[PATCH] Patches required for POSIX ACL support of GPOs

Jeremy Allison jra at samba.org
Fri May 11 01:58:19 MDT 2012

On Thu, May 10, 2012 at 08:37:38PM +1000, Andrew Bartlett wrote:

> For the normal case, when we start having IDMAP_BOTH in general, we need
> to be very careful - any change to the POSIX -> NT mapping will disrupt
> the hash we store in the NT ACL, as it is the hash of the NT mapping of
> the POSIX ACL, not the hash of the POSIX ACL!  This will mean that the
> NT ACL will be ignored (as it will appear that the POSIX ACL has
> changed).  I think this was a very poor design choice, but we can't undo
> that now. 

Remember that the only thing we can guarentee to get back
from the lower layer is a NT mapping from the underlying
system. The underlying system may not be a POSIX ACL at
all, it may be a GPFS ACL, or a ZFS ACL or any number of
other types of object. So how could we hard-code a hash of
the POSIX ACL here ?

Hashing the NT mapping was the only possible choice.


More information about the samba-technical mailing list