--- /dev/null
+
+ ACLs - Konfiguration and Infos vor Developpers
+ ==============================================
+
+ACL support for AFP is implemented with NFSv4 ACLs. Few filesystems and fewer OSes support
+these. At the time of implementation its only provided with ZFS on Solaris, Opensolaris and
+derived distributions.
+
+ Configuration
+ -------------
+
+In order to be able to support ACLs, the following things have to be configured:
+
+1. ZFS Volumes
+2. Authentication Domain
+3. Netatalk Volumes
+
+ 1. ZFS Volumes:
+
+ You MUST configure two ACL parameters for any volume you want to use with Netatalk:
+
+ aclinherit = passthrough
+ aclmode = passthrough
+
+ For an explanation of what these parameters mean and how to apply them see, your hosts
+ ZFS documentation (e.g. man zfs).
+
+ 2. Authentication Domain
+
+ Your server and the clients must be part of a security association where identity data
+ is coming from a common source. ACLs in Darwin are based on UUIDs and so is the ACL
+ specification in AFP 3.2. Therefor your source of identity data has to provide an
+ attribute for every user and group where a UUID is stored as a ASCII string.
+
+ In other words:
+ - you need an Open Directory Server or an LDAP server where you store UUIDs in some
+ attribute
+ - your clients must be configured to use this server
+ - your server should be configured to use this server via nsswitch and PAM. This
+ however is not a strict requirement:
+ if you create duplicates of every LDAP/OD user and group with identic attributes
+ (name, uid, gid) in your local data store (/etc/[passwd|group]) things will work
+
+ * as long as user/group names/ids in the filesystem are equal *
+ * to their counterparts in the LDAP/OD datastore *
+
+ - configure Netatalk via afp_ldap.conf so that Netatalk is able to retrieve the UUID
+ for users and groups via LDAP search queries
+
+ 3. Netatalk Volumes
+
+ Finally you can add "options:acls" to your volume defintions to add ACL support.
+ In case your volume basedir doesn't grant read permissions via mode (like: 0700 root:adm)
+ but only via ACLs, you MUST add the "nostat" option to the volume defintion.
+
+ Implemantation Notes
+ --------------------
+
+Some implementation details that are buried in the code are worthwhile to be documented.
+
+1. Darwin ACEs vs NFSv4 ACEs
+2. .AppleDouble VFS integration
+
+ 1. Darwin ACEs vs NFSv4 ACEs
+
+ Basically as far as implementing AFP support is concerned they're equivalent.
+ Subtleties arise at other places:
+
+ FPAccess
+
+ The AFP client frequently checks the (DARWIN_)ACE_DELETE_CHILD right. This is most
+ often not explicitly granted via an ACE. Therefor the client would get an no access
+ error. The client in turn then declares the object in question read only.
+ Thus we have to the check the mode for every directory and add ACE_DELETE_CHILD if
+ the requestor has write permissions.
+
+ FPGetFileDirParms
+
+ 10.5 does not only use unix mode and FPAccess for permission check, but also OS 9
+ access bits from FPGetFileDirParms. Thus we have to adjust the Access Rights bitmap
+ user bits by including any ACL rigths.
+
+ 2. .AppleDouble VFS integration
+
+ FPSetACL sets ACLs on files and dirs. Our implementation also sets the same ACL on the
+ .AppleDouble file for files and on the .AppleDouble dir itself for dirs.
+
+ Thereafter ACLs for created files is taken care of by ACLs own inheritance rules.
+
+ For dirs on the other hand whe have to make sure that any ACL the dir inherits is
+ copied verbatim to its .AppleDouble dir.
+
+
+ January 2009, Frank Lahm
\ No newline at end of file
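Review bot: the added file reproduces every typo of the removed copy, starting with the title "ACLs - Konfiguration and Infos vor Developpers" and continuing with "Implemantation Notes", "volume defintions", "Therefor", "identic attributes", "whe have to make sure" and "any ACL rigths", and it still ends with no trailing newline; since the move rewrites every line anyway, fix these in the same change ("ACLs - Configuration and Information for Developers", "Implementation Notes", "definitions", "Therefore", "identical", "we", "rights") rather than carrying them into the new location. In the "Authentication Domain" section, the shortcut of duplicating LDAP/OD users and groups into /etc/passwd and /etc/group should state plainly that the starred condition ("as long as user/group names/ids in the filesystem are equal to their counterparts in the LDAP/OD datastore") is what keeps ACL evaluation bound to the right principal: a uid or gid that drifts between the two stores silently grants the ACEs of one account to another, so it is a security requirement, not a convenience. In "3. Netatalk Volumes" the "nostat" instruction gives the rule but not the reason; one sentence on what the option changes for a basedir such as "0700 root:adm" would let an admin judge whether it applies to their layout. In the "FPAccess" note, "add ACE_DELETE_CHILD if the requestor has write permissions" should say explicitly whether this only widens the rights reported to the client or also changes what the server enforces, since the two have very different security implications and the text as written does not distinguish them.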
+++ /dev/null
-
- ACLs - Konfiguration and Infos vor Developpers
- ==============================================
-
-ACL support for AFP is implemented with NFSv4 ACLs. Few filesystems and fewer OSes support
-these. At the time of implementation its only provided with ZFS on Solaris, Opensolaris and
-derived distributions.
-
- Configuration
- -------------
-
-In order to be able to support ACLs, the following things have to be configured:
-
-1. ZFS Volumes
-2. Authentication Domain
-3. Netatalk Volumes
-
- 1. ZFS Volumes:
-
- You MUST configure two ACL parameters for any volume you want to use with Netatalk:
-
- aclinherit = passthrough
- aclmode = passthrough
-
- For an explanation of what these parameters mean and how to apply them see, your hosts
- ZFS documentation (e.g. man zfs).
-
- 2. Authentication Domain
-
- Your server and the clients must be part of a security association where identity data
- is coming from a common source. ACLs in Darwin are based on UUIDs and so is the ACL
- specification in AFP 3.2. Therefor your source of identity data has to provide an
- attribute for every user and group where a UUID is stored as a ASCII string.
-
- In other words:
- - you need an Open Directory Server or an LDAP server where you store UUIDs in some
- attribute
- - your clients must be configured to use this server
- - your server should be configured to use this server via nsswitch and PAM. This
- however is not a strict requirement:
- if you create duplicates of every LDAP/OD user and group with identic attributes
- (name, uid, gid) in your local data store (/etc/[passwd|group]) things will work
-
- * as long as user/group names/ids in the filesystem are equal *
- * to their counterparts in the LDAP/OD datastore *
-
- - configure Netatalk via afp_ldap.conf so that Netatalk is able to retrieve the UUID
- for users and groups via LDAP search queries
-
- 3. Netatalk Volumes
-
- Finally you can add "options:acls" to your volume defintions to add ACL support.
- In case your volume basedir doesn't grant read permissions via mode (like: 0700 root:adm)
- but only via ACLs, you MUST add the "nostat" option to the volume defintion.
-
- Implemantation Notes
- --------------------
-
-Some implementation details that are buried in the code are worthwhile to be documented.
-
-1. Darwin ACEs vs NFSv4 ACEs
-2. .AppleDouble VFS integration
-
- 1. Darwin ACEs vs NFSv4 ACEs
-
- Basically as far as implementing AFP support is concerned they're equivalent.
- Subtleties arise at other places:
-
- FPAccess
-
- The AFP client frequently checks the (DARWIN_)ACE_DELETE_CHILD right. This is most
- often not explicitly granted via an ACE. Therefor the client would get an no access
- error. The client in turn then declares the object in question read only.
- Thus we have to the check the mode for every directory and add ACE_DELETE_CHILD if
- the requestor has write permissions.
-
- FPGetFileDirParms
-
- 10.5 does not only use unix mode and FPAccess for permission check, but also OS 9
- access bits from FPGetFileDirParms. Thus we have to adjust the Access Rights bitmap
- user bits by including any ACL rigths.
-
- 2. .AppleDouble VFS integration
-
- FPSetACL sets ACLs on files and dirs. Our implementation also sets the same ACL on the
- .AppleDouble file for files and on the .AppleDouble dir itself for dirs.
-
- Thereafter ACLs for created files is taken care of by ACLs own inheritance rules.
-
- For dirs on the other hand whe have to make sure that any ACL the dir inherits is
- copied verbatim to its .AppleDouble dir.
-
-
- January 2009, Frank Lahm
\ No newline at end of file
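Review bot: the removed copy is byte-for-byte identical to the added one, including the missing trailing newline, so this is a pure move rather than a content change; record it as a rename (git mv, or produce the diff with rename detection enabled) so that the file's history and blame follow it to the new path instead of appearing as a delete plus an unrelated add. If the intent is to fix the documentation text as well, do that in a separate follow-up commit so the rename stays reviewable on its own.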