[PATCH] Patches required for POSIX ACL support of GPOs
jra at samba.org
Fri May 11 01:58:19 MDT 2012
On Thu, May 10, 2012 at 08:37:38PM +1000, Andrew Bartlett wrote:
> For the normal case, when we start having IDMAP_BOTH in general, we need
> to be very careful - any change to the POSIX -> NT mapping will disrupt
> the hash we store in the NT ACL, as it is the hash of the NT mapping of
> the POSIX ACL, not the hash of the POSIX ACL! This will mean that the
> NT ACL will be ignored (as it will appear that the POSIX ACL has
> changed). I think this was a very poor design choice, but we can't undo
> that now.
Remember that the only thing we can guarentee to get back
from the lower layer is a NT mapping from the underlying
system. The underlying system may not be a POSIX ACL at
all, it may be a GPFS ACL, or a ZFS ACL or any number of
other types of object. So how could we hard-code a hash of
the POSIX ACL here ?
Hashing the NT mapping was the only possible choice.
More information about the samba-technical