[Samba] Inheritance of ACLs with Samba
jra at samba.org
Mon Dec 1 22:35:41 GMT 2008
On Mon, Dec 01, 2008 at 09:00:15PM +0000, Miguel Medalha wrote:
> I thought that since Samba sits between the network and the unix kernel,
> there would be a way to do a complete Windows ACL implementation through
> a Virtual File System seen only by Samba and the Windows clients. The
> document by Andrew Tridgell "Towards full NTFS semantics in Samba" also
> seems to point in that direction... The Samba VFS would be responsible
> for keeping the Windows-compatible Access Control Lists, using the
> normal unix permissions on the unix filesystem side. The POSIX ACLs
> would be replaced by a new layer by which Samba would be the sole
Sounds great, until you want NFS access as well (everyone does,
you know). Now what ? We have deny ACE's on the Windows side
which are completely ignored by the NFS or local side. Works
for an embedded box only exporting CIFS, not so good for everyone
Kernel support for Windows ACLs would fix this, but few people
in the Linux kernel world want this. You can complain about it, but
there it is.
NFSv4 ACLs are close, and we'll map to them when available, but
NFSv4 ACLs are not Windows ACLs.
> Weren't the POSIX ACL drafts withdrawn before becoming a standard? I
> suppose that they are in use because the drafts contain useful work and
> they are reasonable. Windows ACLs are not a standard either (or are even
> much less of a standard than the POSIX ones) but they are reasonable and
> correspond pretty much to what is required by today's computing needs.
They are familier to admins, nothing more. I would be willing to
bet (good money too :-) that no Windows admin could predict the behavior
as determined by S4 smbtorture of how Windows ACLs *actually* behave.
It surprised the hell out of me :-).
> They became a "de facto" standard. And since Samba is supposed to
> interface unix systems to Windows and serve Windows clients... I am sure
> that many, many unix machines are only used as Samba to Windows servers
> and never receive direct user logon or unix clients.
That may be your scenario, but it isn't everyones. We'll
try and make Samba work well in your particular case, but
not at the cost of messing it up for everyone else.
More information about the samba