ACL / SD support

Michael Stockman pgmtekn-micke at
Wed Feb 16 19:35:58 GMT 2000


> if you have posix acls, you're going to have to write _some_ sort of
> conversion, the conversion is unavoidable.

Actually, you are going to need some conversions regardless of posix
or nt SDs/ACLs. Can you prove that there is more conversions needed
with posix ACLs than NT ACLs and (if so) that the extra processing
does not outweigh the advantage that the ACLs are available to the
unix admin outside of samba?

> if you have HPUX acls, you have to write _some_ sort of conversion,
> conversion is unavoidable.

And if you have Solaris ACLs and if you have Linux ACLs and if you
have NT ACLs. I have said this all along.

> what i don't get is why you want to convert from security
descriptors to a
> new, intermediate, internal API that has to support both a maximum
_and_ a
> minimum of the functionality provided _by_ security descriptors, it
> doesn't buy you anything.
> does it?

Yes, you don't need to create one samba for HPUX, one for Solaris, one
for Linux, and what you propose to do for those with several kinds of
file systems on the same computer, I don't know. You cannot convince
me that this would be better and/or easier.

Second, I don't get why you want an SD implementation that is exactly
equal to the NT implementation. Our needs are different from NT's, and
thus our implementation will be. Just read John E. Malmberg's
excellent postings in the matter.

Third, if you say that you don't get the issues, why won't you believe
what I tell you. It is not progressive to three times in a row say
that you don't get it, and it is not progressive to not finish
arguments. You could at least confirm if you have changed opinion in a
private mail.

> > Hello,
> >
> > > > The intent is to make an API to uniformly work with SDs in
> > > > regardless of the format it is saved in. I think it would be
> > if
> > > > you wouldn't have to write one samba implementation for each
> > >
> > > that's unavlidable, michael, which is why i don't understand why
> > you're
> > > going with this alternative impl. to SDs.
> >
> > Why is it unavoidable? In fact, it is impossible to do it any
> > way. If you can write a samba that works on one system and one
> > works on another, you could write one that works on both.
> >
> > > > If the target system support SIDs, what type would uid_t be?
> > would
> > > > we get the SID from the file system? My guess is that a SID
> > filesystem
> > > > have a SURS table and only return uid_t/gid_t to us. In other
> > cases,
> > >
> > > the surs table (controlled by sursswitch.conf) is independent of
> > > filesystem.  it has to be.
> >
> > Which doesn't answer my question, what do we get from the file
> >
> > > > I believe that as long as you don't want to send the ACL to
> > client
> > > > (use it for access checking) no conversion at all will be
> > necessary. I
> > > > think you both obtain uid and all gids in the session setup,
> > hope
> > > > you hang on to them. If so, then no conversion is needed there
> > either.
> > >
> > > and the NET_USER_INFO3 structure, which contains NT user SID, NT
> > primary
> > > group SID and user's NT groups.
> >
> > Are you saying that you are disposing the unix uid and gids? I
> > that each NT user have got a uid. I thought that uid was used to
> > resolve the gids and that all of the uid and gids were resolved to
> > those SIDs you say you have. If you don't save them, maybe you
> > If this is wrong, I'll make an argument for the actual case.
> >
> > > > I see hell for you, Luke, as NT is using the same access bits
> > > > different meaning depending on which object the ACL is
> > >
> > > yes.  however, they are consistent.
> >
> > Would that be in difference to ... what? I don't think I've said
> > anything that would make my SDs/ACLs inconsistent.
> >
> > > you do realise that i can't use your code in, say, samrd,
> > and
> > > maybe winregd, don't you?
> >
> > No.
> >
> > > you do realise i'm still going to need a full, native SD access
> > checking
> > > routine like the one i described last week?
> >
> > No, I don't see why you couldn't use a POSIX based SD checking
> > to check the POSIX user's access to a resource, which is
equivalent to
> > the that of the mapped NT user. I tought we agreed that uid/gid
> > SID is a 1 to 1 mapping. Which is used is thus unimportant, except
> > philosophical reasons.
> >
> > As far as I can see, at this point you are claiming that what I'm
> > doing can't be used, and I can see no reason. I'm afraid I'm too
> > offensive in my argument, but I'm trying to make sure I'm getting
> > points and that you get my points as I mean them.

Could you look through the above text and see if there is anything
left to add or clearify?

On a side note to Timothy D. Cole's mail, I don't think a few
conversions is an enough reason to not just have one ACL/SD system in
samba, but two. I don't know what his ACL/SD system supports (he
didn't say), but if it's done, please use it if you want to (can?).
Jus tell me if you do, I'm getting __really__ tired of writing for
samba (not because I don't like coding).

Best regards
  Michael Stockman
  pgmtekn-micke at

More information about the samba-technical mailing list