svn commit: samba r17353 - in branches/SAMBA_3_0: examples examples/gpfs source source/modules source/smbd

Peter Somogyi psomogyi at gamax.hu
Wed Aug 2 09:55:32 GMT 2006


On Wednesday 02 August 2006 11:12, Alexander Bokovoy wrote:
> consistent (all other functions accept SMB_STRUCT_STAT* as its second
> parameter). Am I correct?
Okay, this change wasn't _really_ necessary, I just don't like passing any 
parameter which I don't know what it is for (not used), and want to prevent 
changing it.

> I'm looking forward to more info from Peter. The code was reviewed by
> Volker.

The code has separated NFS4<-->windows ACL mapping logic (nfs4_acls.c) which 
should be used by every NFS4 ACL mapper module (e.g. vfs_aixacl2.c for JFS2).
Such modules should implement only mapping between this "common" NFS4 
interface (nfs4_acls.h) and "native" data structures.

Here is a short description of the mapping between NFS4 ACLs <--> Windows ACLs:

1. ACE types: DENY & ALLOW are currently supported. (AUDIT & ALARM are not)

2. Permission masks: 1:1 mapped to Windows (by value) - each perm is used on 
the NFS4 ACL side, but Windows generic rights are currently not mapped.

3. Inheritance flags:
ACE4_FILE_INHERIT_ACE = SEC_ACE_FLAG_OBJECT_INHERIT
ACE4_DIRECTORY_INHERIT_ACE = SEC_ACE_FLAG_CONTAINER_INHERIT
ACE4_NO_PROPAGATE_INHERIT_ACE  = SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
ACE4_INHERIT_ONLY_ACE = SEC_ACE_FLAG_INHERIT_ONLY
ACE4_IDENTIFIER_GROUP -> special meaning in NFSv4 (= ace.who is a group)
SEC_ACE_FLAG_INHERITED_ACE -> not mapped (no corresponding flag in NFS4)
Others are not supported (yet) because AUDIT & ALARM are not supported (yet).

4. Who field: currently every SID needs to be mappable within samba to a local 
GID or UID except global_sid_World (which is mapped to @Everyone), otherwise 
the ACL is rejected with an error. (even if the underlying filesystem supports 
having an unknown who)

Any comments appreciated.

-- 
Peter Somogyi
Gamax Kft
Bartok Bela ut 15/D
H-1114, Budapest, Hungary
e-mail: psomogyi at gamax.hu
phone: +36 1 382 5469
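
Added example, not part of the original mail and not the code in nfs4_acls.c: a table-driven C sketch of the ACE type check (item 1) and the inheritance-flag mapping (item 3) in both directions. The function names are hypothetical, the constants use the RFC 3530 and Windows ACE flag values, and rejecting unsupported NFS4 flags rather than ignoring them is an assumption.

```c
#include <stdint.h>
/* NFSv4 ACE types and flags (RFC 3530 values). */
#define ACE4_ACCESS_ALLOWED_ACE_TYPE  0u
#define ACE4_ACCESS_DENIED_ACE_TYPE   1u
#define ACE4_FILE_INHERIT_ACE         0x01u
#define ACE4_DIRECTORY_INHERIT_ACE    0x02u
#define ACE4_NO_PROPAGATE_INHERIT_ACE 0x04u
#define ACE4_INHERIT_ONLY_ACE         0x08u
#define ACE4_IDENTIFIER_GROUP         0x40u
/* Windows ACE flags under the SEC_ACE_FLAG_* names used in the mail. */
#define SEC_ACE_FLAG_OBJECT_INHERIT       0x01u
#define SEC_ACE_FLAG_CONTAINER_INHERIT    0x02u
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x04u
#define SEC_ACE_FLAG_INHERIT_ONLY         0x08u
#define SEC_ACE_FLAG_INHERITED_ACE        0x10u

/* Item 3 of the mail as a table; both directions walk it. */
static const struct { uint32_t nfs4; uint32_t win; } flag_map[] = {
    { ACE4_FILE_INHERIT_ACE,         SEC_ACE_FLAG_OBJECT_INHERIT },
    { ACE4_DIRECTORY_INHERIT_ACE,    SEC_ACE_FLAG_CONTAINER_INHERIT },
    { ACE4_NO_PROPAGATE_INHERIT_ACE, SEC_ACE_FLAG_NO_PROPAGATE_INHERIT },
    { ACE4_INHERIT_ONLY_ACE,         SEC_ACE_FLAG_INHERIT_ONLY },
};
#define N_FLAGS (sizeof(flag_map) / sizeof(flag_map[0]))

/* NFS4 -> Windows. Returns 0, or -1 for an ACE type or flag outside the
 * supported set (AUDIT/ALARM); failing closed here is an assumption. */
int nfs4_ace_to_win(uint32_t type, uint32_t nfs4, uint32_t *win, int *is_group)
{
    uint32_t known = ACE4_IDENTIFIER_GROUP, out = 0;
    if (type != ACE4_ACCESS_ALLOWED_ACE_TYPE && type != ACE4_ACCESS_DENIED_ACE_TYPE)
        return -1;
    for (unsigned i = 0; i < N_FLAGS; i++) {
        known |= flag_map[i].nfs4;
        if (nfs4 & flag_map[i].nfs4) out |= flag_map[i].win;
    }
    if (nfs4 & ~known) return -1;
    *win = out;
    *is_group = (nfs4 & ACE4_IDENTIFIER_GROUP) != 0; /* not an inherit flag */
    return 0;
}

/* Windows -> NFS4. SEC_ACE_FLAG_INHERITED_ACE has no NFS4 flag and is dropped. */
uint32_t win_flags_to_nfs4(uint32_t win, int who_is_group)
{
    uint32_t out = who_is_group ? ACE4_IDENTIFIER_GROUP : 0;
    for (unsigned i = 0; i < N_FLAGS; i++)
        if (win & flag_map[i].win) out |= flag_map[i].nfs4;
    return out;
}
```

Because SEC_ACE_FLAG_INHERITED_ACE is dropped on the way in, an ACL written from Windows and read back no longer distinguishes inherited ACEs from explicit ones.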

