[Samba] Inheritance of ACLs with Samba

Miguel Medalha miguelmedalha at sapo.pt
Tue Dec 2 02:36:08 GMT 2008


Jeremy Allison wrote:
> On Mon, Dec 01, 2008 at 09:00:15PM +0000, Miguel Medalha wrote:
>   
>> I thought that since Samba sits between the network and the unix kernel,  
>> there would be a way to do a complete Windows ACL implementation through  
>> a Virtual File System seen only by Samba and the Windows clients. The  
>> document by Andrew Tridgell "Towards full NTFS semantics in Samba" also  
>> seems to point in that direction... The Samba VFS would be responsible  
>> for keeping the Windows-compatible Access Control Lists, using the  
>> normal unix permissions on the unix filesystem side. The POSIX ACLs  
>> would be replaced by a new layer for which Samba would be solely  
>> responsible.
>>     
>
> Sounds great, until you want NFS access as well (everyone does,
> you know). Now what? We have deny ACEs on the Windows side
> which are completely ignored by the NFS or local side. Works
> for an embedded box only exporting CIFS, not so good for everyone
> else.
>   
I understand.

Of course you are the expert here, but nevertheless let me dare to tell 
you this:

I think that such a module, perhaps *as an option* -- even discarding 
NFS -- would appeal to many people and would greatly increase the use of 
Linux servers at many places. After all, wasn't Samba intended to 
connect Windows to *nix from the beginning? "Opening W/w-indows to a 
wider world"? Most people I know use Samba in order to have a Linux 
machine serving Windows clients, not because of NFS.

Then, after all, why not provide different hooks (or would it be 
different daemons?) when using CIFS and NFS concurrently? The unix 
filesystem would remain intact as it is, only viewed from the outside 
would the filesystem look different according to the connected client. 
That would provide both CIFS and NFS semantics, since the Samba daemon 
would sit in the middle translating things to and from the kernel.

Does this make any sense?

Well, thank you again for your patience.
Best regards to you!

