generic ACL interface (RFC)

Luke Kenneth Casson Leighton lkcl at
Wed Jul 28 20:51:06 GMT 1999

On Wed, 28 Jul 1999, Cole, Timothy D. wrote:

> > so, if the HP/UX ACL implementation supports something nice (which someone
> > mentioned that it did, which posix does not) then we can map it to an NT
> > ACE or whatever.
> > 
> 	Not always.  Some HP ACEs simply cannot be mapped into NT ACEs at
> all -- among others, those that contain both a user and a group
> specification.

in the security descriptor, in individual ACE entries?  NT does that, too.
SIDs can represent anything: users, groups, aliases, in any domain.
whether you can _resolve_ that sid to something useful is another matter
:-) :-) e.g if you break a trusted domain relationship or reinstall a
workstation (and thereby destroy / replace its workstation sid).

in other words, a security descriptor can say "this group has read/write
permissions; this user has full control; the built-in power user's group
are allowed full control; administrator of workstation ABC is denied all
access; etc".

is that what you mean?

More information about the samba-technical mailing list