ACL database

Jeremy Allison jeremy at
Tue Mar 27 01:05:47 GMT 2001

Jason Haar wrote:
> Can someone comment on the difference between POSIX ACLs support and NT
> ACLs? I mean, I'm hearing VERY LOUDLY here that emulating "full" NT ACLs under
> Samba will be VERY expensive and complex.

POSIX ACLs are sane :-). NT ones aren't :-). It's
actually quite complex; I'm in the process of writing
a white paper to explain how the mapping works and
what it will and won't do.

The main difference is that NT ACLs are order dependent,
POSIX ones aren't.

Under NT, an ACL of

DENY jason (all)
ALLOW everyone (all)

is *completely* different from

ALLOW everyone (all)
DENY jason (all)

Under POSIX they are the same, and mean what
you'd expect (i.e. user jason has no access,
everyone else does). Under NT, the first ACL
will be the same as the POSIX one; in the second
one the DENY will be completely ignored.

> What is missed out on by using POSIX ACLs?

POSIX ACLs only have rwx bits, not all the complex
bits NT ACLs have. But very few people understand
or use the complex bits in NT ACLs, so you won't
be losing much.


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
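
Added example, not part of the original message and not Samba or Windows code: a simplified model of the two evaluation rules, run over the two ACLs quoted above. The function names, the "everyone" trustee string and the POSIX rendering of "DENY jason" as a named user entry with no permissions are assumptions made for the illustration; owner, group and mask entries are left out.

```python
# Added illustration: simplified models, not Samba or Windows code.
ALL = 0b111  # rwx collapsed into a single "all" mask

def nt_check(acl, user, wanted=ALL):
    """Walk (kind, trustee, mask) entries in stored order; first decision wins."""
    remaining = wanted
    for kind, trustee, mask in acl:
        if trustee not in (user, "everyone"):
            continue
        if kind == "DENY" and mask & remaining:
            return False  # a DENY reached before the bits were granted
        if kind == "ALLOW":
            remaining &= ~mask
            if remaining == 0:
                return True  # fully granted; later entries are never read
    return False  # bits never granted are implicitly denied

def posix_check(acl, user, wanted=ALL):
    """Entry type, not position, selects the entry: named user beats other."""
    for tag, qualifier, perms in acl:
        if tag == "user" and qualifier == user:
            return perms & wanted == wanted
    for tag, _, perms in acl:
        if tag == "other":
            return perms & wanted == wanted
    return False

# The two NT ACLs from the message, in the order they were written.
nt_deny_first = [("DENY", "jason", ALL), ("ALLOW", "everyone", ALL)]
nt_allow_first = list(reversed(nt_deny_first))

# Assumed POSIX rendering: "no access for jason" is user:jason:---.
posix_a = [("user", "jason", 0), ("other", None, ALL)]
posix_b = list(reversed(posix_a))

if __name__ == "__main__":
    for name, acl in (("deny first", nt_deny_first), ("allow first", nt_allow_first)):
        print("NT", name, {u: nt_check(acl, u) for u in ("jason", "alice")})
    for name, acl in (("a", posix_a), ("b", posix_b)):
        print("POSIX", name, {u: posix_check(acl, u) for u in ("jason", "alice")})
```

When auditing NT-style ACLs, the stored entry order has to be read along with the entries themselves, since a DENY placed after a matching ALLOW has no effect.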
