Samba4 Posix NTVFS questions

tridge at samba.org
Sat Nov 6 22:12:38 GMT 2004


Gémes,

 > My question is which one is going to be implemented?

There will be multiple solutions available. Right now the posix NTVFS
is still under development, and doesn't do NT ACLs at all. I expect to
do an initial NT ACL solution soon (next couple of weeks probably).

The initial solution is likely to be storing NT ACLs in xattr blobs,
probably in the "trusted.*" xattr namespace. These will be interpreted
in user space by smbd. The blobs themselves will be NDR encoded. Take
a look at xattr.idl in the current Samba4 source tree for what I have
done with dos attributes and DOS EAs to see what I mean, the NT ACL
solution will be very similar.

The next level of solution will be to have a Linux LSM module that
interprets these xattr blobs in the kernel, and to have calls that
smbd can make to ask the LSM module to set up an NTTOKEN security
context. 

Finally, we may implement a mapping between posix ACLs and NT ACLs,
possibly in parallel with the above schemes. The idea is that if
the last ACL modification made is to the posix ACL then the posix ACL
would be considered the master, and the NT ACL would be derived from
that. If the last ACL modification was to the NT ACL then the reverse
would be true.

The priority for me right now is to build all the infrastructure so
that these different schemes can be implemented. The precise details
of the initial scheme aren't all that important; what is important is
that it is flexible enough to do an extremely close emulation of NT
ACLs, and that we develop test suites that confirm the correct
behaviour. Once one scheme is developed then plugging in a different
scheme will not be difficult.

Cheers, Tridge
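
The "last modification is master" idea from the message above, as an added example that is not part of the original post or of Samba's code: a C model reduced to the owner's entry. The struct, the function names and the rwx-to-generic-mask mapping are assumptions made for illustration; the access-mask values are the real Windows constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows access-mask values (real constants). */
#define FILE_GENERIC_READ    0x00120089u
#define FILE_GENERIC_WRITE   0x00120116u
#define FILE_GENERIC_EXECUTE 0x001200A0u
#define STD_DELETE           0x00010000u  /* DELETE standard right */

enum acl_master { MASTER_POSIX, MASTER_NT };
/* Hypothetical per-file record, reduced to the owner's entry. */
struct file_acl {
    unsigned posix_perm;     /* rwx bits, 0..7 */
    uint32_t nt_mask;        /* mask of the owner's allow ACE */
    enum acl_master master;  /* representation modified last */
};
/* Assumed mapping: each rwx bit grants the matching generic set. */
static uint32_t nt_from_posix(unsigned perm) {
    return ((perm & 4) ? FILE_GENERIC_READ : 0) |
           ((perm & 2) ? FILE_GENERIC_WRITE : 0) |
           ((perm & 1) ? FILE_GENERIC_EXECUTE : 0);
}
/* Lossy reverse: a bit is set only if its whole generic set is granted. */
static unsigned posix_from_nt(uint32_t m) {
    return (((m & FILE_GENERIC_READ) == FILE_GENERIC_READ) ? 4u : 0u) |
           (((m & FILE_GENERIC_WRITE) == FILE_GENERIC_WRITE) ? 2u : 0u) |
           (((m & FILE_GENERIC_EXECUTE) == FILE_GENERIC_EXECUTE) ? 1u : 0u);
}
/* A POSIX-side change makes the POSIX ACL master; the NT ACL is derived. */
struct file_acl set_posix_acl(struct file_acl f, unsigned perm) {
    f.posix_perm = perm & 7;
    f.nt_mask = nt_from_posix(f.posix_perm);
    f.master = MASTER_POSIX;
    return f;
}
/* An NT-side change makes the NT ACL master; the POSIX ACL is derived. */
struct file_acl set_nt_acl(struct file_acl f, uint32_t mask) {
    f.nt_mask = mask;
    f.posix_perm = posix_from_nt(mask);
    f.master = MASTER_NT;
    return f;
}
int main(void) {
    struct file_acl f = set_nt_acl((struct file_acl){0}, FILE_GENERIC_READ | STD_DELETE);
    f = set_posix_acl(f, 4);  /* POSIX-side change: the NT-only DELETE right is dropped */
    printf("master=%d posix=%o nt=0x%08x\n", (int)f.master, f.posix_perm, (unsigned)f.nt_mask);
    return 0;
}
```

In this model a right that has no POSIX equivalent survives only while the NT ACL is master; the next POSIX-side change rebuilds the NT mask from the rwx bits alone.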

