generic ACL interface (RFC)
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Wed Jul 28 20:51:06 GMT 1999
On Wed, 28 Jul 1999, Cole, Timothy D. wrote:
> > so, if the HP/UX ACL implementation supports something nice (which someone
> > mentioned that it did, which posix does not) then we can map it to an NT
> > ACE or whatever.
> >
> Not always. Some HP ACEs simply cannot be mapped into NT ACEs at
> all -- among others, those that contain both a user and a group
> specification.
in the security descriptor, in individual ACE entries? NT does that, too.
SIDs can represent anything: users, groups, aliases, in any domain.
whether you can _resolve_ that sid to something useful is another matter
:-) :-) e.g if you break a trusted domain relationship or reinstall a
workstation (and thereby destroy / replace its workstation sid).
in other words, a security descriptor can say "this group has read/write
permissions; this user has full control; the built-in power user's group
are allowed full control; administrator of workstation ABC is denied all
access; etc".
is that what you mean?
More information about the samba-technical
mailing list