[PATCH] Patches required for POSIX ACL support of GPOs
abartlet at samba.org
Fri May 11 02:03:54 MDT 2012
On Fri, 2012-05-11 at 00:58 -0700, Jeremy Allison wrote:
> On Thu, May 10, 2012 at 08:37:38PM +1000, Andrew Bartlett wrote:
> > For the normal case, when we start having IDMAP_BOTH in general, we need
> > to be very careful - any change to the POSIX -> NT mapping will disrupt
> > the hash we store in the NT ACL, as it is the hash of the NT mapping of
> > the POSIX ACL, not the hash of the POSIX ACL! This will mean that the
> > NT ACL will be ignored (as it will appear that the POSIX ACL has
> > changed). I think this was a very poor design choice, but we can't undo
> > that now.
> Remember that the only thing we can guarantee to get back
> from the lower layer is an NT mapping from the underlying
> system. The underlying system may not be a POSIX ACL at
> all, it may be a GPFS ACL, or a ZFS ACL or any number of
> other types of object. So how could we hard-code a hash of
> the POSIX ACL here?
Easy: ask for a hash of the ACL as a distinct VFS operation. Then the
type of ACL doesn't matter, just the returned value.
> Hashing the NT mapping was the only possible choice.
I strongly disagree.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
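
A small model of the two hashing schemes argued over in this thread, added here as an illustration; it is not code from the thread or from Samba. The function names, SID values and ACL entries are constructed, and the ACL-to-NT translation is deliberately simplified.

```python
import hashlib

# Constructed sample data: a POSIX ACL as (tag, unix id, permissions) entries.
POSIX_ACL = [("user", 1000, "rwx"), ("group", 100, "r-x"), ("other", None, "r--")]

# Two hypothetical ID-to-SID mappings for the same IDs, before and after an
# idmap change; the domain SIDs are constructed values.
IDMAP_OLD = {("user", 1000): "S-1-22-1-1000", ("group", 100): "S-1-22-2-100"}
IDMAP_NEW = {("user", 1000): "S-1-5-21-1111-2222-3333-1104",
             ("group", 100): "S-1-5-21-1111-2222-3333-1105"}

def nt_mapping(acl, idmap):
    """Translate each POSIX entry into an 'SID:perms' string (simplified)."""
    return [f"{idmap.get((tag, uid), 'S-1-1-0')}:{perms}" for tag, uid, perms in acl]

def digest(items):
    return hashlib.sha256("\n".join(map(str, items)).encode()).hexdigest()

def hash_of_nt_mapping(acl, idmap):
    """Scheme under discussion: hash the NT view of the underlying ACL."""
    return digest(nt_mapping(acl, idmap))

def hash_of_native_acl(acl):
    """Proposed alternative: the backend hashes its own ACL, whatever its type."""
    return digest(acl)

def stored_nt_acl_honoured(stored_hash, current_hash):
    """The stored NT ACL is used only while the hashes still match."""
    return stored_hash == current_hash

def simulate():
    # Both hashes are recorded at the time the NT ACL is written.
    stored_map = hash_of_nt_mapping(POSIX_ACL, IDMAP_OLD)
    stored_nat = hash_of_native_acl(POSIX_ACL)
    # Case 1: only the ID mapping changes; the on-disk ACL is untouched.
    remap = (stored_nt_acl_honoured(stored_map, hash_of_nt_mapping(POSIX_ACL, IDMAP_NEW)),
             stored_nt_acl_honoured(stored_nat, hash_of_native_acl(POSIX_ACL)))
    # Case 2: the on-disk ACL really changes (group loses execute).
    changed = [("user", 1000, "rwx"), ("group", 100, "r--"), ("other", None, "r--")]
    edit = (stored_nt_acl_honoured(stored_map, hash_of_nt_mapping(changed, IDMAP_OLD)),
            stored_nt_acl_honoured(stored_nat, hash_of_native_acl(changed)))
    return {"idmap_change": remap, "acl_change": edit}

if __name__ == "__main__":
    print(simulate())
```

Each result pair is (mapping-hash scheme, native-hash scheme): an idmap change alone invalidates only the mapping hash, while a real ACL edit invalidates both.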