Windows/NFSv4 ACL interoperability
christophk at cip.wiwi.uni-karlsruhe.de
Tue Mar 14 11:59:30 GMT 2006
On Tue, Mar 14, 2006 at 10:31:43PM +1100, tridge at samba.org wrote:
> > I think you are missing one distinctive difference in the semantics of
> > nfsv4 and windows acl: inheritance! afaik nfsv4 uses static inheritance
> > (acls are inherited only at file creationt time) and windows uses a
> > semi-dynamic model (acls are inherited at the time they are set).
> > Applications that rely on one behaviour may do strange things!
> I am a little skeptical about this. I know that Microsoft docs talk
> about this type of dynamic inheritance, but when I went to implement
> it in Samba4 I failed to reproduce it in windows->windows testing
> (using win2003). What I saw instead was that the windows client would
> walk the file tree under the directory and update the ACLs manually
> guided by the various inheritance flags.
> Try as I might to make windows do true dynamic inheritance, where an
> update to a directory acl is immediately visible elements within the
> directory without a tree walk I didn't see it.
Yes, we are taliking about the same thing. Thats why i said semi-dynamic
and applied at the time the ace is set, and not when the actual access
check happens! But as this behaviour is not exposed to the windows user (he
always has the feeling he's working on a fully dynamic inheritng fs),
and should be obeyed by applications (don't allows users to delete
inherited aces and propagate new aces in the tree) this makes no difference.
More information about the samba-technical