NT ACL / Security descriptor checking function
Cole, Timothy D.
timothy_d_cole at md.northgrum.com
Tue Feb 15 16:28:32 GMT 2000
> -----Original Message-----
> From: Michael Stockman [SMTP:pgmtekn-micke at algonet.se]
> Sent: Thursday, February 10, 2000 20:27
> To: Multiple recipients of list SAMBA-TECHNICAL
> Subject: Re: NT ACL / Security descriptor checking function
>
> Is RID really the way to go??? Access checks in samba have so far been
> POSIX, RID would break this (and create vast amounts of headache when
> samba can properly understand the difference between local accounts
> and remote accounts, unless RID means SID).
>
> I think we should create our ACL implementation aiming on (future?)
> file support too (one ACL support for all ACLs) and thus have an
> internal POSIX based ACL which can map both UNIX ACLs and NT ACLs.
>
> Yes, I'm aware that doing it properly will take some time, but if you
> count two days for a hack and two years for someone to get round to a
> proper implementation that meets all requirements, which is the
> longest?
>
Honestly, I think it's best to use NT ACLs for NT-specific
interfaces (most of TNG, the rpc stuff certainly, NT setacl SMBs), and then
have a generic ACL facility (abstracting native ACLs) for non-NT specific
areas. Otherwise, you end up translating ACLs needlessly, and it's lossy,
too.

The generic ACL facility (plus NT mapping) is something I've been
doing work on here, I just need to get an OK to release it. The SID<->posix
id mapping stuff I've been doing on my own time.

The one big gap remaining is what luke needs here -- APIs to check
and manipulate NT ACLs.