Registry Shares?

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Nov 22 14:20:52 GMT 2006

On Wed, Nov 22, 2006 at 09:11:07AM -0500, simo wrote:
> uhmm a set of deny aces first (invalid users) and then a set of allow
> aces (valid users), is what comes to mind.

Sure, that's one approach. But then you also have "hosts
allow". How do you represent that as a security descriptor?

> I know that some configuration of ACLs where deny entries are after some
> allow one would not match, but nobody do that afaik, and we can probably
> just limit it and document it.

I'd like to see a concrete proposal first :-)

With ACLs there have been *many* attempts to sanitize them,
and so far not many have produced usable results :-)

> I think my main concern is about ACLs right now, we can probably keep
> everything else more or less the same, but I'd like to take the chance
> to cleanup stuff as we go if possible.

Again: Feel free.

I will concentrate on the smb.conf mechanics first, if we
later on dump the 'valid users' in exchange for something
better, this is independent of it I think.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list