Samba 4 storage on the network
Permissions
Windows supports a variety of permissions that can be assigned in a granular way for shares and the folders and files they contain (Figure 2), whereas Linux only supports Read, Write, and Execute permissions for the owner, group, and "rest of the world" roles. From the perspective of a Windows admin, that is not proper rights management.
Connecting these two worlds therefore is not simple, but it's necessary. If Samba is not the only way to access the data (e.g., local logins or an NFS share on the server), you must make sure that the access rights you set cannot be worked around locally. In other words, it is not enough simply to save the permissions in a database; you also need to include the Linux filesystem.
Early versions of Samba converted the Windows permissions to Linux flags and ignored other access control settings. This solution is obviously unsatisfactory, so the next step is to support POSIX ACLs. This means that there is at least the possibility to assign permissions specifically to individual users (even if they are not the owner) and individual groups (Listing 6).
Listing 6
ACLs
This approach is a step forward, but unfortunately it is not yet sufficient: Windows supports not only read, write, execute, but also unusual permissions such as "delete subfolders and files, but not the folder itself."
These permissions cannot currently be mapped on the filesystem in Linux. Nevertheless, it is important to keep and implement them in the Windows world at least. To do this, Samba uses advanced file attributes, which allow arbitrary variables to be associated with a file in certain namespaces (Listing 7).
Listing 7
Extended Attributes
Extended attributes therefore offer the possibility of storing arbitrary metadata for a file. Samba (or more precisely, the vfs_acl_xattr
module) now leverages these capabilities to save permissions that cannot otherwise be mapped:
$ getfattr -n security.NTACL /tank/herbert/ # file: tank/herbert/ security.NTACL=0sAwADAAAAAgAEAAI...
A minor issue exists here, however: Not all filesystems support these mechanisms; in particular, ZFS on Linux does not support them. On Solaris and FreeBSD, the vfs_zfsacl
module provides a remedy, but it does not exist on Linux.
You can work around this with the vfs_acl_tdb
module, which stores the permissions in a database file. This module also provides an option for modifying the POSIX ACLs; thus, given a careful configuration, no problems are to be expected in the event of third-party access. However, this solution does not scale as well as the use of extended attributes, because database access can quickly become a bottleneck. Furthermore, snapshots, high availability, and failover are not so easy to implement. If you need features such as those offered by ZFS, you should consider using Btrfs.
Feature Matrix
The selection of the filesystem on the storage server has an additional effect on the functions that a file server can offer its users, beyond support for ACLs. Which of these factors is relevant in practice, of course, always depends on the corporation and the type of data stored. Other interesting functions include:
- Quotas: The filesystem lets you set size limits for directories for individual users and groups.
- Filesystem shrink: The filesystem can shrink as well as grow. If you miscalculated when setting up storage, this provides an easy fix without having to move the data.
- Compression: The filesystem supports compression of data before it's stored and can thus use the available space more effectively.
- Deduplication: The filesystem detects duplicate data blocks and stores them once only, and so use the available space more efficiently.
- Snapshots: The filesystem supports the ability to create subvolumes and snapshots. In this way, the entire directory tree or subtree can be frozen in a matter of seconds so that its state no longer changes.
- Redundancy: The filesystem itself offers the possibility of redundant data storage so that the failure of a hard disk can be compensated for in a way that is invisible to the user. There is no need to resort to RAID.
- Distributed: Distributed and cluster filesystems like OCFS2 or Ceph offer different ways to look at storage on multiple hosts as a single large storage area. Data is stored redundantly and distributed on these hosts to compensate for the failure of individual hosts in a way that is transparent to the user.
An overview of the back-end filesystems used for Samba in these contexts is provided in Table 1. Giving a general recommendation for or against an individual filesystem does not make sense, because it is driven by the intended use and the expected growth of data.
Table 1
Back-End Filesystems
Filesystem | ACLs | Quotas | Shrink | Compress | Dedup | Snapshots | Redundancy | Distributed | Max. Size |
---|---|---|---|---|---|---|---|---|---|
ext4 |
Yes |
Yes |
Yes |
No |
No |
No |
No |
No |
1EiB |
XFS |
Yes |
Yes |
No |
No |
No |
No |
No |
No |
16EiB |
ZFS on Linux |
No |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
16EiB |
Btrfs |
Yes |
Yes |
Yes |
Yes |
No |
Yes |
Yes |
No |
16EiB |
OCFS2 |
Yes |
Yes |
Yes |
No |
No |
Yes |
Yes |
Yes |
4PiB |
GlusterFS |
Yes |
Yes |
Yes |
Yes* |
Yes* |
No |
Yes |
Yes |
(No limit) |
Ceph |
Yes |
Yes |
Yes |
Yes* |
Yes* |
No |
Yes |
Yes |
(No limit) |
* Depending on the underlying filesystem. |
Infos
- Samba 4: https://www.samba.org/
- Debian Jessie: http://www.debian.org/releases/testing/
- openATTIC: http://www.open-attic.org/en/home.html
- Remote Server Administration Tools: http://www.microsoft.com/en-us/download/details.aspx?id=28972
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.