RFC: Full NT/2K ACL Conformance
José Luis Tallón
jltallon at adv-solutions.net
Wed Jun 18 14:49:24 GMT 2003
( I have posted a quite similar message to the "users" list, but it looks
like it got lost in the noise :-| )
*Background:
We are planning to replace a quite big domain running W2K Server with
Samba ( at the very least, the DC ), since we have had quite a nightmare
due to a corruption of ADS :-|
Though I'd love to have the extra security capabilities of W2K ( Kerberos )
as a DC, Samba/NT4 as PDC/BDC with ldapsam will more than suffice for now.
*Requirements:
We need to be able to assign "real" Full Control permissions: a user who
has "Full control" on a directory should be able to Read, Write, eXecute (
of course) [ this can be easily achieved with ACLs ] *plus* being able to
give away Full Control to other users too [ being able to override
inherited ACLs would be a plus, too ].
*Question: Is this feasible (remember smbd runs as root... )? Has somebody
thought about implementing this ?
*Possible Solution:
Seems like every implementation of ACL comes together with Extended
Attributes support ( at least Ext2/ext3, XFS, ReiserFS ). Any exceptions ?
How about using one EA to map some Windows' attributes ? Full Control,
maybe Archive ( though it can be emulated through ctime/atime/mtime ),
Change Only, come in a first pass over this. EA "samba.NTpermissions" ???
Being quite fluent in C/C++ both in Un*x as well as Win32 I don't mind
coding whatever is needed to achieve this, provided it is indeed possible.
If not, some suggestions/comments ( or even an approximate timeline for
implementation! ;) ) would be more than welcome.
Thanks in advance everybody.
Keep up the good work, Samba Team!
Kind regards,
J.L.
More information about the samba-technical mailing list