Permissions

Alexander Bokovoy a.bokovoy at sam-solutions.net
Fri Aug 31 15:24:07 GMT 2001


On Fri, Aug 31, 2001 at 09:52:42AM -0500, Justin L. Boss wrote:
> I have a question.
> 
> The limitations of Samba seem to me to be because of the differences of UNIX
> and NT, it is like trying to get a round block to fit into a square hole
> when trying to get Samba and UNIX users, groups, and permissions to work
> together. For example, you have to keep two password files and you have to
> add a UNIX user for all Samba users, which makes it necessary for a lot of
> complicated scripts for all the different flavors of UNIX, not to mention
> the confusion it can cause when the UNIX permissions are different than that
> of your write list. Also UNIX and NT permissions are totally different,
> limiting Samba in its security abilities and features, it also slows down
> its development. It appears that a lot of time and coding have been spent
> trying to get UNIX and NT to be compatible with each other. My question is
> why not separate Samba from UNIX? What I mean is instead of Samba using the
> UNIX user to create files, remove all UNIX accounts and just have Samba use
> the root account to create all files and directories ( root rwx --- ---),
> then Samba would take care of security by also creating a small file with
> "acl%" (hard coded in Samba to not be visible and accessible in shares) in
> front of it like "acl%document.doc" ("document.doc" being the real name of
> the file). That acl file would contain the Access control list information.
> Then Samba would look at that acl file before granting access to the user.
> You would no longer need UNIX users or groups. There would also need to
> be a smb.group. Directories would be the same, just a different symbol like
> "acl@" or whatever. There are so many problems that this would solve, no
> write list, no admin user, and so many others. The smb.conf file would be
> just for configuration. Opening the door for the Samba team to work on more
> important things. I don't know, maybe all these little acl files will take
> up too much space, or maybe they can just create an acl for files that
> are assigned special permissions and a default acl will apply to all other
> files. I don't know, this is probably a stupid idea but I have to ask. Don't
> run me too hard.
[skip]
Please read the documentation from the Samba 2.2 series about Winbind and ACL
support. Samba software already has support for managing NT ACLs on Unix
as well as for allowing the use of NT users/groups as 'native' Unix
users/groups without the need to synchronize accounts.

-- 
/ Alexander Bokovoy
$ cat /proc/identity >~/.signature
  `Senior software developer and analyst for SaM-Solutions Ltd.`
---
Most burning issues generate far more heat than light.




More information about the samba-technical mailing list