Can Any one give me some design documents of samba.

Matt Zinkevicius mattzink at qwest.net
Fri Mar 30 07:52:45 GMT 2001


> On Thu, Mar 29, 2001 at 11:29:02PM -0700, Matt Zinkevicius wrote:
>
> > Remember that the NT ACL to POSIX ACL mapping in samba 2.2. is _far_ from
> > perfect. It is as good as it can be (congrats to Jeremy), yet POSIX ACL's
> > simply do not provide for all the security semantics that NT allows for.
>
> This is very true. Now ask how often these semantics are used.

If someone out there uses it, then it must be supported. Of course that's
completely orthogonal to whether we agree with its existence :-)

> > Actually *nix itself doesn't provide granular enough access rights, with
> > plain ol' "rwx". My company is building a storage appliance, and have
> > interviewed many administrators that said it is of extreme importance that
> > the full semantics be supported and enforced properly.
>
> The next question you should ask them is "what are the full semantics ?"
> I would bet *large* amounts of money that none of them could articulate
> them. I'm not trying to be smart here, I genuinely think that NT ACLs
> are so over designed that they're unusable in the real world.

I disagree. POSIX ACL's were designed for files. NT ACL's were designed for
objects. It's only that we are looking at NT ACL's from a storage-centric
viewpoint that we see them as overdesigned. Can you imagine POSIX ACL's
being used to gate access on COM objects? Probably not :-)

> > So I'm being paid to
> > write a patch to samba that does just this :-) It's already about 95%
> > correct. Problems still include permission inheritance and some of the more
> > obscure combinations of access rights. The other ugliness is keeping the NT
> > ACL's somewhat in sync with the unix permissions (using either a daemon or
> > file-system wrapper).
>
> This is good. I'd like to see such a patch - but as you've noticed
> the inheritance is a big problem. Have you done any benchmark after
> using your patch ?

No benchmarks. It shouldn't be too horrible since it doesn't hit my code on
reads or writes. If you are opening/moving/renaming thousands of files at a time
then you'll probably notice a difference ;-)

--Matt "Mr. Smiley" Zinkevicius
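
An added illustration of the NT-to-POSIX mismatch debated in this thread (not code from Samba or from either poster): a simplified mapping that folds an NT access mask into "rwx" and reports which rights are dropped or widened on the round trip. The mapping rule and the function names are assumptions made for the example; the access-mask values are the standard Windows ones.

```c
#include <stdint.h>
#include <stdio.h>

/* NT file access-mask bits (standard Windows values). */
#define FILE_READ_DATA    0x00000001u
#define FILE_WRITE_DATA   0x00000002u
#define FILE_APPEND_DATA  0x00000004u
#define FILE_EXECUTE      0x00000020u
#define NT_DELETE         0x00010000u  /* DELETE */
#define NT_WRITE_DAC      0x00040000u  /* WRITE_DAC */
#define NT_WRITE_OWNER    0x00080000u  /* WRITE_OWNER */

enum { PX_R = 4, PX_W = 2, PX_X = 1 };  /* POSIX permission bits */

/* Assumed mapping for this example: any write-like right becomes 'w'. */
unsigned nt_to_rwx(uint32_t mask) {
    unsigned p = 0;
    if (mask & FILE_READ_DATA) p |= PX_R;
    if (mask & (FILE_WRITE_DATA | FILE_APPEND_DATA)) p |= PX_W;
    if (mask & FILE_EXECUTE) p |= PX_X;
    return p;
}

/* What the POSIX bits grant when read back as an NT mask. */
uint32_t rwx_to_nt(unsigned p) {
    uint32_t m = 0;
    if (p & PX_R) m |= FILE_READ_DATA;
    if (p & PX_W) m |= FILE_WRITE_DATA | FILE_APPEND_DATA;
    if (p & PX_X) m |= FILE_EXECUTE;
    return m;
}

/* Rights in the original ACE that rwx cannot carry (silently dropped). */
uint32_t nt_dropped(uint32_t mask) { return mask & ~rwx_to_nt(nt_to_rwx(mask)); }

/* Rights the round trip grants that the original ACE never did (widening). */
uint32_t nt_widened(uint32_t mask) { return rwx_to_nt(nt_to_rwx(mask)) & ~mask; }

int main(void) {
    uint32_t append_only = FILE_READ_DATA | FILE_APPEND_DATA;         /* constructed sample */
    uint32_t dacl_admin  = FILE_READ_DATA | NT_WRITE_DAC | NT_DELETE; /* constructed sample */
    printf("append-only: rwx=%o dropped=0x%08x widened=0x%08x\n", nt_to_rwx(append_only),
           (unsigned)nt_dropped(append_only), (unsigned)nt_widened(append_only));
    printf("dacl-admin:  rwx=%o dropped=0x%08x widened=0x%08x\n", nt_to_rwx(dacl_admin),
           (unsigned)nt_dropped(dacl_admin), (unsigned)nt_widened(dacl_admin));
    return 0;
}
```

An append-only grant comes back as full write access, while DELETE and WRITE_DAC have no per-entry POSIX bit at all: deletion is governed by the parent directory and changing permissions by ownership.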





More information about the samba-technical mailing list