[Samba] POSIX vs. Windows ACLs
jra at samba.org
Tue Nov 2 20:14:50 UTC 2021
On Tue, Nov 02, 2021 at 03:00:54PM -0500, Patrick Goetz via samba wrote:
>Thanks, Jeremy; that was extremely informative.
>So thinking out loud a bit. I've been looking at the AGDLP permissions
>design pattern espoused by many of the Windows AD people. At first I
>didn't think much of this until I heard someone point out that this is
>a way to avoid having to mess with your filesystem ACLs, which piqued
>my interest, as I've spent what I would consider way too much time
>fine tuning ACLs on multi-user systems with beyond POSIX basic
>For the benefit of those not familiar with AGDLP, this stands for
> A - Accounts
> G - Global Security Groups
> DL - Domain Local Security Groups
> P - Permissions (on resources)
>The idea is that you set up permissions on, let's say, a directory
>resource for domain local groups, and then never touch them again.
>You then grant/deny access to this folder by moving global groups in
>and out of the affiliated domain local groups.
>So, it would work like this:
>I have a directory called /data/experiments/
> - One group of users should have only read access
> - Another group should have read and write access
>So I create 2 domain local security groups: data-experiments-r, and
>data-experiments-rw and set the appropriate ACLs for these groups on
>the /data/experiments folder (using POSIX or Windows ACLs).
>Right now bob, alice, ted, and jane should have rw access, and
>bill, steve, sally, frieda, and nick should only have r access.
>So I create a global group called G-pi-grad containing bob, alice,
>ted, and jane, and another global group called G-students containing
>bill, steve, sally, frieda, and nick.
>I then add G-pi-grads to data-experiments-rw and G-students to
>Let's say right now nick is a student assistant, so shouldn't have
>write access to experiments. But he graduates and becomes a grad
>student with his own experiments to run. No problem, I move nick from
>G-students to G-pi-grads.
>We start a collaboration with people from another lab, biff, boff, and
>boof. We'd like to give them read access to the experiments. No
>problem, I create another global group called G-baff-lab containing
>biff, boff, and boof, and then add the G-baff-lab group to the
>data-experiments-r DL group. When the collaboration is over, I remove
>G-baff-lab from data-experiments-r.
>Notice I haven't touched the filesystem ACLs in all of this and don't
>plan to have to -- ever.
>I think the original intention of this was to make it easier to share
>resources across domains, although the group types are horribly
>misnamed. "Global" groups are domain specific, and can only contain
>users/groups from a particular domain, while "Domain Local" groups can
>contain Global groups from any domain. Um, what?
>For those in need of the finer granularity offered by Windows ACLs,
>one could envision creating DL groups for each required combination of
>ACLs, and perhaps even deny groups because, say, you want everyone in
>100 member G-labusers group to have write access to /important-stuff
>except for Jack, because he keeps getting drunk and accidentally
>deleting files in that folder, so jack would go in the
>data-experiments-d for deny group, which overrides G-labusers
>This *seems* like it would get unmanageable fast, but in real life
>how granular do most admins make these permissions anyway? I daresay
>that because many admins don't fully understand Windows ACLs, they
>keep it simple and could likely get by with what would be POSIX basic
>ACLs in the linux world. Anyone familiar with any small offices where
>everyone in the office has write access to every file in a giant
>shared filesystem? I do. <:)
>Any thoughts on this? My thought is this would allow me to stick to
>the POSIX ACLs I'm comfortable with and which afford easy ssh-fuse
>access to linux users at a remote location technically under an
>unaffiliated domain. To use Windows ACLs on linux, I would need to
>have each linux machine bound to the domain, and at the moment I'm not
>sure that's feasible. And since the filesystem ACLs never change, I
>wouldn't want Windows users messing with them anyway.
>Based on what Jeremy said, I think it should be possible to convert
>from POSIX ACLs to Windows ACLs at a later date, if things change?
Samba will synthesise Windows ACLs from "raw" POSIX ACLs when
a Windows/Linux SMB2 client requests to read an ACL. So yes,
it's always possible to map from POSIX -> Windows.
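The AGDLP arrangement Patrick walks through above, modelled in Python as an added example (this is not code from the thread, from Patrick, or from Samba). Users sit in Global groups, Global groups sit in Domain Local groups, and the filesystem ACL names only the Domain Local groups, so every change in the post is a membership change and the ACL on disk is written once. The group and user names are the post's own; `/important-stuff`, `G-labusers`, `labusers-rw`, `important-stuff-deny-w`, `ann` and `jack`'s membership are assumed to illustrate the deny case. Rights are evaluated as union of allows minus union of denies, a simplification of Windows ACE ordering that is enough for group-level entries. One caveat the pattern has to respect: a POSIX.1e ACL stores only grants, so the deny group idea only works once the share is on Windows ACLs; the helper that renders the one-time `setfacl` invocation refuses a resource that needs a deny entry.

```python
import copy
from collections import deque

# Constructed directory for the post's scenario (not real AD data). Each group
# maps to its direct members, which may be users or other groups: the Global
# groups hold users, the Domain Local groups hold Global groups.
GROUPS = {
    "G-pi-grads": {"bob", "alice", "ted", "jane"},
    "G-students": {"bill", "steve", "sally", "frieda", "nick"},
    "G-baff-lab": {"biff", "boff", "boof"},
    "data-experiments-rw": {"G-pi-grads"},
    "data-experiments-r": {"G-students"},
    # Assumed names for the deny example: everyone in the lab may write to
    # /important-stuff except jack, who is in a deny group.
    "G-labusers": {"jack", "ann"},
    "labusers-rw": {"G-labusers"},
    "important-stuff-deny-w": {"jack"},
}

# The resource ACLs name only Domain Local groups and are never edited again.
# "allow" is what a POSIX.1e ACL can hold; "deny" exists only in Windows ACLs.
RESOURCE_ACLS = {
    "/data/experiments": {
        "allow": {"data-experiments-rw": "rwx", "data-experiments-r": "r-x"},
        "deny": {},
    },
    "/important-stuff": {
        "allow": {"labusers-rw": "rwx"},
        "deny": {"important-stuff-deny-w": "-w-"},
    },
}


def transitive_groups(principal, groups):
    """Every group that contains `principal`, directly or through nesting."""
    found = set()
    queue = deque([principal])
    while queue:
        p = queue.popleft()
        for g, members in groups.items():
            if p in members and g not in found:
                found.add(g)
                queue.append(g)
    return found


def _bits(perm):
    return {c for c in perm if c != "-"}


def _render(bits):
    return "".join(c if c in bits else "-" for c in "rwx")


def effective_rights(user, path, groups=GROUPS, acls=RESOURCE_ACLS):
    """Union of matching allow entries minus union of matching deny entries."""
    acl = acls[path]
    mine = transitive_groups(user, groups)
    allowed = set().union(*(_bits(p) for g, p in acl["allow"].items() if g in mine))
    denied = set().union(*(_bits(p) for g, p in acl["deny"].items() if g in mine))
    return _render(allowed - denied)


def move_member(member, src, dst, groups):
    """Re-home a user or group; RESOURCE_ACLS is not touched."""
    groups[src].discard(member)
    groups.setdefault(dst, set()).add(member)


def posix_setfacl_commands(path, acls=RESOURCE_ACLS):
    """The one-time setfacl line for a resource. POSIX ACLs have no deny
    entries, so a resource that needs one is rejected rather than silently
    losing the deny."""
    acl = acls[path]
    if acl["deny"]:
        raise ValueError(f"POSIX ACLs cannot express deny entries: {sorted(acl['deny'])}")
    spec = ",".join(f"g:{g}:{p}" for g, p in sorted(acl["allow"].items()))
    return f"setfacl -m {spec} {path}"


def scenario():
    """Replay the post's membership changes on a copy of GROUPS."""
    g = copy.deepcopy(GROUPS)
    before = effective_rights("nick", "/data/experiments", g)
    move_member("nick", "G-students", "G-pi-grads", g)  # nick graduates
    g["data-experiments-r"].add("G-baff-lab")           # collaboration starts
    during = (effective_rights("nick", "/data/experiments", g),
              effective_rights("biff", "/data/experiments", g))
    g["data-experiments-r"].discard("G-baff-lab")       # collaboration ends
    after = effective_rights("biff", "/data/experiments", g)
    return before, during, after


if __name__ == "__main__":
    print(posix_setfacl_commands("/data/experiments"))
    print(scenario())
    print("jack on /important-stuff:", effective_rights("jack", "/important-stuff"))
```

Running it prints the single `setfacl` line for `/data/experiments`, then nick going from `r-x` to `rwx` and biff from `r-x` back to `---` without the ACL changing, and jack ending up with `r-x` on `/important-stuff` because the deny strips `w` from the group grant. Asking for the `setfacl` line of `/important-stuff` raises, which is the point at which a share like that has to move from POSIX to Windows ACLs.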