Dynamic groups (was Samba and groups > 16)

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Mar 8 07:54:29 GMT 2005


On Mon, Mar 07, 2005 at 12:57:10PM -0500, David Collier-Brown wrote:
> If groups and wimpy Unix permission bits work now, why would you
> need full NT ACLs? Would not ordinary POSIX ones suffice???

The worst limitation of Posix access controls is the missing ability to
delegate the permission to set ACLs to non-root people. Imagine you have a
large file server with lots of group shares. You want to assign a project
leader per group share and give him the ability to set ACLs on his subdirectory
and nowhere else. With Posix this is not possible.

No, I'm not advocating NT ACLs. They can very quickly become an administrative
nightmare. For an example of (IMHO) well-chosen ACL semantics I recommend
looking at AFS.

Volker


More information about the samba-technical mailing list