VFS_FREEBSD(8) System Administration tools VFS_FREEBSD(8)

vfs_freebsd - FreeBSD-specific VFS functions

vfs objects = freebsd

This VFS module is part of the samba(7) suite.

The vfs_freebsd module implements some of the FreeBSD-specific VFS functions.

This module is stackable.

freebsd:extattr mode=[legacy|compat|secure]
This parameter defines how the emulation of the Linux attr(5) extended attributes is performed through the FreeBSD native extattr(9) system calls.

Linux currently defines the security, system, trusted and user extended attribute (xattr) classes. FreeBSD, by contrast, has only the USER and SYSTEM extended attribute (extattr) namespaces, so mapping one set onto the other isn't straightforward and can be done in different ways.

Historically, the Samba(7) built-in xattr mapping implementation simply converted system and user xattrs into the corresponding SYSTEM and USER extattr namespaces, dropping the class prefix and the separating dot and using only the attribute name within the mapped namespace. It also rejected any other xattr classes, such as security and trusted, as invalid. In particular, this behavior broke AD provisioning on UFS2 file systems, because the essential security.NTACL xattr was rejected as invalid.

This module tries to address this problem and to provide a way, secure where possible, to map Linux xattrs into FreeBSD's extattrs.

When mode is set to legacy (the default), a modified version of the built-in mapping is used: system xattrs are mapped into the SYSTEM namespace, while security, trusted and user xattrs are all mapped into the USER namespace, with their class prefixes dropped, so they are all mixed together. This is how the Samba FreeBSD ports were patched up to version 4.9, and it created multiple potential security issues. This mode is intended only for compatibility with legacy installations and should be avoided in new setups.

The compat mode is mostly designed for jailed environments, where it is not possible to write extattrs into the secure SYSTEM namespace, so all four classes are mapped into the USER namespace. To preserve information about the origin of an extended attribute, it is stored together with the class prefix in the class.attribute format.

The secure mode is meant for storing extended attributes in a secure manner, so that security, system and trusted are stored in the SYSTEM namespace, which can be modified only by root.

Table 1. Attributes mapping

class      built-in             legacy             compat/jail                secure
user       USER; attribute      USER; attribute    USER; user.attribute       USER; user.attribute
system     SYSTEM; attribute    SYSTEM; attribute  USER; system.attribute     SYSTEM; system.attribute
trusted    FAIL                 USER; attribute    USER; trusted.attribute    SYSTEM; trusted.attribute
security   FAIL                 USER; attribute    USER; security.attribute   SYSTEM; security.attribute
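
The mapping in Table 1 can be modelled to show where each mode lets distinct xattr names land on the same extattr, and where root-only classes end up in the USER namespace. This is an added example, not code from Samba or from this man page; the function names and the sample attribute names other than security.NTACL are constructed for illustration.

```python
# Added illustration: a model of Table 1, not Samba's implementation.
PRIVILEGED = {"security", "system", "trusted"}  # classes the secure mode keeps in SYSTEM
CLASSES = PRIVILEGED | {"user"}


def map_xattr(mode, name):
    """Return (namespace, stored_name) for a Linux xattr name, per Table 1."""
    cls, sep, attr = name.partition(".")
    if not sep or not attr or cls not in CLASSES:
        raise ValueError(f"invalid xattr name: {name!r}")
    if mode == "built-in":
        if cls not in ("user", "system"):
            raise ValueError(f"{cls} class rejected by built-in mapping")
        return (cls.upper(), attr)
    if mode == "legacy":
        # Class prefix is dropped; only system stays out of USER.
        return ("SYSTEM" if cls == "system" else "USER", attr)
    if mode == "compat":
        # Everything goes to USER, but the class prefix is kept.
        return ("USER", name)
    if mode == "secure":
        return ("SYSTEM" if cls in PRIVILEGED else "USER", name)
    raise ValueError(f"unknown mode: {mode!r}")


def audit(mode, names):
    """Report name collisions and privileged-class attributes stored in USER."""
    seen, collisions, exposed = {}, [], []
    for name in names:
        try:
            target = map_xattr(mode, name)
        except ValueError:
            continue  # rejected names are never stored
        if target in seen:
            collisions.append((seen[target], name))
        seen.setdefault(target, name)
        if name.split(".")[0] in PRIVILEGED and target[0] == "USER":
            exposed.append(name)
    return {"collisions": collisions, "privileged_in_USER": exposed}


# Constructed sample names; only security.NTACL appears in the man page.
SAMPLE = ["security.NTACL", "user.NTACL", "trusted.note", "system.note"]

if __name__ == "__main__":
    for mode in ("built-in", "legacy", "compat", "secure"):
        print(mode, audit(mode, SAMPLE))
```

Only the secure mode reports neither a collision nor a privileged-class attribute in the USER namespace for this sample.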

Use the secure method of setting extended attributes on the share:

	[sysvol]
	vfs objects = freebsd
	freebsd:extattr mode = secure

This man page is part of version 4.10.5 of the Samba suite.

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

This module was written by Timur I. Bakeyev

06/24/2019 Samba 4.10.5
