ext3 extended attributes (NEW),
Ext3 POSIX Access Control Lists,
Ext2 extended attributes (NEW) and
Ext2 POSIX Access Control Lists.
Build the kernel
Next, build the kernel as usual, core and modules...
2.2 Installing the utilities
You can find RPM binaries, RPM source files and targz source files of the needed utilities on the EA and ACL website, whether you use an RPM-based distribution or any other distribution. For a Debian GNU/Linux system, all these utilities can be installed from the standard package sources. These utilities are a patched version of e2fsprogs, libattr, libacl, acl, and a patched version of fileutils. With a Debian (Woody) system, install them using the following command:
apt-get install libattr1 libacl1 acl
This Debian command does not install patched e2fsprogs and fileutils packages. However, ACLs are working without them on my test platform for the moment; either they don't seem to be necessary or the Debian packages don't need to be patched.
2.3 Mount and fstab
The final step is to mount the filesystem with the right option. This option is "attr=acl". To mount the filesystem by hand, just add this option as an argument to the -o option of mount (mount [...] -o attr=acl[...]).
To make it permanent, change the /etc/fstab file: add "attr=acl" to the "<options>" column of the line you want.
Update
Tested with patches version >= 0.8.50 :
The "attr=acl" mount option is now replaced simply by "acl".
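The kernel options from section 2.1 and the mount option from this section can be checked before going on to Samba. The following script is an added example, not part of the original howto: the function names and the sample .config and fstab contents are constructed, and only the ext3 options are checked.

```sh
#!/bin/sh
# Added example: preflight check for the kernel options (section 2.1)
# and the ACL mount option (section 2.3). All file contents are constructed.

ACL_OPTS="CONFIG_FS_POSIX_ACL CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_POSIX_ACL"

# Print each required option that is not set to "y" in the kernel .config $1.
missing_acl_options() {
    for opt in $ACL_OPTS; do
        grep -q "^${opt}=y\$" "$1" || echo "$opt"
    done
}

# Succeed if the line for mount point $2 in fstab file $1 carries the
# "attr=acl" option (or "acl", used by patches >= 0.8.50).
fstab_has_acl() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "acl" || o[i] == "attr=acl") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Constructed sample inputs.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config" <<'EOF'
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
# CONFIG_EXT3_FS_POSIX_ACL is not set
CONFIG_FS_POSIX_ACL=y
EOF
cat > "$demo_dir/fstab" <<'EOF'
/dev/hda1  /      ext3  defaults,errors=remount-ro  0 1
/dev/hda3  /srv   ext3  defaults,attr=acl           0 2
EOF

echo "missing kernel options: $(missing_acl_options "$demo_dir/config")"
fstab_has_acl "$demo_dir/fstab" /srv && echo "/srv: ACL option present"
fstab_has_acl "$demo_dir/fstab" /    || echo "/: ACL option missing"
```

On a real system, pass the .config of the kernel you built and /etc/fstab instead of the sample files.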
2.4 Basic ACL usage with GNU/Linux
There are two main new utilities introduced by the use of ACLs:
setfacl and getfacl. Read their manpages for detailed
instructions.
setfacl
The syntax is : "setfacl <option> <permissions> <filename>"
options are :
-m to modify the current permissions
-s to replace the current permissions
-x to remove an ACL entry
permissions are :
[d[efault]:][u[ser]:]<uid>[:<perms>] : Permissions of a named user. Permissions of the file owner if uid is empty.
[d[efault]:]g[roup]:<gid>[:<perms>] : Permissions of a named group. Permissions of the owning group if gid is empty.
[d[efault]:]m[ask][:][:<perms>] : Effective rights mask.
[d[efault]:]o[ther][:][:<perms>] : Permissions of others.
getfacl
Use getfacl <filename> to see the ACL permissions of a file.
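The "effective rights mask" entry is the part of this syntax that most often surprises people: it caps what named users, the owning group and named groups actually get, whatever their own entries say. The following script is an added example, not part of the original howto, that goes slightly beyond the text by computing the effective rights from ACL text in getfacl's format; the file, user and group names are constructed.

```sh
#!/bin/sh
# Added example: compute the effective rights of each access ACL entry.
# The mask caps named users, the owning group and named groups; the file
# owner (user::) and other:: are not affected by it.
#
# On a file with mode 0750, the sample ACL below could be produced with
# (constructed names):
#   setfacl -m u:alice:rwx,g:sales:rw-,m::r-x shared

effective_rights() {
    awk -F: '
        /^#/ || NF < 3   { next }       # header comments and blank lines
        $1 == "default"  { next }       # default ACLs are only inherited
        { sub(/[ \t]*#.*/, "", $3) }    # drop trailing getfacl annotations
        $1 == "mask"     { mask = $3; next }
        { tag[++n] = $1; who[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                p = perm[i]
                capped = (tag[i] == "user" && who[i] != "") || tag[i] == "group"
                if (capped && mask != "") {
                    e = ""
                    for (k = 1; k <= 3; k++) {
                        c = (substr(mask, k, 1) == "-") ? "-" : substr(p, k, 1)
                        e = e c
                    }
                    p = e
                }
                print tag[i] ":" who[i] ":" p
            }
        }' "$1"
}

# Constructed sample in the text format printed by getfacl.
acl_file=$(mktemp)
cat > "$acl_file" <<'EOF'
# file: shared
# owner: root
# group: staff
user::rwx
user:alice:rwx
group::r-x
group:sales:rw-
mask::r-x
other::---
EOF

effective_rights "$acl_file"
```

With the sample ACL, alice ends up with r-x and the sales group with r--, because the mask removes the write bit from both.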
3. Configuring Samba
There is, in fact, little to do to make Samba work with ACLs: you just need to compile it with the --with-acl-support option. The Debian Samba package is not compiled with --with-acl-support, which is why you should recompile it to activate this option.
3.1 Samba recompilation
You need to compile Samba with the --with-acl-support
option. The Debian Woody package isn't compiled with this option by
default, and I don't think other distributions include this option in their
Samba packages (at least for the moment).
I don't use the Debian source package, because it's broken: it can't compile correctly with the --with-acl-support option unless you make many modifications.
Downloading the source
Choose a download site on the Samba website, and download the samba tar.bz2 archive (samba-2.2.x.tar.bz2).
Then uncompress it:
tar jxf samba-2.2.x.tar.bz2
or
tar Ixf samba-2.2.*.tar.bz2
(depending on the tar version),
and enter its directory:
cd samba-2.2.x
Compiling samba
Before building the package, you will at least need these packages, which are library headers or compilation utilities (this list is not exhaustive, please send me an email if dpkg-buildpackage asks for other packages):
apt-get install debhelper libpam0g-dev libreadline4-dev libcupsys2-dev autoconf
You also have to install the testing (sarge) acl packages: replace "woody" or "stable" in the /etc/apt/sources.list file with "sarge", install these packages
apt-get update && apt-get install acl-dev libacl1 libattr1 acl
and change "sarge" back to "woody" (and then run apt-get update).
Go into the sources directory
cd source
and execute the configure script with the needed options. I've chosen
to use the same options as for the Debian package, just changing the
--prefix and adding the --with-acl-support option. Just do as
you need.
./configure --host=i386-linux --build=i386-linux --with-fhs \
  --prefix=/usr/local --sysconfdir=/etc --with-privatedir=/etc/samba \
  --localstatedir=/var --with-netatalk --with-smbmount --with-pam --with-syslog \
  --with-sambabook --with-utmp --with-readline --with-pam_smbpass \
  --with-libsmbclient --with-winbind --with-msdfs --with-acl-support
Then compile Samba and install it
make
make install
Making startup scripts
You now just need to make startup and shutdown scripts for samba. The following describes the way to do it for a Debian system :
Put the following lines in the /etc/init.d/samba file :
#!/bin/sh
# Samba was configured with --prefix=/usr/local, so the daemons live in
# /usr/local/sbin; every path below must point there.
test -x /usr/local/sbin/nmbd -a -x /usr/local/sbin/smbd || exit 0
case "$1" in
    start)
        echo -n "Starting Samba daemons:"
        echo -n " nmbd"
        start-stop-daemon --start --quiet --exec /usr/local/sbin/nmbd -- -D
        echo -n " smbd"
        start-stop-daemon --start --quiet --exec /usr/local/sbin/smbd -- -D
        echo "."
        ;;
    stop)
        echo -n "Stopping Samba daemons:"
        echo -n " nmbd"
        start-stop-daemon --stop --quiet --pidfile /var/run/samba/nmbd.pid
        echo -n " smbd"
        start-stop-daemon --stop --quiet --pidfile /var/run/samba/smbd.pid
        echo "."
        ;;
    reload)
        # smbd rereads smb.conf when it receives SIGHUP
        echo -n "Reloading /etc/samba/smb.conf (smbd only)"
        start-stop-daemon --stop --signal HUP --pidfile /var/run/samba/smbd.pid
        echo "."
        ;;
    restart|force-reload)
        echo -n "Restarting Samba daemons:"
        echo -n " nmbd"
        start-stop-daemon --stop --quiet --pidfile /var/run/samba/nmbd.pid
        sleep 2
        start-stop-daemon --start --quiet --exec /usr/local/sbin/nmbd -- -D
        echo -n " smbd"
        start-stop-daemon --stop --quiet --pidfile /var/run/samba/smbd.pid
        sleep 2
        start-stop-daemon --start --quiet --exec /usr/local/sbin/smbd -- -D
        echo "."
        ;;
    *)
        echo "Usage: /etc/init.d/samba {start|stop|reload|restart|force-reload}"
        exit 1
        ;;
esac
exit 0
Make this file executable (chmod u+x /etc/init.d/samba), and then make the needed links in the rc.d directories: update-rc.d samba defaults. Now, Samba should start every time the computer boots.
3.2 Samba configuration
The "nt acl support" option, which is needed for samba to
translate Win32 ACLs to POSIX ACLs, is on by default. For the
other options, just do as you want.
There is no more configuration needed; your filesystem supports ACLs, Samba supports them, alright... it works !
