Re: [Samba] samba-ad linux clients random access denied to network share

["Björn JACKE" <bjacke@SerNet.DE>]

Hello Steve and other cifs developers,

On 2022-04-07 at 16:25 -0500 Steve French via samba sent off:
> If you have particular hot bugs for cifs.ko that you need fixed - please
> let me know.

back in 2020 we've added the cifs mailing list as qa contact in bugzilla, so
that bugzilla bugs get more visible to the developers.

At the same point I also went through all the open bug reports of cifs vfs,
which had partly been very old. I also closed a bunch of them as they had been
fixed a while after they were reported there - but not because they were
reported in bugzilla obviously. I was hoping to improve that situation with bug
reports getting not enough attention my adding the cifs mailinglist as qa
contact, this was my motivation.

Just pointing out those bugs that I myself reported in bugzilla.samba.org in
2020, all stayed uncommented till today; except for the "better error message"
bug all of them are important for enterprise customers, this is also where they
popped up:

14398  	cifs vfs should pause if krb5 ticket is not valid 
14440   creator owner (S-1-3-0) ACE not honored 
14506   cifs mount with missing krb5 key should give better error message 
14507   cifs ACL exec permission granted where it should be denied 

And last but not least a big topic:

14499   expose NT ACLs via system.nfs4_acl EA 

This idea popped up in the discussion of the 2020 SambaXP discussion after your
talk. Having a standardized permission management tool like the nfs4-acl-tools
is really something that is important.

Also the fact that Linux still has no standardized ACL implementation (NFS4 ACL
are the only standardized ones) in the kernel is preventing many enterprise
customers to use Linux on client machines. Without that, permission management
is such a pain that they usually give up any client installation efforts sooner
or later.  I think the cifs vfs developers would have the power to convince the
responsible kernel developers to add this to the kernel.

I can say from my experience at various customer sites very clearly that cifs
vfs will *not* be accepted widely in the enterprise world, without generic NFS4
ACLs implemented in the kernel alongside.


> SMB3.1.1 is simpler in some ways than NFS (no SunRPC to deal with) and
> should be easier to fix bugs in many cases.

maybe it is simpler, but for the above mentioned reasons, SMB on the Linux
client side is no option for most enterprise environments. They prefer NFS and
I understand why. I really wish this would change, this is why I write these
lines so bluntly.

Björn
-- 
SerNet GmbH - Bahnhofsallee 1b - 37081 Göttingen
phone: +495513700000  mailto:contact@sernet.com
AG Göttingen: HR-B 2816 - https://www.sernet.com
Manag. Directors Johannes Loxen and Reinhild Jung
data privacy policy https://www.sernet.de/privacy

Samba eXPerience 2022 - online edition!
from May 31st to June 2nd, 2022 at Zoom
sponsored by Google, Microsoft & SerNet
more information at https://sambaXP.org