samba-technical Digest, Vol 39, Issue 17

Tony Bencivenga tbencivenga at simpletech.com
Tue Mar 14 19:24:57 GMT 2006


Guys and Gals.. 

I have 15 servers all working so nice before sp1 2003 server.

Now i am dead in the water due to this sp1.

Problem:

Group I say it again GROUP authentication stops working in all versions
of samba up to the current version on the shares.

I can wbinfo all day long, no problem. I cannot connect to a share with
group permissions from the 2003 server on sp1.

I even loaded a fresh box with the latest and greatest krb5 / pam /
samba and still no luck. This is starting to frustrate me, and I am not
going to be able to add shares with ads on users; that would kill me.

Any help or know why this is please let me know.


On Tue, 2006-03-14 at 04:07 -0800,
samba-technical-request at lists.samba.org wrote:
> Send samba-technical mailing list submissions to
>         samba-technical at lists.samba.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.samba.org/mailman/listinfo/samba-technical
> or, via email, send a message with subject or body 'help' to
>         samba-technical-request at lists.samba.org
> 
> You can reach the person managing the list at
>         samba-technical-owner at lists.samba.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of samba-technical digest..."
> 
> 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > Jerry,
> > 
> >  > Have you ever run across production uses of security = share
> >  > for something other than guest access?
> > 
> > yes, I have, but not recently :-)
> > 
> > 'security = share' was the only option in Samba for a while (up to
> > version 1.6), and it was also the default until quite recently (did
> > we change that in 2.2?).
> > 
> > So heaps of people used it in production, and that makes me a bit
> > nervous about removing it. I agree that it should be deprecated, and
> > I guess we took the first step towards that when we made security=user
> > the default.
> > 
> > I wonder if there are many sites left that use the really ancient
> > clients like the old DOS6 and pathworks clients? It might be worth
> > testing those to make sure they don't break. I know the earliest
> > versions of smbclient didn't support user level security (that was
> > added in 1.5.31), and it may be that some early commercial clients
> > didn't either.
> > 
> > On the other hand, we haven't added share level security to Samba4
> > yet, and nobody has complained :-)
> > 
> > Cheers, Tridge
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Hi Vance,
> > 
> > can you have a look at build.pl it doesn't like:
> > 
> > - --==--==--==--==--==--==--==--==--==--==--
> > Running test Testing remote ->local copy (level 0 stdout)
> > - --==--==--==--==--==--==--==--==--==--==--
> > 
> > because of the '>'...
> > 
> > can you or someone else take a look at it, thanks!
> > 
> > metze
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.0 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > 
> > iD8DBQFEFZZmm70gjA5TCD8RAu/gAKC3ZYGc/2JBsLq1rwox3oMBlTq9gACcCmuU
> > zrCOCfvyJC3GHtKyQVzKb70=
> > =i5wz
> > -----END PGP SIGNATURE-----
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Mon, Mar 13, 2006 at 03:24:36PM +0000, idra at samba.org wrote:
> > > Backout latest changes as Volker requested.
> > 
> > Thanks :-)
> > 
> > As I said in private mail, let us mature this a bit on
> > samba-technical at samba.org first.
> > 
> > Volker
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Mon, Mar 13, 2006 at 04:10:28PM +0000, lmuelle at samba.org wrote:
> > > Author: lmuelle
> > > Date: 2006-03-13 16:10:26 +0000 (Mon, 13 Mar 2006)
> > > New Revision: 14325
> > > 
> > > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14325
> > > 
> > > Log:
> > > Add pam_modules rule which builds the configure(d) pam modules.  This is
> > > called as part of the all rule (again only if pam modules are requested
> > > by configure).
> > > 
> > > Add pam_winbind rule.
> > > 
> > > Ensure proto_exists before we build the pam modules.
> > > 
> > > Add test_pam_modules rule to test if the built pam modules have any
> > > unresolved symbols.  For test_pam_modules we use script/tests/dlopen.sh
> > > which was written by Nalin Dahyabhai <nalin at redhat.com>.  Thanks Nalin!
> > > RedHat and SuSE have used this script to test nss and pam modules for
> > > several years.
> > 
> > I'd like to change the default for both pam modules on a pam aware
> > system to yes.  Plus running test_pam_modules by default.  The
> > intention is to get aware of undefined symbols as soon as possible.
> > 
> > Lars
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Mon, Mar 13, 2006 at 06:43:34PM +0100, Lars Müller wrote:
> > > I'd like to change the default for both pam modules on a pam aware
> > > system to yes.  Plus running test_pam_modules by default.  The
> > > intention is to get aware of undefined symbols as soon as possible.
> > 
> > I haven't really followed it... I'm fine with building them
> > by default, what I would probably not like is 'make install'
> > to put them into /lib/security. This should be left to the
> > admin.
> > 
> > Volker
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Mon, 2006-03-13 at 14:22 +0000, lmuelle at samba.org wrote:
> > > Author: lmuelle
> > > Date: 2006-03-13 14:22:43 +0000 (Mon, 13 Mar 2006)
> > > New Revision: 14317
> > > 
> > > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14317
> > > 
> > > Log:
> > > Use source/bin as dir to link pam_winbind instead of source/nsswitch/
> > 
> > Which reminds me:  We need to be careful to remove the GPL dependency of
> > the new pam_winbind, or correctly label it as a GPL'ed PAM module.
> > 
> > Andrew Bartlett
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > Hi, all.
> > 
> > Since I've been such a bum with regard to SWAT development in
> > Samba4,
> > I thought it best to give everyone a head's up about what I'm doing.
> > 
> > I've got a lot going on right now at work, which is actually cool.
> > I'm getting to work on some interesting things.  Combine work with
> > the
> > book I'm doing and general samba.org maintenance, and I just can't
> > find time to get to SWAT.  I know we had some others express an
> > interest in SWAT at linux.conf.au, so I'd rather get out of the way
> > and give someone a chance to jump in.
> > 
> > There's a lot I'd like to do with SWAT, but I need to be real with
> > myself about what I can actually get done. :-)
> > 
> > Cheers,
> > deryck
> > 
> > --
> > Deryck Hodge
> > http://www.devurandom.org/
> > http://www.samba.org/
> > 
> > "Aimless days, uncool ways of decathecting" --Mike Doughty (2005)
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Mon, 2006-03-13 at 23:07 +0000, jra at samba.org wrote:
> > > Author: jra
> > > Date: 2006-03-13 23:07:14 +0000 (Mon, 13 Mar 2006)
> > > New Revision: 14353
> > > 
> > > WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14353
> > > 
> > > Log:
> > > Fix coverity bugs #61 and #62. Remember to divide by
> > > the size of the data table. Clean up the struct a little.
> > > Jeremy.
> > 
> > Samba4 seems to use an ARRAY_SIZE macro for this, to avoid this lovely
> > little trap :-)
> > 
> > Andrew Bartlett
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Mon, Mar 13, 2006 at 07:33:17PM +0100, Volker Lendecke wrote:
> > > On Mon, Mar 13, 2006 at 06:43:34PM +0100, Lars Müller wrote:
> > > > I'd like to change the default for both pam modules on a pam aware
> > > > system to yes.  Plus running test_pam_modules by default.  The
> > > > intention is to get aware of undefined symbols as soon as possible.
> > > 
> > > I haven't really followed it... I'm fine with building them
> > > by default, what I would probably not like is 'make install'
> > > to put them into /lib/security.
> > 
> > The plan is to use the same path as sbindir which you can override with
> > --with-pammodulesdir while configure.  Mostly the same as with
> > --with-rootsbindir.
> > 
> > By default we have to use something which includes our prefix as we else
> > can not install it into (and run it from) a userdir.  Which is the case
> > for the buildfarm for example.
> > 
> > > This should be left to the admin.
> > 
> > But you're fine to use sbindir?
> > 
> > Lars
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > I don't have time for a detailed discussion today,
> > but will note the following.
> > 
> > During the NFSv4 ACL spec writeup, I questioned the
> > lack of ordering requirements for ALLOW and DENY.
> > Carl Beame demonstrated to my satisfaction that
> > Windows NT servers did not at that time enforce
> > any such thing, and that the requirement is (was?)
> > entirely client-side in Windows.
> > 
> > 
> > I hope this is germane to the discussion; apologies
> > if not.
> > 
> > Alan
> > 
> > ===============================================================
> > Alan G. Yoder                                    agy at netapp.com
> > Technical Staff                          
> > Network Appliance, Inc.                            408-822-6919
> > =============================================================== 
> > 
> > > -----Original Message-----
> > > From: J. Bruce Fields [mailto:bfields at fieldses.org]
> > > Sent: Sunday, March 12, 2006 2:41 PM
> > > To: nfsv4 at ietf.org; samba-technical at lists.samba.org;
> > > Gardere_Daniel at emc.com; Roche_Francois at emc.com
> > > Subject: [nfsv4] Windows/NFSv4 ACL interoperability
> > >
> > > Several of us had a conversation about ACL interoperability at
> > > Connectathon the other week, and I just wanted to post some kind
> > of
> > > summary.
> > >
> > > Apologies for the cross-posting; this seemed the most efficient
> > way to
> > > reach the people likely to be interested.  Let me know if there's
> > > interest, and I could set up a dedicated mailman list for ACL
> > > discussions.
> > >
> > > So I've started gathering what I know here; corrections welcomed:
> > >
> > > http://wiki.linux-nfs.org/index.php/ACLs#The_ACL_Interoperability_Problem
> > >
> > > An executive summary: the basic problem, shared to some
> > > degree by NFSv4
> > > and Samba, is that we'd like to support applications that use
> > > both POSIX
> > > and Windows ACLs, and we'd even like to be able to do it from
> > servers
> > > (like Linux) that only support the less-fine-grained POSIX ACLs.
> > (At
> > > some point that may mean just pushing Windows/NFSv4 ACLs into
> > those
> > > operating systems--I believe OSX, AIX, and Solaris are among
> > > those that
> > > are already doing this.)
> > >
> > > ((There's also a problem that the NFSv4 spec is a little
> > > vague about the
> > > semantics of NFSv4 ACLs, and that the ACLs it describes
> > > differ slightly
> > > from Windows ACLs--see
> > > http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt
> > > for a proposal to address this).
> > >
> > > Some points made by people at the meeting:
> > >       - The problem as stated above is impossible to solve
> > completely.
> > >         For example, ACLs that represent typical Windows
> > > expectations about
> > >         ALLOW/DENY ace ordering appear to be incompatible
> > > with ACLs that
> > >         represent mode bit semantics accurately.  So we have
> > > to be realistic
> > >         about what we can and can't do, and figure out ways to
> > fail
> > >         gracefully.
> > >       - Despite the ubiquity and flexibility of Windows ACLs, it
> > may
> > >         be hard to abandon POSIX ACLs, because they can be
> > somewhat
> > >         simpler to understand and manipulate, and because
> > > some common tools
> > >         may be starting to support them (e.g., see news about
> > > Nautilus ACL
> > >         support:
> > >        
> > >
> > http://blogs.sun.com/roller/page/alvaro?entry=nautilus_acl_support)
> > >
> > > Some resources mentioned at the meeting:
> > >       - rfc3530 section 5.11 describes NFSv4 ACL's:
> > >         http://www.ietf.org/rfc/rfc3530.txt
> > >       - Windows ACL documentation:
> > >        
> > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/file_security_and_access_rights.asp
> > >       - withdrawn draft "POSIX" ACL spec:
> > >         http://wt.xpilot.org/publications/posix.1e/download.html
> > >       - Microsoft documentation on mode bit<->ACL mapping:
> > >        
> > > http://www.microsoft.com/technet/interopmigration/unix/sfu/sfu3perm.mspx
> > >       - Microsoft documentation on preferred ACE ordering:
> > >        
> > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp
> > >       - Presentation by Jeremy Allison on POSIX<->Windows ACL
> > mapping:
> > >        
> > > http://www.citi.umich.edu/projects/nfsv4/jallison-acl-mapping/jallison-acl-mapping.html
> > >       - POSIX<->NFSv4 mapping, used by Linux and Solaris:
> > >        
> > > http://www.citi.umich.edu/projects/nfsv4/rfc/draft-ietf-nfsv4-acl-mapping-03.txt
> > >       - Documentation of OSX ACLs:
> > >        
> > > http://developer.apple.com/documentation/Security/Conceptual/Security_Overview/Concepts/chapter_3_section_9.html
> > >       - Proposed revisions to NFSv4 ACLs, discussion of
> > > chmod, mode bit
> > >         mapping, etc.:
> > >        
> > >
> > http://www.ietf.org/internet-drafts/draft-falkner-nfsv4-acls-00.txt
> > >
> > > But of course I probably missed some stuff; if you notice
> > anything,
> > > please let me know.
> > >
> > > --b.
> > >
> > > _______________________________________________
> > > nfsv4 mailing list
> > > nfsv4 at ietf.org
> > > https://www1.ietf.org/mailman/listinfo/nfsv4
> > >
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Mon, Mar 13, 2006 at 04:04:00PM -0800, Yoder, Alan wrote:
> > > During the NFSv4 ACL spec writeup, I questioned the
> > > lack of ordering requirements for ALLOW and DENY.
> > > Carl Beame demonstrated to my satisfaction that
> > > Windows NT servers did not at that time enforce
> > > any such thing, and that the requirement is (was?)
> > > entirely client-side in Windows.
> > 
> > Yeah, that's my understanding too.
> > 
> > So the problem is just with stuff like a posix user setting a bunch
> > of long carefully crafted ACLs and then a Windows user not being able
> > to read them and blowing them away in an attempt to modify them.
> > 
> > To a certain extent that kind of problem may be unavoidable.  But we
> > may have some control over how common it is and how gracefully we fail.
> > 
> > --b.
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Mon, Mar 13, 2006 at 10:19:22PM -0500, J. Bruce Fields wrote:
> > > Yeah, that's my understanding too.
> > 
> > The one thing that I'd have to verify by experimentation is
> > whether Windows walks the ACL twice: once only looking
> > for negative entries and once for the positive ones. Reading
> > the user-level docs it seems that negative ones are looked
> > at first, but this might be because all GUIs order them.
> > 
> > Volker
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Tue, Mar 14, 2006 at 01:09:44AM +0100, Lars Müller wrote:
> > > The plan is to use the same path as sbindir which you can override with
> > > --with-pammodulesdir while configure.  Mostly the same as with
> > > --with-rootsbindir.
> > > 
> > > By default we have to use something which includes our prefix as we else
> > > can not install it into (and run it from) a userdir.  Which is the case
> > > for the buildfarm for example.
> > 
> > Sounds good. I was just a little afraid to write into system
> > directories by default.
> > 
> > Volker
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > Hi,
> > 
> > In relation to improving Samba3 automated testing, I downloaded and
> > installed Samba versions 3.0.21c and 4.0.0tp1 and modified the
> > t_002.sh script under samba-3.0.21c/source/script/tests/ , so that
> > 'make test' picks up the smbtorture4 executable, and ran the test twice.
> > However, on both occasions it failed to create the TDB password and
> > the smbtorture failed to pass, with every test getting the
> > NT_STATUS_HOST_UNREACHABLE error.
> > 
> > /samba/samba-3.0.21c/source # make test
> > Using FLAGS =  -I/usr/include/heimdal -O -D_SAMBA_BUILD_  -Iinclude
> > -I/root/samba/samba-3.0.21c/source/include
> > -I/root/samba/samba-3.0.21c/source/ubiqx
> > -I/root/samba/samba- 3.0.21c/source/tdb  -I. -I/usr/include/heimdal
> > -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
> > -DLDAP_DEPRECATED
> > -I/root/samba/samba-3.0.21c/source -D_SAMBA_BUILD_
> >       LIBS = -lcrypt -lresolv -lnsl -ldl
> >       LDSHFLAGS = -shared -Wl,-Bsymbolic  -Wl,-rpath,/usr/lib
> >       LDFLAGS = -Wl,-rpath,/usr/lib
> >       PIE_CFLAGS =
> >       PIE_LDFLAGS =
> > Compiling torture/torture.c
> > Compiling torture/nbio.c
> > Compiling torture/scanner.c
> > Compiling torture/utable.c
> > Compiling torture/denytest.c
> > Compiling torture/mangle_test.c
> > Linking bin/smbtorture
> > Compiling torture/msgtest.c
> > Linking bin/msgtest
> > Compiling torture/masktest.c
> > Linking bin/masktest
> > Compiling torture/locktest.c
> > Linking bin/locktest
> > Compiling torture/locktest2.c
> > Linking bin/locktest2
> > Compiling torture/nsstest.c
> > Linking bin/nsstest
> > Compiling torture/cmd_vfs.c
> > Compiling torture/vfstest.c
> > Linking bin/vfstest
> > Running Samba 3 Test suite
> > Unable to open/create TDB passwd
> > Unable to open/create TDB passwd
> > pdb_getsampwnam: TDB passwd (/root/samba/samba-3.0.21c
> > /source/t_dir/private/passdb.tdb) did not exist. File successfully
> > created.
> > ./script/tests/runtests.sh: line 99: 22937 Done
> > ( echo
> > $PASSWORD; echo $PASSWORD )
> >      22938 Segmentation fault      | smbpasswd -c $LIBDIR/smb.conf
> > -L -s -a
> > $USERNAME
> > 
> > >>>>>> Starting test driver t_001.sh <<<<<
> > Starting smbd....
> > session setup failed: Call timed out: server did not respond after
> > 20000
> > milliseconds
> > Shutting down smbd (pid 22949)...
> > make: *** [test] Interrupt
> > 
> > Also, when I see the list of smb processes running, it shows all
> > smbtorture processes to be 'defunct'.
> > # ps -ae| grep smb
> > 23015 ?        00:00:00 smbd
> > 23017 ?        00:00:00 smbd
> > 23020 pts/0    00:00:20 smbtorture
> > 23021 pts/0    00:00:00 smbtorture <defunct>
> > 23022 pts/0    00:00:00 smbtorture <defunct>
> > 23023 pts/0    00:00:00 smbtorture <defunct>
> > 23024 pts/0    00:00:00 smbtorture <defunct>
> > 23025 pts/0    00:00:00 smbtorture <defunct>
> > 23026 pts/0    00:00:00 smbtorture <defunct>
> > 23027 pts/0    00:00:00 smbtorture <defunct>
> > 23028 pts/0    00:00:00 smbtorture <defunct>
> > 23029 pts/0    00:00:00 smbtorture <defunct>
> > 23030 pts/0    00:00:00 smbtorture <defunct>
> > 23031 pts/0    00:00:00 smbtorture <defunct>
> > 23032 pts/0    00:00:00 smbtorture <defunct>
> > 
> > Is this an expected behaviour?
> > 
> > Thanks and regards
> > Sandeep Cashyap.R
> > 
> > IBM India Ltd.
> > Subramanya Arcade - 2, Level 6,
> > Banerghatta Main Road,
> > Bangalore - 560029.
> > Ph:  91-80-51956573
> > Email:  sandeep.cashyap at in.ibm.com
> > 
> > 
> > On 3/3/06, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
> > >
> > > On Fri, Mar 03, 2006 at 05:43:05PM +0300, Alexander Bokovoy wrote:
> > > > Should we rewrite smbtorture tests in ejs? This would allow
> > arbitrary
> > > > grouping (through include statements) and simpler integration.
> > >
> > > The main argument against rewriting in ejs is the amount of
> > > coding that has gone into the torture tests so far. If
> > > someone went through and rewrote all of that in ejs, fine
> > > :-)
> > >
> > > Volker
> > >
> > >
> > >
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Mon, 2006-13-03 at 16:57 +0100, Stefan (metze) Metzmacher wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > Hi Vance,
> > > 
> > > can you have a look at build.pl it doesn't like:
> > 
> > Fixed :-)
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > Volker,
> > 
> >  > The one thing that I'd have to verify by experimentation is
> >  > whether Windows walks the ACL twice: once only looking
> >  > for negative entries and once for the positive ones. Reading
> >  > the user-level docs it seems that negative ones are looked
> >  > at first, but this might be because all GUIs order them.
> > 
> > I developed the sec_access_check() function in
> > libcli/security/access_check.c code in Samba4 pretty carefully, and
> > I'm fairly confident it is accurate, in terms of matching what w2k3
> > does. It walks the ACL just once. Note that it is not the same as
> > any published docs I have found (in particular the ordering of the
> > special case tests at the top of the function are different to all
> > docs I have seen).
> > 
> > The RAW-ACLS test in Samba4 smbtorture is quite a useful test case
> > for this stuff too.
> > 
> > Cheers, Tridge
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > Windows servers are walking the ACL once, in the same order as the
> > aces are stored. However most client applications will expect that
> > the aces are sorted in the following order:
> > 
> > 1) Explicit denied aces
> > 2) Explicit allow aces
> > 3) Inherited denied aces
> > 4) Inherited allow aces
> > 
> > If the server doesn't return aces in that order then some
> > applications will get into trouble. For instance with explorer on
> > windows NT I remember you will then have a popup window saying that
> > there is something wrong, so you need to discard all aces or it will
> > reorder them automatically. This is only one example among others.
> > In general windows clients are not very tolerant with such things,
> > unlike the server side, which is.
> > 
> > -----Original Message-----
> > From: Volker Lendecke [mailto:vlendec at SerNet.DE] On Behalf Of Volker
> > Lendecke
> > Sent: mardi 14 mars 2006 08:51
> > To: J. Bruce Fields
> > Cc: Yoder, Alan; Gardere, Daniel; samba-technical at lists.samba.org;
> > nfsv4 at ietf.org; Roche, Francois
> > Subject: Re: [nfsv4] Windows/NFSv4 ACL interoperability
> > 
> > On Mon, Mar 13, 2006 at 10:19:22PM -0500, J. Bruce Fields wrote:
> > > Yeah, that's my understanding too.
> > 
> > The one thing that I'd have to verify by experimentation is
> > whether Windows walks the ACL twice: once only looking
> > for negative entries and once for the positive ones. Reading
> > the user-level docs it seems that negative ones are looked
> > at first, but this might be because all GUIs order them.
> > 
> > Volker
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > Windows apparently evaluates the ACL entries in the order they
> > appear. MSDN developer docs state that an application modifying an
> > ACL is responsible for keeping ACEs in the canonical order (all deny
> > entries preceding allow entries).
> > 
> > If you don't already have it, SetACL (http://setacl.sourceforge.net/)
> > is a nifty GPL tool. It might be a useful tool for scripted ACL
> > mangling (and behavior comparisons between a Samba server and a
> > Windows server).
> > 
> > 
> > MSDN "Platform SDK: Authorization" documentation entries describing
> > ACL
> > ordering requirements:
> > 
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/order_of_aces_in_a_dacl.asp
> > 
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/addaccessdeniedace.asp
> > 
> > MSDN authorization functions index:
> > 
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_functions.asp
> > 
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Vance Lankhaar schrieb:
> > > On Mon, 2006-13-03 at 16:57 +0100, Stefan (metze) Metzmacher
> > wrote:
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA1
> > >>
> > >> Hi Vance,
> > >>
> > >> can you have a look at build.pl it doesn't like:
> > >
> > > Fixed :-)
> > thanks!
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.0 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > 
> > iD8DBQFEFpIUm70gjA5TCD8RAueQAKCrgFb/N31+Q6TI1Kg0eKJaul0/GACgtmb7
> > yUFWX1mBfquXq6qOPSnzvSg=
> > =NK2S
> > -----END PGP SIGNATURE-----
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > At 5:40 PM -0500 3/12/06, J. Bruce Fields wrote:
> > >Several of us had a conversation about ACL interoperability at
> > >Connectathon the other week, and I just wanted to post some kind of
> > >summary.
> > >
> > >Apologies for the cross-posting; this seemed the most efficient way
> > to
> > >reach the people likely to be interested.  Let me know if there's
> > >interest, and I could set up a dedicated mailman list for ACL
> > >discussions.
> > >
> > >So I've started gathering what I know here; corrections welcomed:
> > >
> > >http://wiki.linux-nfs.org/index.php/ACLs#The_ACL_Interoperability_Problem
> > >
> > >An executive summary: the basic problem, shared to some degree by
> > NFSv4
> > >and Samba, is that we'd like to support applications that use both
> > POSIX
> > >and Windows ACLs, and we'd even like to be able to do it from
> > servers
> > >(like Linux) that only support the less-fine-grained POSIX ACLs.
> > (At
> > >some point that may mean just pushing Windows/NFSv4 ACLs into those
> > >operating systems--I believe OSX, AIX, and Solaris are among those
> > that
> > >are already doing this.)
> > 
> > Yes the OSX ACL model is nearly Windows.  IMO the most interesting
> > difference between them is when none of the ACEs ALLOW or DENY an
> > access.  In that case Windows denies the attempt, but OSX at that
> > point will fall back to POSIX mode bits.
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Sun, Mar 12, 2006 at 05:40:35PM -0500, J. Bruce Fields wrote:
> > >
> > > So I've started gathering what I know here; corrections welcomed:
> > >
> > >
> > http://wiki.linux-nfs.org/index.php/ACLs#The_ACL_Interoperability_Problem
> > >
> > Perhaps you can add a link to http://sourceforge.net/projects/ngacl
> > on your page, as a first try to address these issues on linux.
> > 
> > I think you are missing one distinctive difference in the semantics
> > of nfsv4 and windows acl: inheritance! afaik nfsv4 uses static
> > inheritance (acls are inherited only at file creation time) and
> > windows uses a semi-dynamic model (acls are inherited at the time
> > they are set). Applications that rely on one behaviour may do
> > strange things!
> > 
> > christoph
> > 
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > Christoph,
> > 
> >  > I think you are missing one distinctive difference in the
> > semantics of
> >  > nfsv4 and windows acl: inheritance! afaik nfsv4 uses static
> > inheritance
> >  > (acls are inherited only at file creation time) and windows uses
> > a
> >  > semi-dynamic model (acls are inherited at the time they are set).
> >  > Applications that rely on one behaviour may do strange things!
> > 
> > I am a little skeptical about this. I know that Microsoft docs talk
> > about this type of dynamic inheritance, but when I went to implement
> > it in Samba4 I failed to reproduce it in windows->windows testing
> > (using win2003). What I saw instead was that the windows client
> > would walk the file tree under the directory and update the ACLs
> > manually, guided by the various inheritance flags.
> > 
> > Try as I might to make windows do true dynamic inheritance, where an
> > update to a directory acl is immediately visible to elements within
> > the directory without a tree walk, I didn't see it.
> > 
> > Some people have said they just don't believe me, but I would
> > appreciate it if someone who has seen real dynamic inheritance in
> > action could send me a sniff demonstrating it.
> > 
> > Also note that (from the user's point of view) Samba4 does implement
> > dynamic inheritance; it's just that what happens is the client
> > transparently walks the tree and updates it for us, so I have a
> > working implementation to back up the above :-)
> > 
> > Cheers, Tridge
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > I totally agree with Tridge, it is the client which is doing the
> > propagation
> > down the tree not the server.
> > Windows server is doing it only for file/directory creation.
> > 
> > -----Original Message-----
> > From: tridge at samba.org [mailto:tridge at samba.org]
> > Sent: mardi 14 mars 2006 12:32
> > To: Christoph Klein
> > Cc: J. Bruce Fields; Gardere, Daniel;
> > samba-technical at lists.samba.org;
> > nfsv4 at ietf.org; Roche, Francois
> > Subject: Re: Windows/NFSv4 ACL interoperability
> > 
> > Christoph,
> > 
> >  > I think you are missing one distinctive difference in the
> > semantics of
> >  > nfsv4 and windows acl: inheritance! afaik nfsv4 uses static
> > inheritance
> >  > (acls are inherited only at file creation time) and windows uses
> > a
> >  > semi-dynamic model (acls are inherited at the time they are set).
> >  > Applications that rely on one behaviour may do strange things!
> > 
> > I am a little skeptical about this. I know that Microsoft docs talk
> > about this type of dynamic inheritance, but when I went to implement
> > it in Samba4 I failed to reproduce it in windows->windows testing
> > (using win2003). What I saw instead was that the windows client
> > would
> > walk the file tree under the directory and update the ACLs manually
> > guided by the various inheritance flags.
> > 
> > Try as I might to make windows do true dynamic inheritance, where an
> > update to a directory acl is immediately visible to elements within
> > the directory without a tree walk, I didn't see it.
> > 
> > Some people have said they just don't believe me, but I would
> > appreciate it if someone who has seen real dynamic inheritance in
> > action could send me a sniff demonstrating it.
> > 
> > Also note that (from the user's point of view) Samba4 does implement
> > dynamic inheritance; it's just that what happens is the client
> > transparently walks the tree and updates it for us, so I have a
> > working implementation to back up the above :-)
> > 
> > Cheers, Tridge
> > 
> > 
> > 
> email message attachment
> On Tue, 2006-03-14 at 04:07 -0800,
> samba-technical-request at lists.samba.org wrote:
> > On Tue, Mar 14, 2006 at 10:31:43PM +1100, tridge at samba.org wrote:
> > > Christoph,
> > >
> > >  > I think you are missing one distinctive difference in the
> > semantics of
> > >  > nfsv4 and windows acl: inheritance! afaik nfsv4 uses static
> > inheritance
> > >  > (acls are inherited only at file creation time) and windows
> > uses a
> > >  > semi-dynamic model (acls are inherited at the time they are
> > set).
> > >  > Applications that rely on one behaviour may do strange things!
> > >
> > > I am a little skeptical about this. I know that Microsoft docs
> > talk
> > > about this type of dynamic inheritance, but when I went to
> > implement
> > > it in Samba4 I failed to reproduce it in windows->windows testing
> > > (using win2003). What I saw instead was that the windows client
> > would
> > > walk the file tree under the directory and update the ACLs
> > manually
> > > guided by the various inheritance flags.
> > >
> > > Try as I might to make windows do true dynamic inheritance, where
> > an
> > > update to a directory acl is immediately visible to elements within
> > the
> > > directory without a tree walk, I didn't see it.
> > 
> > Yes, we are talking about the same thing. That's why I said
> > semi-dynamic and applied at the time the ace is set, and not when
> > the actual access check happens! But as this behaviour is not
> > exposed to the windows user (he always has the feeling he's working
> > on a fully dynamic inheriting fs), and should be obeyed by
> > applications (don't allow users to delete inherited aces and
> > propagate new aces in the tree), this makes no difference.
> > 
> > Chris
> > 
> > 
> > 
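The ACE ordering and single-pass evaluation discussed in the ACL interoperability thread above, as an added illustration that is not code from Samba, from sec_access_check(), or from anyone on this list: a constructed C model of a DACL walked once in stored order (deny as soon as a DENY ACE covers a still-outstanding right, allow once every requested right has been granted, deny if the walk ends with rights outstanding), a check that an ACL follows the four-class canonical order listed in the thread (explicit deny, explicit allow, inherited deny, inherited allow), and a stable re-ordering into that form. The `struct ace` layout, the `ACE_FLAG_INHERITED` value, the right bits, the string "SIDs" and the sample ACL are all assumptions made for this example. `demo()` shows the practical point: because the server walks the ACL once in stored order, the same set of ACEs grants or denies WRITE depending only on whether the DENY entry precedes the ALLOW entry, which is why a server that hands back non-canonical ACLs confuses clients that assume canonical order.

```c
/* Added example, not Samba code. Constructed types, flag values and
 * sample ACL; SIDs are plain strings for readability. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARRAY_SIZE avoids the "forgot to divide by the element size" trap. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

enum ace_type { ACE_ALLOW, ACE_DENY };
#define ACE_FLAG_INHERITED 0x10   /* assumed flag value for this example */

#define RIGHT_READ  0x1
#define RIGHT_WRITE 0x2

struct ace {
    enum ace_type type;
    unsigned flags;
    uint32_t mask;       /* rights this ACE grants or denies */
    const char *sid;     /* trustee */
};

/* True if the token (the SIDs the caller holds) contains the trustee. */
static bool token_has_sid(const char *const *token, size_t ntoken, const char *sid)
{
    for (size_t i = 0; i < ntoken; i++)
        if (strcmp(token[i], sid) == 0)
            return true;
    return false;
}

/* One pass over the ACL in stored order. A matching DENY that covers any
 * still-unsatisfied bit denies immediately; matching ALLOWs accumulate
 * until every desired bit is granted. Ending the walk with bits still
 * outstanding is a denial (deny-by-default, as the thread says Windows does). */
bool access_check(const struct ace *acl, size_t nace,
                  const char *const *token, size_t ntoken, uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < nace && remaining != 0; i++) {
        const struct ace *a = &acl[i];
        if (!token_has_sid(token, ntoken, a->sid))
            continue;
        if (a->type == ACE_DENY) {
            if (a->mask & remaining)
                return false;
        } else {
            remaining &= ~a->mask;
        }
    }
    return remaining == 0;
}

/* Canonical class: explicit deny 0, explicit allow 1, inherited deny 2,
 * inherited allow 3. */
int canonical_class(const struct ace *a)
{
    return ((a->flags & ACE_FLAG_INHERITED) ? 2 : 0) + (a->type == ACE_ALLOW ? 1 : 0);
}

/* A validation step a server or admin tool can run before handing an ACL
 * to a client that assumes canonical order. */
bool is_canonical(const struct ace *acl, size_t nace)
{
    for (size_t i = 1; i < nace; i++)
        if (canonical_class(&acl[i]) < canonical_class(&acl[i - 1]))
            return false;
    return true;
}

/* Stable insertion sort by class; relative order within a class is kept. */
void canonicalize(struct ace *acl, size_t nace)
{
    for (size_t i = 1; i < nace; i++) {
        struct ace key = acl[i];
        size_t j = i;
        while (j > 0 && canonical_class(&acl[j - 1]) > canonical_class(&key)) {
            acl[j] = acl[j - 1];
            j--;
        }
        acl[j] = key;
    }
}

/* Bit 0: WRITE granted before re-ordering; bit 1: after; bit 2: ACL was
 * canonical before; bit 3: canonical after. Caller is "alice", a member
 * of "staff" and "everyone". */
int demo(void)
{
    struct ace acl[] = {
        { ACE_ALLOW, 0,                  RIGHT_READ | RIGHT_WRITE, "S-alice" },
        { ACE_DENY,  0,                  RIGHT_WRITE,              "S-staff" },
        { ACE_ALLOW, ACE_FLAG_INHERITED, RIGHT_READ,               "S-everyone" },
    };
    const char *token[] = { "S-alice", "S-staff", "S-everyone" };
    size_t n = ARRAY_SIZE(acl), nt = ARRAY_SIZE(token);
    int result = 0;
    if (is_canonical(acl, n)) result |= 4;
    if (access_check(acl, n, token, nt, RIGHT_WRITE)) result |= 1;
    canonicalize(acl, n);
    if (is_canonical(acl, n)) result |= 8;
    if (access_check(acl, n, token, nt, RIGHT_WRITE)) result |= 2;
    printf("write granted: stored order=%d canonical order=%d\n", result & 1, (result >> 1) & 1);
    return result;
}

/* A token matching no ACE at all gets nothing. */
bool demo_no_match(void)
{
    struct ace acl[] = { { ACE_ALLOW, 0, RIGHT_READ, "S-alice" } };
    const char *token[] = { "S-bob" };
    return access_check(acl, ARRAY_SIZE(acl), token, ARRAY_SIZE(token), RIGHT_READ);
}

int main(void) { demo(); return 0; }
```

Build with `cc -std=c99 acl_order.c && ./a.out`; it prints `write granted: stored order=1 canonical order=0`. Note that re-ordering a stored ACL changes what the server's own single-pass walk will decide, so the canonical check belongs at the point where an ACL is set or reported, not silently inside the access check itself.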