Current approaches to ACL handling

Christopher R. Hertel crh at
Mon Oct 1 13:26:04 MDT 2012

On 10/01/2012 02:22 PM, simo wrote:
> On Mon, 2012-10-01 at 12:19 -0700, ronnie sahlberg wrote:
>> On Mon, Oct 1, 2012 at 11:57 AM, Christopher R. Hertel <crh at> wrote:
>>> On 10/01/2012 01:52 PM, Jeremy Allison wrote:
>>>> On Mon, Oct 01, 2012 at 02:42:51PM -0400, simo wrote:
>>>>> On Mon, 2012-10-01 at 13:28 -0500, Christopher R. Hertel wrote:
>>>>>> What are the current best practices for ACL handling?
>>>>>> To my knowledge, it's using EAs to store the ACLs.  Is there any in-depth
>>>>>> documentation on this implementation?  Are there any other mechanisms in
>>>>>> use?
>>>>> We store the Windows ACL in an EA and a matching posix ACL translation
>>>>> on the file, plus a sha hash of the ACL so we can be sure they are in
>>>>> sync.
>>>>> I am not aware of any other doc beyond the code.
>>>> Well there are some SambaXP talks on it I did a while ago :-).
>>>> Sorry.
>>> I'll look at the code and your talks.  Those are the kinds of pointers I
>>> needed.
>>> Is there any reason to even consider the possibility of thinking about
>>> pondering the idea of toying with the concept of somehow using TDB (CTDB) to
>>> manage ACLs, or is that not a particularly rational approach?
>> I think TDBs would be problematic since with one permanent record for
>> each file, and say a few billion files, the TDB would become huge.
>> As in >>TB size huge.
>> You would also have the problem of single point of failure.  That TDB
>> file goes bad, you now lost all ACLs for all your files.
> Backups would also be problematic, ACLs and actual files would end up
> being backed up at potentially very different times, allowing for
> incomplete or mismatching backups of ACLs.

All good reasons against.  Now I just need to ensure the consistency of EAs across a cluster.  :)


Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at
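
The sync check described in the quoted reply above (Windows ACL in an EA, a POSIX ACL translation on the file, and a hash tying the two together), as an added example that is not part of the original thread and is not Samba's code. Assumptions: a dict stands in for one file and its xattrs, the EA name `user.example.ntacl` and the JSON record layout are hypothetical, the hash is SHA-256 taken over the POSIX ACL entries, and the ACL values are constructed samples.

```python
import hashlib
import json

# Hypothetical EA name for this sketch; not taken from the thread.
EA_NAME = "user.example.ntacl"


def posix_acl_digest(posix_acl):
    """Hash a canonical (sorted) form of the POSIX ACL entries."""
    canonical = "\n".join(sorted(posix_acl)).encode()
    return hashlib.sha256(canonical).hexdigest()


def store_nt_acl(f, nt_acl, posix_acl):
    """Write the POSIX translation and the EA record together."""
    f["posix_acl"] = list(posix_acl)
    record = {"nt_acl": nt_acl, "posix_sha256": posix_acl_digest(posix_acl)}
    f["xattrs"][EA_NAME] = json.dumps(record).encode()


def load_nt_acl(f):
    """Return (nt_acl, in_sync). A stale or missing EA yields (None, False)."""
    blob = f["xattrs"].get(EA_NAME)
    if blob is None:
        return None, False
    record = json.loads(blob)
    if record["posix_sha256"] != posix_acl_digest(f["posix_acl"]):
        # POSIX ACL changed without the EA being rewritten: do not trust it.
        return None, False
    return record["nt_acl"], True


def demo():
    # Constructed sample: one file modelled as a dict.
    f = {"posix_acl": [], "xattrs": {}}
    store_nt_acl(f, "D:(A;;FA;;;BA)(A;;FR;;;WD)",
                 ["user::rwx", "group::r-x", "other::r--"])
    before = load_nt_acl(f)
    # Out-of-band change, e.g. a local chmod or setfacl that bypasses the server.
    f["posix_acl"] = ["user::rwx", "group::rwx", "other::rwx"]
    after = load_nt_acl(f)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because the record travels with the file, a backup or cluster copy that carries the EA and the POSIX ACL together keeps the check meaningful; a copy that drops either one shows up as out of sync on the next read.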

More information about the samba-technical mailing list