[nfsv4] Windows/NFSv4 ACL interoperability

Roche_Francois at emc.com Roche_Francois at emc.com
Tue Mar 14 08:42:07 GMT 2006

Windows servers are walking ACL once, in the same order than the aces are
stored. However most client applications will expect that the aces are
sorted in the following order:

1) Explicit denied aces
2) Explicit allow aces
3) Inherited denied aces
4) Inherited allow aces

If the server doesn't return aces in that order then some applications will
get into trouble. For instance with explorer on windows NT I remember you
will then have a popup windows saying that there is something wrong so you
need to discard all aces or it will reorder them automatically. This is only
one example among others.
In general windows clients are not very tolerant with such things unlike
server side which is.

-----Original Message-----
From: Volker Lendecke [mailto:vlendec at SerNet.DE] On Behalf Of Volker
Sent: mardi 14 mars 2006 08:51
To: J. Bruce Fields
Cc: Yoder, Alan; Gardere, Daniel; samba-technical at lists.samba.org;
nfsv4 at ietf.org; Roche, Francois
Subject: Re: [nfsv4] Windows/NFSv4 ACL interoperability

On Mon, Mar 13, 2006 at 10:19:22PM -0500, J. Bruce Fields wrote:
> Yeah, that's my understanding too.

The one thing that I'd have to verify by experimentation is
whether is Windows walks the ACL twice: Once only looking
for negative entries and once for the positive ones. Reading
the user-level docs it seems that negative ones are looked
at first, but this might be because all GUIs order them.


More information about the samba-technical mailing list