Can Any one give me some design documents of samba.

Jeremy Allison jeremy at valinux.com
Fri Mar 30 07:05:22 GMT 2001


On Thu, Mar 29, 2001 at 11:29:02PM -0700, Matt Zinkevicius wrote:

> Remember that the NT ACL to POSIX ACL mapping in samba 2.2 is _far_ from
> perfect. It is as good as it can be (congrats to Jeremy), yet POSIX ACL's
> simply do not provide for all the security semantics that NT allows for.

This is very true. Now ask how often these semantics are used.

> Actually *nix itself doesn't provide granular enough access rights, with
> plain ol' "rwx". My company is building a storage appliance, and have
> interviewed many administrators that said it is of extreme importance that
> the full semantics be supported and enforced properly.

The next question you should ask them is "what are the full semantics ?"
I would bet *large* amounts of money that none of them could articulate
them. I'm not trying to be smart here, I genuinely think that NT ACLs
are so over designed that they're unusable in the real world.

> So I'm being paid to
> write a patch to samba that does just this :-) It's already about 95%
> correct. Problems still include permission inheritance and some of the more
> obscure combinations of access rights. The other ugliness is keeping the NT
> ACL's somewhat in sync with the unix permissions (using either a daemon or
> file-system wrapper).

This is good. I'd like to see such a patch - but as you've noticed
the inheritance is a big problem. Have you done any benchmark after
using your patch ?

> I would steer clear of using samba 2.0. From a developer's standpoint you'll
> find it much easier to do your work using samba 2.2's (or HEAD's) VFS layer,
> easy data marshalling, and built in database (tdb). It's quite stable from
> our tests as well.

Thanks - the devil is in the details of course :-).

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
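
An added illustration of the mapping gap discussed in this thread (not part of the original message, and not Samba's code): a round trip of an NT file access mask through "rwx" shows which rights cannot survive. The bit values are the standard winnt.h file access rights; the grouping of NT bits under each POSIX permission and the "never over-grant" policy are simplifying assumptions made for this example.

```python
# NT file access-mask bits (values as defined in winnt.h).
NT_BITS = {
    "FILE_READ_DATA": 0x0001, "FILE_WRITE_DATA": 0x0002,
    "FILE_APPEND_DATA": 0x0004, "FILE_READ_EA": 0x0008,
    "FILE_WRITE_EA": 0x0010, "FILE_EXECUTE": 0x0020,
    "FILE_DELETE_CHILD": 0x0040, "FILE_READ_ATTRIBUTES": 0x0080,
    "FILE_WRITE_ATTRIBUTES": 0x0100, "DELETE": 0x00010000,
    "READ_CONTROL": 0x00020000, "WRITE_DAC": 0x00040000,
    "WRITE_OWNER": 0x00080000,
}

# Assumed (hypothetical) grouping of NT bits under each POSIX permission.
POSIX_GROUPS = {
    "r": ("FILE_READ_DATA", "FILE_READ_EA", "FILE_READ_ATTRIBUTES", "READ_CONTROL"),
    "w": ("FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA", "FILE_WRITE_ATTRIBUTES"),
    "x": ("FILE_EXECUTE",),
}

def group_mask(perm):
    """OR together the NT bits assumed to sit behind one POSIX permission."""
    mask = 0
    for name in POSIX_GROUPS[perm]:
        mask |= NT_BITS[name]
    return mask

def nt_to_posix(mask):
    """Grant r/w/x only if every NT bit in its group is present (never over-grant)."""
    return "".join(p if mask & group_mask(p) == group_mask(p) else "-" for p in "rwx")

def posix_to_nt(perms):
    """Expand an 'rwx'-style string back into the NT bits it stands for."""
    mask = 0
    for p in perms:
        if p != "-":
            mask |= group_mask(p)
    return mask

def round_trip(mask):
    """Return (posix string, names of NT rights lost on the way back)."""
    perms = nt_to_posix(mask)
    lost = mask & ~posix_to_nt(perms)
    return perms, [name for name, bit in NT_BITS.items() if lost & bit]

if __name__ == "__main__":
    # Constructed sample ACE: read access plus append-only write (e.g. a log file).
    append_only = group_mask("r") | NT_BITS["FILE_APPEND_DATA"]
    print(round_trip(append_only))
```

With the opposite policy (grant "w" if any write bit is set) nothing is dropped, but the append-only user silently gains overwrite rights, which is the worse failure for an access control system.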



