Windows/NFSv4 ACL interoperability

J. Bruce Fields bfields at fieldses.org
Sun Mar 12 22:40:35 GMT 2006


Several of us had a conversation about ACL interoperability at
Connectathon the other week, and I just wanted to post some kind of
summary.

Apologies for the cross-posting; this seemed the most efficient way to
reach the people likely to be interested.  Let me know if there's
interest, and I could set up a dedicated mailman list for ACL
discussions.

So I've started gathering what I know here; corrections welcomed:

http://wiki.linux-nfs.org/index.php/ACLs#The_ACL_Interoperability_Problem

An executive summary: the basic problem, shared to some degree by NFSv4
and Samba, is that we'd like to support applications that use both POSIX
and Windows ACLs, and we'd even like to be able to do it from servers
(like Linux) that only support the less-fine-grained POSIX ACLs.  (At
some point that may mean just pushing Windows/NFSv4 ACLs into those
operating systems--I believe OSX, AIX, and Solaris are among those that
are already doing this.)

((There's also a problem that the NFSv4 spec is a little vague about the
semantics of NFSv4 ACLs, and that the ACLs it describes differ slightly
from Windows ACLs--see
http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt for
a proposal to address this).

Some points made by people at the meeting:
	- The problem as stated above is impossible to solve completely.
	  For example, ACLs that represent typical Windows expectations about
	  ALLOW/DENY ace ordering appear to be incompatible with ACLs that
	  represent mode bit semantics accurately.  So we have to be realistic
	  about what we can and can't do, and figure out ways to fail
	  gracefully.
	- Despite the ubiquity and flexibility of Windows ACLs, it may
	  be hard to abandon POSIX ACLs, because they can be somewhat
	  simpler to understand and manipulate, and because some common tools
	  may be starting to support them (e.g., see news about Nautilus ACL
	  support:
	  http://blogs.sun.com/roller/page/alvaro?entry=nautilus_acl_support)

Some resources mentioned at the meeting:
	- rfc3530 section 5.11 describes NFSv4 ACL's:
	  http://www.ietf.org/rfc/rfc3530.txt
	- Windows ACL documentation:
	  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/file_security_and_access_rights.asp
	- withdrawn draft "POSIX" ACL spec:
	  http://wt.xpilot.org/publications/posix.1e/download.html
	- Microsoft documentation on mode bit<->ACL mapping:
	  http://www.microsoft.com/technet/interopmigration/unix/sfu/sfu3perm.mspx
	- Microsoft documentation on preferred ACE ordering:
	  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp
	- Presentation by Jeremy Allison on POSIX<->Windows ACL mapping:
	  http://www.citi.umich.edu/projects/nfsv4/jallison-acl-mapping/jallison-acl-mapping.html
	- POSIX<->NFSv4 mapping, used by Linux and Solaris:
	  http://www.citi.umich.edu/projects/nfsv4/rfc/draft-ietf-nfsv4-acl-mapping-03.txt
	- Documentation of OSX ACLs:
	  http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html
	- Proposed revisions to NFSv4 ACLs, discussion of chmod, mode bit
	  mapping, etc.:
	  http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt

But of course I probably missed some stuff; if you notice anything,
please let me know.

--b.


More information about the samba-technical mailing list