From 534b88dea210f5a35c16031d1c3a97bf182dd5a8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bj=C3=B6rn=20Jacke?=
Date: Sun, 11 Sep 2022 21:35:07 +0200
Subject: [PATCH] docs-xml: some fixes and updates for ea and acl docs in smb.conf
Signed-off-by: Bjoern Jacke
Reviewed-by: Andrew Bartlett
---
docs-xml/smbdotconf/protocol/easupport.xml | 9 +++------
docs-xml/smbdotconf/protocol/mapaclinherit.xml | 18 +++++++++++-------
docs-xml/smbdotconf/security/inheritacls.xml | 7 +++++--
3 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/docs-xml/smbdotconf/protocol/easupport.xml b/docs-xml/smbdotconf/protocol/easupport.xml
index 403e48f5a89..fd425e8b514 100644
--- a/docs-xml/smbdotconf/protocol/easupport.xml
+++ b/docs-xml/smbdotconf/protocol/easupport.xml
@@ -18,12 +18,9 @@ Note that the SMB protocol allows setting attributes whose value is 64K bytes long, and that on NTFS, the maximum storage space for extended attributes per file is 64K.
- On most UNIX systems (Solaris and ZFS file system being the exception), the limits
- are much lower - typically 4K. Worse, the same 4K space is often used to store
- system metadata such as POSIX ACLs, or Samba's NT ACLs. Giving clients
- access to this tight space via extended attribute support could consume all
- of it by unsuspecting client applications, which would prevent changing
- system metadata due to lack of space.
+ On some filesystem the limits may be lower. Filesystems with too limited EA
+ space may experience unexpected weird effects.
+ The default has changed to yes in Samba release 4.9.0 and above to allow better Windows fileserver compatibility in a default install.
diff --git a/docs-xml/smbdotconf/protocol/mapaclinherit.xml b/docs-xml/smbdotconf/protocol/mapaclinherit.xml
index 28271f9d66b..c248a333b5c 100644
--- a/docs-xml/smbdotconf/protocol/mapaclinherit.xml
+++ b/docs-xml/smbdotconf/protocol/mapaclinherit.xml
@@ -3,13 +3,17 @@ type="boolean" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
- This boolean parameter controls whether smbd
- 8 will attempt to map the 'inherit' and 'protected'
- access control entry flags stored in Windows ACLs into an extended attribute
- called user.SAMBA_PAI (POSIX ACL Inheritance). This parameter requires
- supports for extended attributes on the filesystem and
- allows the Windows ACL editor to store inheritance information while
- NT ACLs are mapped best-effort to the POSIX ACLs.
+ This boolean parameter is only relevant for systems that do not support
+ standardized NFS4 ACLs but only a POSIX draft implementation of ACLs. Linux
+ is the only common UNIX system which does still not offer standardized NFS4
+ ACLs actually. On such systems this parameter controls whether
+ smbd
+ 8 will attempt to map the 'protected'
+ (don't inherit) flags of the Windows ACLs into an extended attribute called
+ user.SAMBA_PAI (POSIX draft ACL Inheritance). This parameter requires
+ support for extended attributes on the filesystem and allows the Windows
+ ACL editor to store (non-)inheritance information while NT ACLs are mapped
+ best-effort to the POSIX draft ACLs that the OS and filesystem implements.
 no
diff --git a/docs-xml/smbdotconf/security/inheritacls.xml b/docs-xml/smbdotconf/security/inheritacls.xml
index 4c6caefc920..4f1bf995d7a 100644
--- a/docs-xml/smbdotconf/security/inheritacls.xml
+++ b/docs-xml/smbdotconf/security/inheritacls.xml
@@ -3,12 +3,15 @@ type="boolean" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
- This parameter can be used to ensure that if default acls
+ This parameter is only relevant for filesystems that
+ do not support standardized NFS4 ACLs but only a POSIX draft ACL
+ implementation and which implements default ACLs like most filesystems
+ on Linux. It can be used to ensure that if default ACLs exist on parent directories, they are always honored when creating a new file or subdirectory in these parent directories. The default behavior is to use the unix mode specified when creating the directory. Enabling this option sets the unix mode to 0777, thus guaranteeing that
- default directory acls are propagated.
+ the default directory ACLs are propagated.
 Note that using the VFS modules acl_xattr or acl_tdb which store native Windows as meta-data will automatically turn this option on for any
--
2.47.3