+++ /dev/null
-
- ACLs - Konfiguration and Infos vor Developpers
- ==============================================
-
-ACL support for AFP is implemented for Solaris/ZFS/NFSv4 ACLs and POSIX 1e ACLs.
-
- Configuration
- -------------
-
-In order to be able to support ACLs, the following things have to be configured:
-
-1. For Solaris/ZFS: ZFS Volumes
-2. Authentication Domain
-3. Netatalk Volumes
-
- 1. ZFS Volumes:
-
- You MUST configure two ACL parameters for any volume you want to use with Netatalk:
-
- aclinherit = passthrough
- aclmode = passthrough
-
- For an explanation of what these parameters mean and how to apply them see, your hosts
- ZFS documentation (e.g. man zfs).
-
- 2. Authentication Domain
-
- Your server and the clients must be part of a security association where identity data
- is coming from a common source. ACLs in Darwin are based on UUIDs and so is the ACL
- specification in AFP 3.2. Therefor your source of identity data has to provide an
- attribute for every user and group where a UUID is stored as a ASCII string.
-
- In other words:
- - you need an Open Directory Server or an LDAP server where you store UUIDs in some
- attribute
- - your clients must be configured to use this server
- - your server should be configured to use this server via nsswitch and PAM
- - configure Netatalk via afp_ldap.conf so that Netatalk is able to retrieve the UUID
- for users and groups via LDAP search queries
-
- ALL USERS AND GROUPS USED ON VOLUMES WHERE ACLS ARE USED SHOULD THEN COME FROM
- THE SHARED AUTHENTICATION DOMAIN !
-
- 3. Netatalk Volumes
-
- Finally you can add "options:acls" to your volume defintions to add ACL support.
- In case your volume basedir doesn't grant read permissions via mode (like: 0700 root:adm)
- but only via ACLs, you MUST add the "nostat" option to the volume defintion.
-
- Implemantation Notes
- --------------------
-
-Some implementation details that are buried in the code are worthwhile to be documented.
-
-1. Darwin ACEs vs NFSv4 ACEs
-2. .AppleDouble VFS integration
-
- 1. Darwin ACEs vs NFSv4 ACEs
-
- Basically as far as implementing AFP support is concerned they're equivalent.
- Subtleties arise at other places:
-
- * FPAccess:
- The (10.5) AFP client frequently checks the (DARWIN_)ACE_DELETE_CHILD right. This is most
- often not explicitly granted via an ACE. Therefor the client would get an no access
- error. The client in turn then declares the object in question read only.
- Thus we have to the check the mode for every directory and add ACE_DELETE_CHILD if
- the requestor has write permissions.
-
- * FPGetFileDirParms:
- 10.5 does not only use unix mode and FPAccess for permission check, but also OS 9
- access bits from FPGetFileDirParms. Thus we have to adjust the Access Rights bitmap
- user bits by including any ACL rigths.
-
- 2. .AppleDouble VFS integration
-
- FPSetACL sets ACLs on files and dirs. Our implementation also sets the same ACL on the
- .AppleDouble file for files and on the .AppleDouble dir itself for dirs.
-
- Thereafter ACLs for created files is taken care of by ACLs own inheritance rules.
-
- For dirs on the other hand whe have to make sure that any ACL the dir inherits is
- copied verbatim to its .AppleDouble dir.
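Review bot: This hunk deletes the whole ACL developer document without a visible replacement, and several of the removed paragraphs are operational requirements rather than commentary, so please confirm in the commit message where they now live (a man page or the main docs) before merging. In particular the ZFS prerequisites "aclinherit = passthrough" / "aclmode = passthrough", the rule that a volume with "options:acls" whose basedir grants access only via ACLs (e.g. 0700 root:adm) also needs "nostat", and the shared-authentication-domain requirement (UUIDs for every user and group via afp_ldap.conf) are things an administrator gets wrong silently if they are undocumented. The implementation notes about adding ACE_DELETE_CHILD when the requestor has write permission, adjusting the OS 9 access bits from ACL rights, and copying an inherited directory ACL verbatim to its .AppleDouble dir are also the only written rationale for that behaviour in the code; if they are not moved elsewhere, consider keeping them as comments next to the relevant functions rather than dropping them.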