Provided by: samba-vfs-modules_4.17.7+dfsg-1ubuntu1_amd64 bug

NAME
       vfs_nfs4acl_xattr - Save NTFS-ACLs as NFS4 encoded blobs in extended attributes


SYNOPSIS
       vfs objects = nfs4acl_xattr


DESCRIPTION
       This VFS module is part of the samba(7) suite.

       The vfs_acl_xattr VFS module stores NTFS Access Control Lists (ACLs) in Extended
       Attributes (EAs/xattrs). This enables the full mapping of Windows ACLs on Samba servers.

       This module is stackable.


OPTIONS
       nfs4:mode = [ simple | special ]
           Controls substitution of special IDs (OWNER@ and GROUP@) on NFS4 ACLs. The use of mode
           simple is recommended. In this mode only non inheriting ACL entries for the file owner
           and group are mapped to special IDs.

           The following MODEs are understood by the module:

                  •   simple(default) - use OWNER@ and GROUP@ special IDs for non inheriting ACEs
                      only.

                  •   special(deprecated) - use OWNER@ and GROUP@ special IDs in ACEs for all
                      file owner and group ACEs.

       nfs4:acedup = [dontcare|reject|ignore|merge]
           This parameter configures how Samba handles duplicate ACEs encountered in NFS4 ACLs.
           They allow creating duplicate ACEs with different bits for same ID, which may confuse
           the Windows clients.

           Following is the behaviour of Samba for different values :

                  •   dontcare - copy the ACEs as they come

                  •   reject (deprecated) - stop operation and exit with error on ACL set op

                  •   ignore (deprecated) - don't include the second matching ACE

                  •   merge (default) - bitwise OR the 2 ace.flag fields and 2 ace.mask fields of
                      the 2 duplicate ACEs into 1 ACE

       nfs4:chown = [yes|no]
           This parameter allows enabling or disabling the chown supported by the underlying
           filesystem. This parameter should be enabled with care as it might leave your system
           insecure.

           Some filesystems allow chown as a) giving b) stealing. It is the latter that is
           considered a risk.

           Following is the behaviour of Samba for different values :

                  •   yes - Enable chown if as supported by the under filesystem

                  •   no (default) - Disable chown

       nfs4acl_xattr:encoding = [nfs|ndr|xdr]
           This parameter configures the marshaling format used in the ACL blob and the default
           extended attribute name used to store the blob.

           When set to nfs - fetch and store the NT ACL in NFS 4.0 or 4.1 compatible XDR
           encoding. By default this uses the extended attribute "system.nfs4_acl". This setting
           also disables validate_mode.

           When set to ndr (default) - store the NT ACL with POSIX draft NFSv4 compatible NDR
           encoding. By default this uses the extended attribute "security.nfs4acl_ndr".

           When set to xdr - store the NT ACL in a format similar to NFS 4.1 RFC 5661 in XDR
           encoding. The main differences to RFC 5661 are the use of ids instead of strings as
           users and group identifiers and an additional attribute per nfsace4. By default this
           encoding stores the blob in the extended attribute "security.nfs4acl_xdr".

       nfs4acl_xattr:version = [40|41]
           This parameter configures the NFS4 ACL level. Only 41 fully supports mapping NT ACLs
           and should be used. The default is 41.

       nfs4acl_xattr:default acl style = [posix|windows|everyone]
           This parameter determines the type of ACL that is synthesized in case a file or
           directory lacks an ACL extended attribute.

           When set to posix, an ACL will be synthesized based on the POSIX mode permissions for
           user, group and others, with an additional ACE for NT Authority\SYSTEM will full
           rights.

           When set to windows, an ACL is synthesized the same way Windows does it, only
           including permissions for the owner and NT Authority\SYSTEM.

           When set to everyone, an ACL is synthesized giving full permissions to everyone
           (S-1-1-0).

           The default for this option is everyone.

       nfs4acl_xattr:xattr_name = STRING
           This parameter configures the extended attribute name used to store the marshaled ACL.

           The default depends on the setting for nfs4acl_xattr:encoding.

       nfs4acl_xattr:nfs4_id_numeric = yes|no (default: no)
           This parameter tells the module how the NFS4 server encodes user and group identifiers
           on the network. With the default setting the module expects identifiers encoded as per
           the NFS4 RFC as user@domain.

           When set to yes, the module expects the identifiers as numeric string.

           The default for this optionsno.

       nfs4acl_xattr:validate_mode = yes|no
           This parameter configures whether the module enforces the POSIX mode is set to 0777
           for directories and 0666 for files. If this constrained is not met, the xattr with the
           ACL blob is discarded.

           The default depends on the setting for nfs4acl_xattr:encoding: when set to nfs this
           setting is disabled by default, otherwise it is enabled.


EXAMPLES
       A directory can be exported via Samba using this module as follows:

                 [samba_gpfs_share]
                 vfs objects = nfs4acl_xattr
                 path = /foo/bar


AUTHOR
       The original Samba software and related utilities were created by Andrew Tridgell. Samba
       is now developed by the Samba Team as an Open Source project similar to the way the Linux
       kernel is developed.