+
+ ACLs - Konfiguration and Infos vor Developpers
+ ==============================================
+
+ACL support for AFP is implemented with NFSv4 ACLs. Few filesystems and fewer OSes support
+these. At the time of implementation its only provided with ZFS on Solaris, Opensolaris and
+derived distributions.
+
+ Configuration
+ -------------
+
+In order to be able to support ACLs, the following things have to be configured:
+
+1. ZFS Volumes
+2. Authentication Domain
+3. Netatalk Volumes
+
+ 1. ZFS Volumes:
+
+ You MUST configure two ACL parameters for any volume you want to use with Netatalk:
+
+ aclinherit = passthrough
+ aclmode = passthrough
+
+ For an explanation of what these parameters mean and how to apply them see, your hosts
+ ZFS documentation (e.g. man zfs).
+
+ 2. Authentication Domain
+
+ Your server and the clients must be part of a security association where identity data
+ is coming from a common source. ACLs in Darwin are based on UUIDs and so is the ACL
+ specification in AFP 3.2. Therefor your source of identity data has to provide an
+ attribute for every user and group where a UUID is stored as a ASCII string.
+
+ In other words:
+ - you need an Open Directory Server or an LDAP server where you store UUIDs in some
+ attribute
+ - your clients must be configured to use this server
+ - your server should be configured to use this server via nsswitch and PAM. This
+ however is not a strict requirement:
+ if you create duplicates of every LDAP/OD user and group with identic attributes
+ (name, uid, gid) in your local data store (/etc/[passwd|group]) things will work
+
+ * as long as user/group names/ids in the filesystem are equal *
+ * to their counterparts in the LDAP/OD datastore *
+
+ - configure Netatalk via afp_ldap.conf so that Netatalk is able to retrieve the UUID
+ for users and groups via LDAP search queries
+
+ 3. Netatalk Volumes
+
+ Finally you can add "options:acls" to your volume defintions to add ACL support.
+ In case your volume basedir doesn't grant read permissions via mode (like: 0700 root:adm)
+ but only via ACLs, you MUST add the "nostat" option to the volume defintion.
+
+ Implemantation Notes
+ --------------------
+
+Some implementation details that are buried in the code are worthwhile to be documented.
+
+1. Darwin ACEs vs NFSv4 ACEs
+2. .AppleDouble VFS integration
+
+ 1. Darwin ACEs vs NFSv4 ACEs
+
+ Basically as far as implementing AFP support is concerned they're equivalent.
+ Subtleties arise at other places:
+
+ FPAccess
+
+ The AFP client frequently checks the (DARWIN_)ACE_DELETE_CHILD right. This is most
+ often not explicitly granted via an ACE. Therefor the client would get an no access
+ error. The client in turn then declares the object in question read only.
+ Thus we have to the check the mode for every directory and add ACE_DELETE_CHILD if
+ the requestor has write permissions.
+
+ FPGetFileDirParms
+
+ 10.5 does not only use unix mode and FPAccess for permission check, but also OS 9
+ access bits from FPGetFileDirParms. Thus we have to adjust the Access Rights bitmap
+ user bits by including any ACL rigths.
+
+ 2. .AppleDouble VFS integration
+
+ FPSetACL sets ACLs on files and dirs. Our implementation also sets the same ACL on the
+ .AppleDouble file for files and on the .AppleDouble dir itself for dirs.
+
+ Thereafter ACLs for created files is taken care of by ACLs own inheritance rules.
+
+ For dirs on the other hand whe have to make sure that any ACL the dir inherits is
+ copied verbatim to its .AppleDouble dir.
+
+
+ January 2009, Frank Lahm
\ No newline at end of file