[Samba] Full wNT/w2K ACL conformance

José Luis Tallón jltallon at adv-solutions.net
Wed Jun 18 10:27:42 GMT 2003

I hate to reply to myself, but since no one answered ...

>We are planning to replace a quite big domain running W2K with Samba ( at 
>the very least, the DC ).
>Though I'd love to have the extra security capabilities of W2K ( Kerberos 
>) as a DC, Samba/NT4 as PDC/BDC with ldapsam will more than suffice for now.
>The show-stopper right now is this: we need to be able to assign "real" 
>Full Control permissions: a user who has "Full control" on a directory 
>should be able to Read, Write, eXecute ( of course) [ this can be easily 
>achieved with ACLs ]  *plus*  being able to give away Full Control to 
>other users too [ being able to override inherited ACLs would be a plus, 
>too ]. Is this feasible (remember smbd runs as root... )? Has somebody 
>thought about implementing this ?

Seems like every implementation of ACL comes together with Extended 
Attributes support ( at least Ext2/ext3, XFS, ReiserFS ). Any exceptions ?
How about using one EA to map some Windows' attributes ? Full Control, 
Archive ( though it can be emulated through ctime/atime/mtime ), Change 
Only, come in a first pass over this.

>I thought that maybe coding a wrapper around SecLib could achieve this. 
>Being quite fluent in C/C++ both in Un*x as well as Win32 I don't mind 
>coding whatever tool is needed to achieve this, provided it is indeed 
>possible. If not, some suggestions/comments ( or even an approximate 
>timeline for implementation! ) would be more than welcome.

Any comments on this??

>Thanks in advance everybody.
>Keep the good work, Samba Team!
>Kind regards,
>         J.L.