* FIX: dbd: Adding a file with the CNID from it's adouble file did

[netatalk.git] / doc / README.ACLs

                 ACLs - Konfiguration and Infos vor Developpers
                 ==============================================

ACL support for AFP is implemented with NFSv4 ACLs. Few filesystems and fewer OSes support
these. At the time of implementation its only provided with ZFS on Solaris, Opensolaris and
derived distributions.

  Configuration
  -------------

In order to be able to support ACLs, the following things have to be configured:

1. ZFS Volumes
2. Authentication Domain
3. Netatalk Volumes

  1. ZFS Volumes:

     You MUST configure two ACL parameters for any volume you want to use with Netatalk:

        aclinherit = passthrough
        aclmode = passthrough

     For an explanation of what these parameters mean and how to apply them see, your hosts
     ZFS documentation (e.g. man zfs).

  2. Authentication Domain

     Your server and the clients must be part of a security association where identity data
     is coming from a common source. ACLs in Darwin are based on UUIDs and so is the ACL
     specification in AFP 3.2. Therefor your source of identity data has to provide an
     attribute for every user and group where a UUID is stored as a ASCII string.

     In other words:
      - you need an Open Directory Server or an LDAP server where you store UUIDs in some
        attribute
      - your clients must be configured to use this server 
      - your server should be configured to use this server via nsswitch and PAM. This
        however is not a strict requirement: 
        if you create duplicates of every LDAP/OD user and group with identic attributes
        (name, uid, gid) in your local data store (/etc/[passwd|group]) things will work

              *  as long as user/group names/ids in the filesystem are equal  *
              *         to their counterparts in the LDAP/OD datastore        *

      - configure Netatalk via afp_ldap.conf so that Netatalk is able to retrieve the UUID
        for users and groups via LDAP search queries

  3. Netatalk Volumes

     Finally you can add "options:acls" to your volume defintions to add ACL support.
     In case your volume basedir doesn't grant read permissions via mode (like: 0700 root:adm)
     but only via ACLs, you MUST add the "nostat" option to the volume defintion.

  Implemantation Notes
  --------------------

Some implementation details that are buried in the code are worthwhile to be documented.

1. Darwin ACEs vs NFSv4 ACEs
2. .AppleDouble VFS integration

  1. Darwin ACEs vs NFSv4 ACEs

     Basically as far as implementing AFP support is concerned they're equivalent.
     Subtleties arise at other places:

     FPAccess

        The AFP client frequently checks the (DARWIN_)ACE_DELETE_CHILD right. This is most
        often not explicitly granted via an ACE. Therefor the client would get an no access
        error. The client in turn then declares the object in question read only.
        Thus we have to the check the mode for every directory and add ACE_DELETE_CHILD if
        the requestor has write permissions.

     FPGetFileDirParms

        10.5 does not only use unix mode and FPAccess for permission check, but also OS 9
        access bits from FPGetFileDirParms. Thus we have to adjust the Access Rights bitmap
        user bits by including any ACL rigths.

  2. .AppleDouble VFS integration

     FPSetACL sets ACLs on files and dirs. Our implementation also sets the same ACL on the
     .AppleDouble file for files and on the .AppleDouble dir itself for dirs.

     Thereafter ACLs for created files is taken care of by ACLs own inheritance rules.

     For dirs on the other hand whe have to make sure that any ACL the dir inherits is
     copied verbatim to its .AppleDouble dir. 


                                                                    January 2009, Frank Lahm