RFC: Full NT/2K ACL Conformance

José Luis Tallón jltallon at adv-solutions.net
Wed Jun 18 14:49:24 GMT 2003


( I have posted a quite similar message to the "users" list, but it looks 
like it got lost in the noise :-| )

*Background:
	We are planning to replace a quite big domain running W2K Server with 
Samba ( at the very least, the DC ), since we have had quite a nightmare 
due to a corruption of ADS :-|
Though i'd love to have the extra security capabilities of W2K ( Kerberos ) 
as a DC, Samba/NT4 as PDC/BDC with ldapsam will more than suffice for now.


*Requirements:
	We need to be able to assign "real" Full Control permissions: a user who 
has "Full control" on a directory should be able to Read, Write, eXecute ( 
of course) [ this can be easily achieved with ACLs ]  *plus*  being able to 
give away Full Control to other users too [ being able to override 
inherited ACLs would be a plus, too ].


*Question: Is this feasible (remember smbd runs as root... )? Has somebody 
though about implementing this ?

*Possible Solution:
  Seems like every implementation of ACL comes together with Extended 
Attributes support ( at least Ext2/ext3, XFS, ReiserFS ). Any exceptions ?
  How about using one EA to map some Windows' attributes ? Full Control, 
maybe Archive ( though it can be emulated through ctime/atime/mtime ), 
Change Only, come in a first pass over this. EA "samba.NTpermissions" ???



Being quite fluent in C/C++ both in Un*x as well as Win32 I don't mind 
coding whatever is needed to achieve this, provided it is indeed possible. 
If not, some suggestions/comments ( or even an approximate timeline for 
implementation!  ;)  ) would be more than welcome.



Thanks in advance everybody.
Keep the good work, Samba Team!



Kind regards,
	J.L.




More information about the samba-technical mailing list