idra at samba.org
Wed Nov 22 14:11:07 GMT 2006
On Wed, 2006-11-22 at 15:03 +0100, Volker Lendecke wrote:
> On Wed, Nov 22, 2006 at 08:12:42AM -0500, simo wrote:
> > > Yes, I'll keep it that way. You always have the share
> > > secdesc on top of it.
> > This the point, why keeping 2 conflicting access control mechanisms?
> > Why not merging them? As we change the interface we can also change
> > behavior without backward compatibility problems, and fix problems we
> > historically had.
> Because I think that "valid users" is just too simple and
> straight foward to use to dump it. And I don't think there
> is a canonical way to convert a valid/invalid users line etc
> into a security descriptor or vice versa.
uhmm a set of deny aces first (invalid users) and then a set of allow
aces (valid users), is what comes to mind.
I know that some configuration of ACLs where deny entries are after some
allow one would not match, but nobody do that afaik, and we can probably
just limit it and document it.
> > > Sure. But this should be doable I think. We already have
> > > some samba3 mapping layers in samba4 for other things, so if
> > > we agree the basic registry model is sane for smb.conf, this
> > > should be presentable in a compatible way in samba4 as well.
> > Oh well, sure, but it would be a bit silly to introduce something new
> > now and then have to emulate it in samba4 to make it compatible with
> > samba3.
> Do you have in mind to radically change the configuration
> for Samba4 shares? I mean, the current .ini style file has
> served us well for ages, and I don't see any reason to
> change it, at least not from the sharename/keyname/value
> concept point of view. And if you look at it, the registry
> is just a .ini file on steroids.
> So in case you don't plan to change the .ini style
> configuration, then the registry is a perfect match for it.
> Maybe I'm in Samba conf files for too long, but I have a
> hard time imagining something radically enough different for
> defining shares that we can not just proceed with this "one
> key per share, one value per param" model.
I think my main concern is about ACLs right now, we can probably keep
everything else more or less the same, but I'd like to take the chance
to cleanup stuff as we go if possible.
If you feel strong on something, we can simply discuss about it and see
what most people want, I am not too strong on anything.
Samba Team GPL Compliance Officer
email: idra at samba.org
More information about the samba-technical