Dynamic groups (was Samba and groups > 16)

David Collier-Brown David.Collier-Brown at Sun.COM
Tue Mar 8 14:10:45 GMT 2005


David Collier-Brown wrote:
> | If groups and wimpy Unix permission bits work now, why would you
> | need full NT ACLs? Would not ordinary POSIX ones suffice???
> 
Gerald (Jerry) Carter wrote:

> Volker's saying that unless we go to userspace access
> checks using the full NT_USER_TOKEN (which is not limited
> by the OS), you are out of luck.  If we went this way, we might as well
> make everything on the file system owned as root and store
> the real NT ACL in EAs.

	I was actually asking a different question...

	Right now, we have unix permission bits for user,
	group and other, for user, other and a list of groups.
	And it works.  We can represent most of the 
	access controls that NT does.

	We certainly could use more capabilities: Volker's
	"707" (negative ACL) and excessive-power-of-root
	criticisms are valid, but they don't keep us from
	supporting large NT and AD sites.  

	So what's wrong with an incremental improvement, from
	permission bits and groups to ACLs which provide
	little more than a fine-grained set of rwx permissions?


--dave
[The French have a proverb, "the best is often the enemy of the good"]
-- 
David Collier-Brown,      | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb at canada.sun.com     |                      -- Mark Twain
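
One reading of the "707" case mentioned in the message above, as an added example (not part of the original post and not Samba code): with classic mode bits exactly one class (owner, group, other) decides, so mode 0707 denies members of the file's group while allowing everyone else, and a credential that loses that group gains access. The uids, gids and the 16-group cap are constructed assumptions; root's bypass is not modelled.

```python
R, W, X = 4, 2, 1

def mode_allows(mode, file_uid, file_gid, uid, gids, want):
    """Classic Unix check: the first matching class decides, no fall-through."""
    if uid == file_uid:
        bits = (mode >> 6) & 7      # owner class
    elif file_gid in gids:
        bits = (mode >> 3) & 7      # group class (may grant less than "other")
    else:
        bits = mode & 7             # other class
    return (bits & want) == want

# Constructed sample file: owner uid 1000, group gid 5000, mode 0707.
FILE = {"mode": 0o707, "file_uid": 1000, "file_gid": 5000}

def check(uid, gids, want=R):
    """Evaluate a read (by default) request against the sample file."""
    return mode_allows(FILE["mode"], FILE["file_uid"], FILE["file_gid"],
                       uid, gids, want)

def truncate_groups(gids, limit=16):
    """Model a credential that can hold only `limit` groups (assumed cap)."""
    return list(gids)[:limit]

def demo():
    outsider = check(2000, [100])             # not in group 5000
    member = check(2001, [100, 5000])         # in group 5000
    # Constructed user in 20 groups; the file's group is the 20th entry.
    many = list(range(100, 119)) + [5000]
    full = check(2002, many)                  # complete group list
    cut = check(2002, truncate_groups(many))  # group 5000 dropped by the cap
    return outsider, member, full, cut

if __name__ == "__main__":
    labels = ("outsider", "group member", "20 groups (full)", "20 groups (cut to 16)")
    for label, allowed in zip(labels, demo()):
        print(f"{label:24} read allowed: {allowed}")
```
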

