allan at umich.edu
Tue Jul 20 22:01:11 GMT 1999
--On Wednesday, July 21, 1999, 6:09 AM +1000 Oliver Raupach
<oliver at mm.gop.de> wrote:
> "Cole, Timothy D." wrote:
>> Hrm; are you talking about "faking" full ACLs in Samba itself (probably
>> using metadata stored in files someplace)
> Yes, that's exactly what I need.
> I need a "special share" which supports the NT file permissions. So, I
> can quickly add some users for read or write access for one single file
> or directory without building UNIX-groups....
>> I don't think the former is a good idea: it causes the burden of
>> access control to fall on Samba, rather than the OS. Among other
>> things, that would allow (indeed, require, if the underlying OS did not
>> support ACLs) the access granted by Samba and the OS to get out of sync.
> Yes, that's right. Samba has to do the whole access control stuff.
But then you get inconsistent behavior for the same user between
your UNIX/Mac/Whatever logins and NT.
I don't like that and would not want to see it become built in.
> Probably there
> would be a special share like this:
> comment = Foo Stuff
> path = /samba_fs/foo
> full NT acl = yes
> acl file = /samba_fs/acl/foo_acl.dbm
> force user = foo_user
> force group = foo_group
> "full NT acl" switches on the NT ACL support and "acl file = ...." is a
> holding the NT ACL information. This database can only be changed from NT
> NT explorer....
And this will create a database replication problem for
sites (like ours) that use multiple servers to export the same
file system (AFS).
I also don't like that and would not want to see it built in.
An abstracted ACL interface that allows an admin to specify ACL
modules on a per share basis to take advantage of file system
specifics would be very good. And if you wanted to write a module
that let you provide an ACL database like the one proposed above,
Also the abstracted interface should not tie itself to the UNIX
owner/group/other pattern. I've looked at extending the existing
ACL code to handle AFS ACLs, but the o/g/o triad built into the
structure of that code is making it a messy job.
Allan Bjorklund | allan at umich.edu
Systems Research Programmer | University of Michigan
Research Systems UNIX Group | 535 W. William St.
Information Technology Division | Ann Arbor, MI 48103
1-(734)-763-9391 | U.S.A.
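
A sketch of the per-share ACL module interface proposed in this message, as an added example that is not part of the original post and is not Samba code: the interface, module names, rights constants and structs are all hypothetical. The AFS module maps only the r, w and a letters and ignores negative rights.

```c
#include <string.h>

/* Hypothetical interface (not Samba's): a share names one module, and the
 * caller only ever asks "may these identities do `want` on this object?" */
enum { R_READ = 1, R_WRITE = 2, R_ADMIN = 4 };

struct acl_module {
    const char *name;
    int (*allowed)(const void *obj, const char *const *ids, int n, unsigned want);
};

static int has_id(const char *const *ids, int n, const char *who) {
    for (int i = 0; i < n; i++)
        if (strcmp(ids[i], who) == 0) return 1;
    return 0;
}

/* Module 1: UNIX mode bits. The first matching class decides (owner, group, other).
 * Simplification: user and group names share one identity list. */
struct unix_obj { const char *owner, *group; unsigned mode; };

static int unix_allowed(const void *obj, const char *const *ids, int n, unsigned want) {
    const struct unix_obj *o = obj;
    unsigned bits = has_id(ids, n, o->owner) ? o->mode >> 6
                  : has_id(ids, n, o->group) ? o->mode >> 3 : o->mode;
    unsigned have = ((bits & 4) ? R_READ : 0) | ((bits & 2) ? R_WRITE : 0);
    return (have & want) == want;
}

/* Module 2: AFS-style list of (principal, rights letters); matching entries add up.
 * No owner/group/other slots are needed anywhere in this module. */
struct afs_entry { const char *who, *rights; };
struct afs_obj { const struct afs_entry *e; int n; };

static int afs_allowed(const void *obj, const char *const *ids, int n, unsigned want) {
    const struct afs_obj *o = obj;
    unsigned have = 0;
    for (int i = 0; i < o->n; i++) {
        if (!has_id(ids, n, o->e[i].who)) continue;
        if (strchr(o->e[i].rights, 'r')) have |= R_READ;
        if (strchr(o->e[i].rights, 'w')) have |= R_WRITE;
        if (strchr(o->e[i].rights, 'a')) have |= R_ADMIN;
    }
    return (have & want) == want;
}

static const struct acl_module unix_acl = { "unix", unix_allowed };
static const struct acl_module afs_acl  = { "afs",  afs_allowed };
```

Because the decision is delegated to the file system's own semantics, the answer given over SMB matches what the same user would get from a local login on that file system.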