Dynamic groups (was Samba and groups > 16)
Volker Lendecke
Volker.Lendecke at SerNet.DE
Tue Mar 8 14:21:28 GMT 2005
On Tue, Mar 08, 2005 at 09:10:45AM -0500, David Collier-Brown wrote:
> Right now, we have unix permission bits for user,
> group and other, for user, other and a list of groups.
> And it works. We can represent most of the
> access controls that NT does.
No, we can't. Ask Jeremy about mapping Security descriptors to Posix ACLs and
the information loss involved :-)
> So what's wrong with an incremental improvement, from
> permission bits and groups to ACLs which provide
> little more than a fine-grained set of rwx permissions?
The simple fact that the world needs anything but yet-another-acl-model.
We have good support for the limited Posix model, we have good support for AFS
ACLs (see vfs_afsacl.c). When implementing user-space access control I would
*strongly* argue against a new model. Either do Posix ACLs including their
limitations or go all the way down to NT ACLs. BTW, Samba 4 already does NT
ACLs this so there is a model for it available.
Volker
More information about the samba-technical
mailing list