ACL database

Richard Sharpe sharpe at
Tue Mar 27 03:35:29 GMT 2001

At 08:05 PM 3/26/01 -0500, Jeremy Allison wrote:
>Jason Haar wrote:
>> Can someone comment on the difference between POSIX ACLs support and NT
>> ACLs? I mean, I'm hearing VERY LOUDLY here that emulating "full" NT ACLs
>> Samba will be VERY expensive and complex.
>POSIX ACLs are sane :-). NT ones aren't :-). It's 
>actually quite complex, I'm in the process of writing
>a white paper to explain how the mapping works and
>what it will and won't do.
>The main difference is that NT ACLs are order dependent,
>POSIX ones aren't.
>Under NT, an ACL of
>DENY jason (all)
>ALLOW everyone (all)
>is *completely* different from
>ALLOW everyone (all)
>DENY jason (all)

Hmmm, I think that VMS did this as well. However, I am too lazy to go
upstairs and pull out the VMS doco I have :-)

>Under POSIX they are the same, and mean what
>you'd expect (ie. user jason has no access,
>everyone else does). Under NT, the first ACL
>will be the same as the POSIX one, in the second
>one the DENY will be completely ignored.
>> What is missed out on by using POSIX ACLs?
>POSIX ACLs only have rwx bits, not all the complex
>bits NT ACLs have. But very few people understand
>or use the complex bits in NT ACLs, so you won't
>be losing much.

This, too, reflects the VMS heritage in Windows NT, in my view :-)

>Buying an operating system without source is like buying
>a self-assembly Space Shuttle with no instructions.

Richard Sharpe, sharpe at
Samba (Team member,, Ethereal (Team member,
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba

More information about the samba-technical mailing list