Michael Stockman pgmtekn-micke at
Fri Feb 25 22:56:49 GMT 2000


> > > (Didn't NT also have this unused Alarm-ACL-thingy? Okay,
> > > it's not realy there, so no need to worry.)
> >
> > Yes, NT has it (and doesn't use it). We have it and doesn't use it
> > well as we have and doesn't use audit. When someone think of a
> > way to implement it (for example a DEBUG statement for audit) then
> > have and use it.
> Sounds interesting, but I think, we shouldn't do this
> _now_.

I'm not, I'm just designing in the possibility.

> So when you create NT-SDs back from this, you've got to
> sort the dacl-entries into NT-dacl and NT-sacl.

Maybe. Or we'll just leave them where they are and let the remote
system handle it as well as it can (NT should only ignore the entries,
samba would probably understand them).

> So sacl is more like "admin-acl" ?

That is my perception of how NT does it, although the admin has less

> Two things:
> What does happen to the ACEs in this acl, when you map to
> NT-SDs?
> (In fact, you created something, that most ACLs don't
>  have... so we now have a superset)

Really, I'm reluctant to restricting what info should be evaluated in
an ACL, so I think that if the info is there, it should be evaluated.

> .. I still have to think, wether I like it, or not... Most
> admins (not the good ones) have problems with those things
> and end up doing bad things... and I like the user having
> full control of the acl.

Tell me 'bout it. But teaching people their job is not my job. And
someone with root access can do it all anyway.

> > There is, both owner and primary group. I don't know if the
> > ability to change the dacl is so written in stone that we should
> > it in the code, or if it should be enabled by any of the ACLs.
> I think, it is quite "written in stone". But if you like,
> you could all it do a default racl.

I don't care. Do you want control of this or not, your call? I'm
leaning at it to be written in stone, but it doesn't really affect the

Best regards
  Michael Stockman
  pgmtekn-micke at

More information about the samba-technical mailing list