NT file-permissions
Allan Bjorklund
allan at umich.edu
Thu Jul 22 14:26:22 GMT 1999
--On Wednesday, July 21, 1999, 5:40 PM +1000 Robert Frank
<frank at ifi.unibas.ch> wrote:
> > --On Wednesday, July 21, 1999, 6:09 AM +1000 Oliver Raupach
>> <oliver at mm.gop.de> wrote:
>>
>> > "Cole, Timothy D." wrote:
>> >>
>> >> Hrm; are you talking about "faking" full ACLs in Samba itself
>> >> (probably using metadata stored in files someplace)
>> >
>> > Yes, that's exactly what I need.
>> >
>> > I need a "special share" which supports the NT file permissions. So, I
>> > can add quick some users for read or write access for one single file
>> > or directory without building UNIX-groups....
>> >
>> >> I'm don't think the former is a good idea: it causes the burden of
>> >> access control to fall on Samba, rather than the OS. Among other
>> >> things, that would allow (indeed, require, if the underlying OS did
>> >> not support ACLs) the access granted by Samba and the OS to get out of
>> >> sync.
>> >
>> > Yes, thats right. Samba has to do the whole access control stuff.
>>
>> But then you get inconsistent behavior for the same user between
>> your UNIX/Mac/Whatever logins and NT.
>
> Unless you restrict the entire (sub)tree to a unique user, restrict all
> access to that user and tell samba to access that (sub)tree as that user
> only. In this way you shut out all but the root unix users ... And if you
> really need unix access, well, use the samba libraries to build the unix
> tools ... (should be no problem with linux: a new filesystem library?)
But all the world is not Linux and it seems really silly to add
another layer to basically undo the action of a previous layer.
Building a specific scheme like this into SAMBA is just not good.
Doing dynamically loaded libraries that can be loaded on a per share
basis to handle special permission schemes is. It gives everyone the
flexibilty to do what they need.
--Allan
===================================================================
Allan Bjorklund | allan at umich.edu
Systems Research Programmer | University of Michigan
Research Systems UNIX Group | 535 W. William St.
Information Technology Division | Ann Arbor, MI 48103
1-(734)-763-9391 | U.S.A.
===================================================================
More information about the samba-technical
mailing list