[NT ACLS] Using the security.* namespace for NTACL considered improper

Jeremy Allison jra at samba.org
Tue Jan 19 13:29:52 MST 2010

On Tue, Jan 19, 2010 at 09:18:34PM +0100, Volker Lendecke wrote:
> On Tue, Jan 19, 2010 at 12:10:19PM -0800, Jeremy Allison wrote:
> > > I think we should comply, and start moving NTACL to from security.NTACL
> > > to trusted.NTACL as soon as possible, before it get widely used.
> > > 
> > > What do you think ?
> > 
> > Raise a "blocker" bug in 3.5.0 to make sure we don't
> > ship a production release with this. Once we've shipped
> > there's no going back.
> > 
> > I'll make the change to "trusted.*" in the code, and
> > attach the change to the bug.
> We'll have to pull back all 3.3 and 3.4 installations as
> well.

Do you know of any production sites that are using this ?
The modules are still marked experimental, so I'm not aware
of any real use out there. Might be wrong though. Anyone out
there using vfs_acl_xattr please chime in. We'd have to write a
'net acl migrate' command to rename these attributes.

I'd forgotten this module shipped in 3.3.x and beyond (I've
been fixing it up so much for 3.5.0 that I'd forgotten what
the changes were based on :-).

> Why not leave it as it is. How likely is it that a Linux(!)
> kernel module conflicts with a name NTACL, except for the
> very purpose to interoperate with Samba?

Probably not. Hmmm. As we do have shipping code out there,
this is much more difficult than I originally thought.

Comments from users would be appreciated.


More information about the samba-technical mailing list