NT ACL / Security descriptor checking function

Cole, Timothy D. timothy_d_cole at md.northgrum.com
Tue Feb 15 16:28:32 GMT 2000

> -----Original Message-----
> From:	Michael Stockman [SMTP:pgmtekn-micke at algonet.se]
> Sent:	Thursday, February 10, 2000 20:27
> To:	Multiple recipients of list SAMBA-TECHNICAL
> Subject:	Re: NT ACL / Security descriptor checking function
> Is RID really the way to go??? Access checks in samba has so far been
> POSIX, RID would break this (and create vast amounts of headache when
> samba can properly understand the difference between local accounts
> and remote accounts, unless RID means SID).
> I think we should create our ACL implementation aiming on (future?)
> file support too (one ACL support for all ACLs) and thus have and
> internal POSIX based ACL which can map both UNIX ACLs and NT ACLs.
> Yes, I'm aware that doing it properly will take some time, but if you
> count two days for a hack and two years for someone to get round to a
> proper implementation that meets all requirements, which is the
> longest?
	Honestly, I think it's best to use NT ACLs for NT-specific
interfaces (most of TNG, the rpc stuff certainly, NT setacl SMBs), and then
have a generic ACL facility (abstracting native ACLs) for non-NT specific
areas.  Otherwise, you end up translating ACLs needlessly, and it's lossy,

	The generic ACL facility (plus NT mapping) is something I've been
doing work on here, I just need to get an OK to release it.  The SID<->posix
id mapping stuff I've been doing on my own time.

	The one big gap remaining is what luke needs here -- APIs to check
and mainipulate NT ACLs.

More information about the samba-technical mailing list