[Samba] Inheritance of ACLs with Samba

Miguel Medalha miguelmedalha at sapo.pt
Mon Dec 1 21:00:15 GMT 2008

>> I can't wait until Samba gets a proper Windows ACL implementation
>> (through the VFS?)
> No, it'll be done by MAGIC elves, which will add meta-data
> and kernel changes to POSIX filesystems to support them
> without *any* kernel code changes.... :-).
Well, in my post I warned that I am not an experienced user of Samba, 
much less a knowledgeable one. I see myself, though, as a reasonable and 
rational person. As such, I can understand things when they are 
explained to me.

Of course, the kernel code changes would be the ideal thing, and frankly 
I don't quite understand why they weren't done yet, after all these 
years. They are lagging at least ten years. Why? Operating system 
religious wars? One of the unnoficial Samba HOWTOs circulating on the 
Net, still updated  to this day, continues to promote a quotation by 
Linus Torvalds in which he blasts Microsoft for the obvious flaws with 
Windows 95 and 98. Come on, people, let's move on! The Open Source world 
should depend less on the criticism of Microsoft and should rely more on 
its own relevance and internal dynamics.

I thought that since Samba sits between the network and the unix kernel, 
there would be a way to do a complete Windows ACL implementation through 
a Virtual File System seen only by Samba and the Windows clients. The 
document by Andrew Tridgell "Towards full NTFS semantics in Samba" also 
seems to point in that direction... The Samba VFS would be responsible 
for keeping the Windows-compatible Access Control Lists, using the 
normal unix permissions on the unix filesystem side. The POSIX ACLs 
would be replaced by a new layer by which Samba would be the sole 

>> and we get done with this POSIX ACL thing (which by
>> the way is not even a ratified standard...).
> Wow, didn't know that ! Could you point me to the
> ratified standard for Windows ACLs please ?
Weren't the POSIX ACL drafts withdrawn before becoming a standard? I 
suppose that they are in use because the drafts contain useful work and 
they are reasonable. Windows ACLs are not a standard either (or are even 
much less of a standard than the POSIX ones) but they are reasonable and 
correspond pretty much to what is required by today's computing needs. 
They became a "de facto" standard. And since Samba is supposed to 
interface unix systems to Windows and serve Windows clients... I am sure 
that many, many unix machines are only used as Samba to Windows servers 
and never receive direct user logon or unix clients.

I saw a bit  of a flame in your answer; please excuse me if I am boring 
with these questions or if I am just showing my ignorance, which perhaps 
I am. If so, just don't bother answering me. But please note that I see 
Samba as a VERY important work, one that the world of computing wouldn't 
do without. I use it, and the more I use it the more I prize it. Do I 
think it cannot be improved? Of course not. Neither do you, I am sure.

On reading this, please bear in mind that I am not a native English 
speaker and it is possible that I don't express myself in the best way.
Thank you for your work with Samba and again for your attention

More information about the samba mailing list