NT file-permissions

Allan Bjorklund allan at umich.edu
Tue Jul 20 22:01:11 GMT 1999


--On Wednesday, July 21, 1999, 6:09 AM +1000 Oliver Raupach
<oliver at mm.gop.de> wrote:

> "Cole, Timothy D." wrote:
>> 
>> Hrm; are you talking about "faking" full ACLs in Samba itself (probably
>> using metadata stored in files someplace)
> 
> Yes, that's exactly what I need. 
> 
> I need a "special share" which supports the NT file permissions. So I 
> can quickly add some users for read or write access for one single file 
> or directory without building UNIX groups....
> 
>> I don't think the former is a good idea:  it causes the burden of
>> access control to fall on Samba, rather than the OS.  Among other
>> things, that would allow (indeed, require, if the underlying OS did not
>> support ACLs) the access granted by Samba and the OS to get out of sync.
> 
> Yes, that's right. Samba has to do the whole access control stuff.

  But then you get inconsistent behavior for the same user between
your UNIX/Mac/Whatever logins and NT.

  I don't like that and would not want to see it become built in.

> Probably there
> would be a special share like this:
> 
> [foo]
>     comment = Foo Stuff
>     path = /samba_fs/foo
>     full NT acl = yes
>     acl file = /samba_fs/acl/foo_acl.dbm
>     force user = foo_user
>     force group = foo_group
> 
> 
> "full NT acl" switches on the NT ACL support and "acl file = ...." is a
> database holding the NT ACL information. This database can only be
> changed from NT with NT Explorer....

  And this will create a database replication problem for
sites (like ours) that use multiple servers to export the same
file system (AFS).

  I also don't like that and would not want to see it built in.


  An abstracted ACL interface that allows an admin to specify ACL
modules on a per share basis to take advantage of file system
specifics would be very good. And if you wanted to write a module
that let you provide an ACL database like the one proposed above, 
you can.

  Also the abstracted interface should not tie itself to the UNIX
owner/group/other pattern.  I've looked at extending the existing
ACL code to handle AFS ACLs, but the o/g/o triad built into the
structure of that code is making it a messy job.

--Allan

  ===================================================================
  Allan Bjorklund                  |                  allan at umich.edu
  Systems Research Programmer      |           University of Michigan
  Research Systems UNIX Group      |               535 W. William St.
  Information Technology Division  |              Ann Arbor, MI 48103
  1-(734)-763-9391                 |                           U.S.A.
  ===================================================================
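The out-of-sync problem argued in this thread, as an added illustration that is not from the thread and not Samba code: a toy Python model of the proposed "acl file" share. Samba consults a per-file NT ACL database and then touches the file as the forced user, while a UNIX login on the same file system sees only owner/group/other. The user names, the ACL record format and the sample file are all constructed for the example.

```python
"""Toy model of a share where Samba enforces NT ACLs from a side database
while every file is owned by 'force user' / 'force group'.  It shows the
divergence between SMB access and UNIX-login access for the same user."""
from dataclasses import dataclass, field


@dataclass
class NtAcl:
    # Hypothetical NT-style ACL record: explicit per-user allow/deny sets.
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)


@dataclass
class UnixFile:
    owner: str
    group: str
    mode: int      # POSIX mode bits, e.g. 0o640
    members: dict  # group name -> set of users (stand-in for /etc/group)


def unix_can_read(f, user):
    """Classic owner/group/other read check, as a UNIX login would get."""
    if user == f.owner:
        return bool(f.mode & 0o400)
    if user in f.members.get(f.group, set()):
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)


def samba_can_read(acl_db, path, user, unix_file, force_user):
    """Samba-side check for the proposed share: the ACL database decides,
    then the file is opened as the forced user, not as the real user."""
    acl = acl_db.get(path)
    if acl is not None and (user in acl.deny or user not in acl.allow):
        return False
    return unix_can_read(unix_file, force_user)


def divergence(acl_db, path, user, unix_file, force_user):
    """Return (via_smb, via_unix_login) so a mismatch is visible."""
    return (samba_can_read(acl_db, path, user, unix_file, force_user),
            unix_can_read(unix_file, user))


# Constructed sample: share contents owned by foo_user/foo_group, mode 0640;
# the ACL database allows alice and dave but denies bob on one file.
SAMPLE_FILE = UnixFile("foo_user", "foo_group", 0o640,
                       {"foo_group": {"foo_user", "alice", "bob"}})
SAMPLE_ACL_DB = {"/samba_fs/foo/secret.txt":
                 NtAcl(allow={"alice", "dave"}, deny={"bob"})}
```

With this sample, bob is denied over SMB but can still read the file from a UNIX login through foo_group, and dave is allowed over SMB although UNIX denies him; both directions of the mismatch are exactly the inconsistency the thread objects to.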


More information about the samba-technical mailing list