[Samba] POSIX vs. Windows ACLs

Jeremy Allison jra at samba.org
Tue Nov 2 20:14:50 UTC 2021

On Tue, Nov 02, 2021 at 03:00:54PM -0500, Patrick Goetz via samba wrote:
>Thanks, Jeremy; that was extremely informative.
>So thinking out loud a bit. I've been looking at the AGDLP permissions 
>design pattern espoused by many of the Windows AD people. At first I 
>didn't think much of this until I heard someone point out that this is 
>a way to avoid having to mess with your filesystem ACLs, which piqued 
>my interest, as I've spent what I would consider way too much time 
>fine tuning ACLs on multi-user systems with beyond POSIX basic 
>security requirements.
>For the benefit of those not familiar with AGDLP, this stands for
>  A  - Accounts
>  G  - Global Security Groups
>  DL - Domain Local Security Groups
>  P  - Permissions (on resources)
>The idea is that you set up permissions on, let's say, a directory 
>resource for domain local groups, and then never touch them again.
>You then grant/deny access to this folder by moving global groups in 
>and out of the affiliated domain local groups.
>So, it would work like this:
>I have a directory called /data/experiments/
> - One group of users should have only read access
> - Another group should have read and write access
>So I create 2 domain local security groups:  data-experiments-r, and 
>data-experiments-rw and set the appropriate ACLs for these groups on 
>the /data/experiments folder (using POSIX or Windows ACLs).
>Right now bob, alice, ted, and jane should have rw access, and
>bill, steve, sally, frieda, and nick should only have r access.
>So I create a global group called G-pi-grad containing  bob, alice, 
>ted, and jane, and another global group called G-students containing 
>bill, steve, sally, frieda, and nick.
>I then add G-pi-grads to data-experiments-rw and G-students to 
>Let's say right now nick is a student assistant, so shouldn't have 
>write access to experiments. But he graduates and becomes a grad 
>student with his own experiments to run.  No problem, I move nick from  
>G-students to G-pi-grads.
>We start a collaboration with people from another lab, biff, boff, and 
>boof. We'd like to give them read access to the experiments.  No 
>problem, I create another global group called G-baff-lab containing 
>biff, boff, and boof, and then add the G-baff-lab group to the 
>data-experiments-r DL group.  When the collaboration is over, I remove 
>G-baff-lab from data-experiments-r.
>Notice I haven't touched the filesystem ACLs in all of this and don't 
>plan to have to -- ever.
>I think the original intention of this was to make it easier to share 
>resources across domains, although the group types are horribly 
>misnamed. "Global" groups are domain specific, and can only contain 
>users/groups from a particular domain, while "Domain Local" groups can 
>contain Global groups from any domain. Um, what?
>For those in need of the finer granularity offered by Windows ACLs, 
>one could envision creating DL groups for each required combination of 
>ACLs, and perhaps even deny groups because, say, you want everyone in 
>100 member G-labusers group to have write access to /important-stuff 
>except for Jack, because he keeps getting drunk and accidentally 
>deleting files in that folder, so jack would go in the 
>data-experiments-d for deny group, which overrides G-labusers.
>This *seems* like it would get unmanageable fast, but in real life 
>how granular do most admins make these permissions anyway? I daresay 
>that because many admins don't fully understand Windows ACLs, they 
>keep it simple and could likely get by with what would be POSIX basic 
>ACLs in the linux world. Anyone familiar with any small offices where 
>everyone in the office has write access to every file in a giant 
>shared filesystem?  I do. <:)
>Any thoughts on this? My thought is this would allow me to stick to 
>the POSIX ACLs I'm comfortable with and which afford easy ssh-fuse 
>access to linux users at a remote location technically under an 
>unaffiliated domain. To use Windows ACLs on linux, I would need to 
>have each linux machine bound to the domain, and at the moment I'm not 
>sure that's feasible. And since the filesystem ACLs never change, I 
>wouldn't want Windows users messing with them anyway.
>Based on what Jeremy said, I think it should be possible to convert 
>from POSIX ACLs to Windows ACLs at a later date, if things change?

Samba will synthesise Windows ACLs from "raw" POSIX ACLs when
a Windows/Linux SMB2 client requests to read an ACL. So yes,
it's always possible to map from POSIX -> Windows.
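The AGDLP walk-through above (accounts in global groups, global groups nested in domain-local groups, the resource ACL naming only domain-local groups) can be modelled as a small resolver. The following is an added example written for this page, not code from the thread or from Samba; it assumes a simplified model in which global groups hold only accounts, domain-local groups hold only global groups, and an explicit deny entry removes any right it names regardless of what the allow entries grant. The group and user names mirror the thread; the `data-experiments-d` deny group and the `G-clumsy` global group used to place `jack` in it are constructed for the example.

```python
"""Model of AGDLP access resolution (added example, not Samba code)."""
import copy
from collections import deque

# Constructed directory data mirroring the thread's example.
GLOBAL_GROUPS = {
    "G-pi-grads": {"bob", "alice", "ted", "jane"},
    "G-students": {"bill", "steve", "sally", "frieda", "nick"},
    "G-baff-lab": {"biff", "boff", "boof"},
}
DOMAIN_LOCAL_GROUPS = {
    "data-experiments-rw": {"G-pi-grads"},
    "data-experiments-r": {"G-students"},
    "data-experiments-d": set(),  # deny group, empty to start
}
# ACL on /data/experiments: (entry type, domain-local group, rights).
# This list is the part that AGDLP says you set once and never edit again.
RESOURCE_ACL = [
    ("deny", "data-experiments-d", {"write"}),
    ("allow", "data-experiments-rw", {"read", "write"}),
    ("allow", "data-experiments-r", {"read"}),
]


def member_groups(principal, *directories):
    """Transitive closure: every group the principal reaches through nesting."""
    containing = {}
    for directory in directories:
        for group, members in directory.items():
            for member in members:
                containing.setdefault(member, set()).add(group)
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group in containing.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def effective_rights(user, acl, global_groups, domain_local_groups):
    """Union of matching allow entries minus matching deny entries (deny wins)."""
    groups = member_groups(user, global_groups, domain_local_groups)
    allowed, denied = set(), set()
    for kind, group, rights in acl:
        if group in groups:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def check_agdlp(acl, global_groups, domain_local_groups):
    """Report places where the layering is violated (empty list means clean)."""
    problems = []
    for _, group, _ in acl:
        if group not in domain_local_groups:
            problems.append(f"ACL names non-domain-local principal {group!r}")
    for dl_group, members in domain_local_groups.items():
        for member in members:
            if member not in global_groups:
                problems.append(f"{dl_group!r} contains non-global member {member!r}")
    for g_group, members in global_groups.items():
        for member in members:
            if member in global_groups or member in domain_local_groups:
                problems.append(f"global group {g_group!r} nests group {member!r}")
    return problems


def walk_thread_scenario():
    """Replay the membership changes from the thread; RESOURCE_ACL is never touched."""
    gg = copy.deepcopy(GLOBAL_GROUPS)
    dl = copy.deepcopy(DOMAIN_LOCAL_GROUPS)
    out = {"nick_initial": effective_rights("nick", RESOURCE_ACL, gg, dl)}
    # nick graduates: move him between global groups only
    gg["G-students"].discard("nick")
    gg["G-pi-grads"].add("nick")
    out["nick_grad"] = effective_rights("nick", RESOURCE_ACL, gg, dl)
    # collaboration starts: nest the lab's global group into the read DL group
    dl["data-experiments-r"].add("G-baff-lab")
    out["biff_collab"] = effective_rights("biff", RESOURCE_ACL, gg, dl)
    # collaboration ends: un-nest it again
    dl["data-experiments-r"].discard("G-baff-lab")
    out["biff_after"] = effective_rights("biff", RESOURCE_ACL, gg, dl)
    # deny override: jack is a grad but goes into the deny group via G-clumsy
    gg["G-pi-grads"].add("jack")
    gg["G-clumsy"] = {"jack"}
    dl["data-experiments-d"].add("G-clumsy")
    out["jack"] = effective_rights("jack", RESOURCE_ACL, gg, dl)
    out["layering_problems"] = check_agdlp(RESOURCE_ACL, gg, dl)
    return out


if __name__ == "__main__":
    for step, result in walk_thread_scenario().items():
        print(f"{step}: {sorted(result) if isinstance(result, set) else result}")
```

The `check_agdlp` pass is the part worth keeping around in practice: the "never touch the filesystem ACLs again" property only holds as long as nobody puts a user straight into a domain-local group or names a user directly in the ACL, and that drift is easy to spot with a periodic check of the group graph. Real Samba and Windows ACL evaluation is order-sensitive and richer than the allow-minus-deny rule used here.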
