[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

Andrew Bartlett abartlet at samba.org
Fri Sep 7 18:16:23 UTC 2018


On Fri, 2018-09-07 at 14:34 +0200, L.P.H. van Belle via samba-technical 
wrote:
> Hai, 
> 
> Sorry to intrude on this.. But please read my notes. 
> 
> 
> > > 
> > > @Andrew
> > > Please guide if we can find any other way to distinguish between
> > > group SID and individual user SID to get the access control right
> > > with NFS4 ACL plugin. Without this, the plugin is not practically
> > > usable in AD environment. Can we tweak winbind configuration to
> > > return different uid and gid?
> > 
> > You need to assume that a SID can be both a user and a group, if
> > winbind says so.  In that case the user component 'owns' the file (if
> > it is the owner) and the gid is given group rights. 
> > 
> > This also happens in particular for domain admins, which often owns
> > files but is of course a group, for group policy in sysvol.
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This "assumption" of Andrew is in my opinion wrong. 
> I'll explain. 
> 
> I hope he did mean: DOMAIN\Administrators or ( which is the same as ) BUILTIN\Administrators 
> But no DOMAIN\Domain Admins is used on sysvol in "FILE/SHARE" rights. 
> "Domain admins" is a member of the above group BUILTIN\Administrators and inherits its rights. 

For this purpose it doesn't matter.  Neither the group nor the alias
are users, but they need to be able to own files.

In Windows, a group can own a file.

Likewise, a user can be expressed only as a group if it becomes part of
sidHistory due to a domain migration.

At this level, that is the critical point, not the specific group.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
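The point argued above (a SID that winbind maps to both a uid and a gid must be allowed to own a file through its user component while its access entries are granted as group rights) can be modelled as an ACL translation step. This is an added illustration, not code from the nfs4acl_xattr module or from Samba; the idmap table, SIDs and mask values are constructed, and the "BOTH" handling is one reading of the reply quoted above.

```python
# Illustrative model (not the nfs4acl_xattr module's code) of honouring
# "a SID may map to both a uid and a gid": ownership is resolved through the
# uid, access entries for that SID are emitted as group entries via the gid.
from dataclasses import dataclass

ACE4_IDENTIFIER_GROUP = 0x40  # NFSv4 ACE flag (RFC 7530): "who" names a group

# Constructed idmap table standing in for winbind: sid -> (type, uid, gid)
IDMAP = {
    "S-1-5-21-1-1-1-1105": ("UID", 10001, None),    # a plain user
    "S-1-5-21-1-1-1-513":  ("GID", None, 10513),    # Domain Users (group only)
    "S-1-5-21-1-1-1-512":  ("BOTH", 10512, 10512),  # Domain Admins, may own files
    "S-1-5-32-544":        ("BOTH", 10544, 10544),  # BUILTIN\Administrators
}

@dataclass(frozen=True)
class Nfs4Ace:
    ace_type: str  # "ALLOW" or "DENY"
    flags: int     # ACE4_* flags; ACE4_IDENTIFIER_GROUP marks a group "who"
    mask: int      # access mask (constructed values below)
    who: str       # numeric id as a string, as an xattr backend would store it

def resolve_owner(sid):
    """File owner: a BOTH mapping owns through its user component (uid)."""
    kind, uid, _gid = IDMAP[sid]
    if kind == "GID":
        raise ValueError(f"{sid} maps to a group only and cannot own the file")
    return uid

def translate_ace(sid, ace_type, mask):
    """One Windows ACE -> one NFSv4 ACE; GID and BOTH mappings become group ACEs."""
    kind, uid, gid = IDMAP[sid]
    if kind == "UID":
        return Nfs4Ace(ace_type, 0, mask, str(uid))
    # GID or BOTH: grant via the gid so every member of the SID receives the rights
    return Nfs4Ace(ace_type, ACE4_IDENTIFIER_GROUP, mask, str(gid))

def translate_acl(owner_sid, aces):
    """Return (owner_uid, [Nfs4Ace]) for a constructed (owner, ACE list) pair."""
    return resolve_owner(owner_sid), [translate_ace(s, t, m) for s, t, m in aces]

if __name__ == "__main__":
    # Domain Admins owns the file and also appears in the ACL, as on sysvol.
    owner, acl = translate_acl("S-1-5-21-1-1-1-512", [
        ("S-1-5-21-1-1-1-512", "ALLOW", 0x001F01FF),
        ("S-1-5-21-1-1-1-1105", "ALLOW", 0x00120089),
    ])
    print(owner, acl)
```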