NT ACL code

ZINKEVICIUS,MATT (HP-Loveland,ex1) matt_zinkevicius at hp.com
Wed Oct 3 13:43:03 GMT 2001


There was some traffic on samba-tech lately about the status of my (or
rather HP's) NT ACL code for samba, so I'll try to shed some light on it.

The code as it currently exists provides:
- Storage of NT security descriptors and DOS attributes in a TDB
(configurable per share)
- Performs permission mapping between NT<->UNIX permissions
- Attempts to mimic (mostly undocumented) NT security semantics all the way
down to the access rights. Samba's current NT ACL code just translates them
to UNIX perms or POSIX ACLs, and then uses UNIX semantics to gate file
access. This code is still experimental and has known limitations. Currently
this is implemented at samba's VFS layer, but as I have discussed with
Jeremy, there really needs to be a SMB-level VFS as well which would solve
all of the current limitations.
- Full auto-propagation (aka Win2K style) inheritance support, including
generic SIDs.
- Command line tool to modify ACLs and facilitate backups.

I am currently working on adding:
- Pluggable backend for different methods of storing NT security data.
     - TDB database module (Requires a daemon to guard against certain race
conditions)
     - Linux XFS extended attributes module
     - Linux ext2/ext3 extended attributes module
- New and improved method of propagating inheritance (Much much faster than
NT!)
- Possibly move security enforcement from VFS to actual nttrans/reply calls.

The old code will not be released publicly (don't blame me). And before
you ask Jeremy, it was never released in a product :-) The code I'm
currently working on will be released publicly once finished. ETA of 4-8
weeks.

Matt Zinkevicius
Network Storage Array Solutions
Hewlett-Packard
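As an added example (not HP's or Samba's code), here is a model of the Win2K-style ACE auto-propagation and generic-SID substitution the post lists as features, using the documented ACE_HEADER flag values and well-known CREATOR OWNER / CREATOR GROUP SIDs. The propagation rules are a simplified reading of the NT inheritance rules, and every SID and mask in the usage below is constructed.

```python
from dataclasses import dataclass

# Real ACE_HEADER AceFlags values from the Windows SDK.
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
NO_PROPAGATE_INHERIT_ACE = 0x04
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10
OI_CI = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE

# Well-known generic SIDs, replaced by the creator's owner/group SID on propagation.
CREATOR_SIDS = {"S-1-3-0": "owner", "S-1-3-1": "group"}


@dataclass(frozen=True)
class Ace:
    kind: str   # "ALLOW" or "DENY"
    sid: str    # string SID
    mask: int   # access mask
    flags: int  # AceFlags


def inherit(parent_dacl, child_is_dir, owner_sid, group_sid):
    """Return the inherited ACEs for a new child of a directory carrying parent_dacl."""
    concrete = {"owner": owner_sid, "group": group_sid}
    out = []
    for ace in parent_dacl:
        oi = bool(ace.flags & OBJECT_INHERIT_ACE)
        ci = bool(ace.flags & CONTAINER_INHERIT_ACE)
        np_ = bool(ace.flags & NO_PROPAGATE_INHERIT_ACE)
        role = CREATOR_SIDS.get(ace.sid)
        if not child_is_dir:
            if oi:  # files get an effective copy with all inheritance bits cleared
                out.append(Ace(ace.kind, concrete.get(role, ace.sid), ace.mask, INHERITED_ACE))
            continue
        if not ci and (not oi or np_):
            continue  # nothing applies here and nothing can be passed further down
        # Subdirectory: CI makes the ACE effective here; OI-only keeps it inherit-only
        # so it can still reach files below. NO_PROPAGATE strips the inheritance bits.
        flags = INHERITED_ACE | (0 if np_ else ace.flags & OI_CI)
        if not ci:
            flags |= INHERIT_ONLY_ACE
        if role and ci:
            # Effective copy gets the concrete SID; a second, inherit-only copy keeps
            # the generic SID so grandchildren resolve it to *their* creator.
            out.append(Ace(ace.kind, concrete[role], ace.mask, INHERITED_ACE))
            if flags & OI_CI:
                out.append(Ace(ace.kind, ace.sid, ace.mask, flags | INHERIT_ONLY_ACE))
        else:
            out.append(Ace(ace.kind, ace.sid, ace.mask, flags))
    return out
```

Call `inherit(parent_dacl, True, owner, group)` for a new subdirectory and `inherit(parent_dacl, False, owner, group)` for a new file; an inherit-only CREATOR OWNER ACE yields an effective owner ACE plus a generic copy on directories and only the effective copy on files.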
