Supporting SACLs using EAs and a VFS module?

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Mar 15 12:45:53 GMT 2006

On Wed, Mar 15, 2006 at 02:32:13PM +1100, tridge at wrote:
> I broke it up a little in Samba4, so that the NT ACL goes in a
> separate security.NTACL xattr, the EAs go in user.DosEAs and the file
> attributes go in user.DosAttrib.

With "NT ACL" you mean the complete one, including owner
info and the SACL?

> So for the SACL data, that would logically be added to security.NTACL,
> by extending the IDL and adding a new version (see the IDL switch in
> my last email).

Hmmm. Is that necessary? If we put in the complete secdesc
it contains both. It would also provide a nice
infrastructure for Samba3 to do full NT (d)acls eventually.

> As you suggested, I put all the file attribute data (timestamps etc)
> in user.DosAttrib as they tend to be all used at once. Clients ask for
> a qfileinfo call, and that needs all (or nearly all) of the
> attributes, so grouping them makes sense.
> For the example like a create time stamp that isn't needed, there is a
> flags field, and we can define a flag that says "this field is not
> used". That should make it easy to enable/disable features without
> breaking existing EAs in filesystems.

Ok. Looks good.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list