nigel at veritas.com
Mon Jan 14 12:15:04 GMT 2002
Thanks for the input Steven,
I think I'm right in saying that Samba does not have the server-side
implementation of the nttrans calls required for share management via RAP.
Is that correct?
The ACL management that I was thinking of particularly was that of the share
permissions themselves as opposed to the directory permissions. With level
502 and 1501 it is possible to get/set these permissions.
So in my current implementation you can do the following with rpcclient:
>shareadd TEST_SHARE 502 -r "a comment" -P c:\\temp -s
This however is not suitable for adding/removing ACLs to/from existing
security descriptors. It simply replaces an existing SD or adds a new one.
Although smbcacl style manipulation could easily be added it does not seem
to be the correct place.
I have split out the SD/ACL manipulation code from smbcacls and this could
have a place in the smbclient library. This may go some way towards your
requirements. It certainly simplifies the smbcacls code. I'll think more
I am considering adding a share permissioning option to smbcacls (should
smbcacls just handle files/dirs?) or adding the features to the Samba
net command (this is not present on NT). I could easily do both.
From: samba-technical-admin at lists.samba.org
[mailto:samba-technical-admin at lists.samba.org] On Behalf Of Steven French
Sent: Monday, January 14, 2002 9:45 AM
To: samba-technical at samba.org
Subject: Share management
>From: "Nigel Williams" <nigel at wednesday.demon.co.uk>
>To: <samba-technical at samba.org>
>Subject: command line share management tool
>Date: Fri, 11 Jan 2002 18:46:39 -0800
>I have recently written the additional code required to allow command line
>share management. i.e. enum/add/delete/modify share entries including
>permissioning. I'd like some feedback on what form a share management
>should take. Are people happy to use a combination of rpcclient and
>smbcacls for this or should a separate share management tool be written.
>How much interest would there be in such a tool?
Having a DCE/RPC alternative to the RAP code that net currently calls for
share management of (mostly Windows) servers would be useful (since you may
be able to get at higher level structures than the share_info_2 data
structure) but the share operations are pretty simple conceptually unlike
the access control operations. Whether we should consider access control
management part of share management is more controversial though.
Although it was nice prior to NT4 when you could type something like "NET
ACCESS c:\exports /GRANT user1:R" to give user1 read-access to the path -
having the API work directly on the file or directory object (as it did
since NT4) seems better. Implementing ACL management in a way that would
make it easier to link in (as part of the smbclient library) would be
great. It would make creating a CIFS aware file browser much easier (so
the non-Windows equivalent of the "my computer" and file explorer tools on
Windows could manage ACLs, not just list files and the basic file
attributes). There is some benefit in having the ability to type
something like "NET ACCESSENTRY ADD unc_path user_or_group permissions
acl_type" and that would be nice but it may be oversimplifying the complex
Win2K ACL model and smbcacls does an OK job already - the big hole seems to
be the ability to access control via a decent file/directory browser.
Senior Software Engineer
Linux Technology Center - IBM Austin
email: sfrench at us.ibm.com
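
The distinction drawn in the reply at the top of this page, between writing a whole new security descriptor and adding or removing entries in an existing one, shown as an added example (not code from Samba or from either poster). It models a DACL as ACE strings in the `ACL:name:type/flags/mask` form that smbcacls uses; the trustees, the helper names and the mask-merging rule are assumptions of the example.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    trustee: str
    kind: str   # "ALLOWED" or "DENIED"
    flags: int
    mask: int

def parse_ace(text):
    """Parse one 'ACL:trustee:TYPE/flags/mask' string into an Ace."""
    if not text.startswith("ACL:"):
        raise ValueError("not an ACE string: %r" % text)
    trustee, spec = text[4:].rsplit(":", 1)
    kind, flags, mask = spec.split("/")
    if kind not in ("ALLOWED", "DENIED"):
        raise ValueError("unknown ACE type: %r" % kind)
    return Ace(trustee, kind, int(flags, 0), int(mask, 0))

def canonical(dacl):
    """Explicit DENIED entries go before ALLOWED ones; the sort is stable."""
    return sorted(dacl, key=lambda ace: ace.kind != "DENIED")

def replace_dacl(existing, new_entries):
    """Whole-descriptor write: whatever was in 'existing' is discarded."""
    return canonical(new_entries)

def add_ace(existing, ace):
    """Read-modify-write: keep existing entries, merge or append the new one."""
    key = (ace.trustee, ace.kind, ace.flags)
    out, merged = [], False
    for old in existing:
        if (old.trustee, old.kind, old.flags) == key:
            old, merged = old._replace(mask=old.mask | ace.mask), True
        out.append(old)
    return canonical(out if merged else out + [ace])

def remove_ace(existing, trustee, kind):
    """Drop only the entries for one trustee and type."""
    return [a for a in existing if (a.trustee, a.kind) != (trustee, kind)]

# Constructed sample: share masks for Read, Change and Full Control.
SHARE_READ, SHARE_CHANGE, SHARE_FULL = 0x001200A9, 0x001301BF, 0x001F01FF
CURRENT = [parse_ace(s) for s in (
    r"ACL:EXAMPLE\Domain Admins:ALLOWED/0/0x001F01FF",
    r"ACL:EXAMPLE\staff:ALLOWED/0/0x001200A9")]
NEW = parse_ace(r"ACL:EXAMPLE\contractors:DENIED/0/0x001301BF")
if __name__ == "__main__":
    print("replace:", [a.trustee for a in replace_dacl(CURRENT, [NEW])])
    print("add:    ", [a.trustee for a in add_ace(CURRENT, NEW)])
```

With the replace path the administrators' entry disappears along with everything else, which is why a tool that only replaces the descriptor needs the caller to resend every entry it wants kept.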