[PATCH] Patches required for POSIX ACL support of GPOs

Andrew Bartlett abartlet at samba.org
Fri May 11 02:03:54 MDT 2012

On Fri, 2012-05-11 at 00:58 -0700, Jeremy Allison wrote:
> On Thu, May 10, 2012 at 08:37:38PM +1000, Andrew Bartlett wrote:
> > For the normal case, when we start having IDMAP_BOTH in general, we need
> > to be very careful - any change to the POSIX -> NT mapping will disrupt
> > the hash we store in the NT ACL, as it is the hash of the NT mapping of
> > the POSIX ACL, not the hash of the POSIX ACL!  This will mean that the
> > NT ACL will be ignored (as it will appear that the POSIX ACL has
> > changed).  I think this was a very poor design choice, but we can't undo
> > that now. 
> Remember that the only thing we can guarantee to get back
> from the lower layer is a NT mapping from the underlying
> system. The underlying system may not be a POSIX ACL at
> all, it may be a GPFS ACL, or a ZFS ACL or any number of
> other types of object. So how could we hard-code a hash of
> the POSIX ACL here?

Easy: ask for a hash of the ACL as a distinct VFS operation.  Then the
type of ACL doesn't matter, just the returned value. 

> Hashing the NT mapping was the only possible choice.

I strongly disagree.  

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
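
A small model of the two hashing schemes debated in this thread, added here as an illustration; it is not part of the original message and not Samba code. The function names, the toy mapping and the sample SIDs are all assumptions made for the example.

```python
import hashlib

# Constructed sample: a POSIX ACL as (tag, id, perms) entries.
POSIX_ACL = [("user", 1000, "rwx"), ("group", 100, "r-x"), ("other", None, "r--")]

# Two constructed idmap states for the same uid/gid (SIDs are made up).
IDMAP_BEFORE = {("user", 1000): "S-1-5-21-1-2-3-1104",
                ("group", 100): "S-1-5-21-1-2-3-513"}
IDMAP_AFTER = {("user", 1000): "S-1-22-1-1000",
               ("group", 100): "S-1-22-2-100"}


def map_posix_to_nt(acl, idmap):
    """Toy POSIX -> NT mapping: every entry becomes a (SID, perms) ACE."""
    return [("S-1-1-0" if tag == "other" else idmap[(tag, ident)], perms)
            for tag, ident, perms in acl]


def hash_nt_mapping(acl, idmap):
    """Scheme under discussion: hash the NT mapping of the underlying ACL."""
    return hashlib.sha256(repr(map_posix_to_nt(acl, idmap)).encode()).hexdigest()


def hash_native_acl(acl):
    """Hypothetical separate hash operation: the backend hashes its own ACL
    representation and the caller only ever sees the opaque digest."""
    return hashlib.sha256(repr(acl).encode()).hexdigest()


def nt_acl_trusted(acl_then, idmap_then, acl_now, idmap_now):
    """Return (trusted with mapping hash, trusted with native hash): whether
    the stored NT ACL would still be honoured under each scheme."""
    by_mapping = hash_nt_mapping(acl_then, idmap_then) == hash_nt_mapping(acl_now, idmap_now)
    by_native = hash_native_acl(acl_then) == hash_native_acl(acl_now)
    return by_mapping, by_native


if __name__ == "__main__":
    edited = [("user", 1000, "rwx"), ("group", 100, "rwx"), ("other", None, "r--")]
    print("idmap changed, ACL untouched:",
          nt_acl_trusted(POSIX_ACL, IDMAP_BEFORE, POSIX_ACL, IDMAP_AFTER))
    print("ACL edited, idmap untouched: ",
          nt_acl_trusted(POSIX_ACL, IDMAP_BEFORE, edited, IDMAP_BEFORE))
```

In the first case only the uid/gid to SID mapping changed, yet the mapping-based hash no longer matches and the stored NT ACL would be ignored; in the second case both schemes detect the real ACL edit.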
