Full NT/2K ACL Conformance

ZINKEVICIUS,MATT (HP-Loveland,ex1) matt.zinkevicius at hp.com
Wed Jun 18 17:16:53 GMT 2003


Hi Jose,
You might want to check out my "NT Security Semantics" patch I published a
while back:
http://lists.samba.org/pipermail/samba-technical/2002-April/035899.html

It puts NT ACLs into extended attributes, implements proper ACL inheritance,
and uses NT semantics to gate access. The version listed above is pretty old
though. I've been porting it to Samba 3 but it's hard to complete when they
change the VFS on a weekly basis :-) I'll post the Samba 3 version as soon
as more testing is completed on it here.

Matt Zinkevicius
Software Engineer
Network Storage Array Solutions
Hewlett-Packard

> -----Original Message-----
> From: José Luis Tallón [mailto:jltallon at adv-solutions.net]
> Sent: Wednesday, June 18, 2003 8:49 AM
> To: samba-technical at lists.samba.org
> Subject: RFC: Full NT/2K ACL Conformance
> 
> 
> ( I have posted a quite similar message to the "users" list, but it
> looks like it got lost in the noise :-| )
> 
> *Background:
> 	We are planning to replace a quite big domain running W2K Server
> with Samba ( at the very least, the DC ), since we have had quite a
> nightmare due to a corruption of ADS :-|
> Though I'd love to have the extra security capabilities of W2K
> ( Kerberos ) as a DC, Samba/NT4 as PDC/BDC with ldapsam will more than
> suffice for now.
> 
> 
> *Requirements:
> 	We need to be able to assign "real" Full Control permissions: a
> user who has "Full control" on a directory should be able to Read,
> Write, eXecute ( of course) [ this can be easily achieved with ACLs ]
> *plus* being able to give away Full Control to other users too [ being
> able to override inherited ACLs would be a plus, too ].
> 
> 
> *Question: Is this feasible (remember smbd runs as root... )? Has
> somebody thought about implementing this ?
> 
> *Possible Solution:
>   Seems like every implementation of ACL comes together with Extended
> Attributes support ( at least Ext2/ext3, XFS, ReiserFS ). Any
> exceptions ?
>   How about using one EA to map some Windows' attributes ? Full
> Control, maybe Archive ( though it can be emulated through
> ctime/atime/mtime ), Change Only, come in a first pass over this. EA
> "samba.NTpermissions" ???
> 
> 
> 
> Being quite fluent in C/C++ both in Un*x as well as Win32 I don't mind
> coding whatever is needed to achieve this, provided it is indeed
> possible. If not, some suggestions/comments ( or even an approximate
> timeline for implementation!  ;)  ) would be more than welcome.
> 
> 
> 
> Thanks in advance everybody.
> Keep up the good work, Samba Team!
> 
> 
> 
> Kind regards,
> 	J.L.
> 
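
An added illustration, not part of this thread and not code from Matt's patch or from Samba: a minimal C sketch of what "NT semantics to gate access" and "proper ACL inheritance" mean for the Full Control requirement, where the ability to give rights away is the WRITE_DAC bit that POSIX rwx ACLs cannot express. The function names, the integer stand-ins for SIDs and the sample ACL are assumptions made for the example, and the owner's implicit rights are not modelled.

```c
#include <stddef.h>
#include <stdint.h>
/* Access-mask and ACE-flag values as defined in winnt.h. */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define WRITE_DAC             0x00040000u /* may rewrite the ACL itself */
#define FILE_ALL_ACCESS       0x001F01FFu /* "Full Control" */
#define CONTAINER_INHERIT_ACE 0x02u
#define INHERIT_ONLY_ACE      0x08u
#define INHERITED_ACE         0x10u
enum ace_type { ACE_ALLOW, ACE_DENY };
/* Simplification: a SID is a small integer here, not a real SID. */
struct ace { enum ace_type type; uint8_t flags; uint32_t sid, mask; };
/* Constructed sample ACL for a directory; the SIDs are made up. */
static const struct ace SAMPLE_ACL[] = {
    { ACE_DENY,  0, 2000, FILE_WRITE_DATA },
    { ACE_ALLOW, CONTAINER_INHERIT_ACE, 1001, FILE_ALL_ACCESS },
    { ACE_ALLOW, CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE, 3000, FILE_READ_DATA },
};

/* Ordered walk: a DENY on a still-needed bit refuses, ALLOWs accumulate. */
int nt_access_check(const struct ace *acl, size_t n_aces,
                    const uint32_t *sids, size_t n_sids, uint32_t desired) {
    uint32_t remaining = desired;
    for (size_t i = 0; i < n_aces && remaining; i++) {
        int held = 0;
        for (size_t j = 0; j < n_sids; j++) held |= (sids[j] == acl[i].sid);
        if (!held || (acl[i].flags & INHERIT_ONLY_ACE)) continue;
        if (acl[i].type == ACE_DENY && (acl[i].mask & remaining)) return 0;
        if (acl[i].type == ACE_ALLOW) remaining &= ~acl[i].mask;
    }
    return remaining == 0;
}

/* New subdirectory: copy CONTAINER_INHERIT ACEs and make them effective. */
size_t nt_inherit_dir(const struct ace *parent, size_t n, struct ace *child) {
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(parent[i].flags & CONTAINER_INHERIT_ACE)) continue;
        child[out] = parent[i];
        child[out].flags &= (uint8_t)~INHERIT_ONLY_ACE;
        child[out++].flags |= INHERITED_ACE;
    }
    return out;
}

int main(void) { /* exit status 0 when SID 1001 may rewrite the ACL */
    uint32_t user[] = { 1001 };
    return !nt_access_check(SAMPLE_ACL, 3, user, 1, WRITE_DAC);
}
```

Because smbd runs as root, a check of this kind has to be made by the server itself before it touches the file; the kernel's own permission check will not refuse anything.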


