TrustedBSD Supports Windows NT ACLs With Samba

Anonymous Coward writes "Chris Faulhaber, one of the TrustedBSD developers, announced on the trustedbsd-discuss mailing list that Samba's POSIX.1e ACL support is now working on FreeBSD 5.0-CURRENT, and even has a screen shot. This has been a high-demand feature, apparently, and could be a big selling point for sites currently running Windows NT as their enterprise operating system.

Date: Tue, 24 Apr 2001 19:17:52 -0400
From: Chris Faulhaber <jedgar@fxp.org>
To: trustedbsd-discuss@TrustedBSD.org
Subject: Native ACL support for Samba

With the release of Samba 2.2.0, samba offers ACL support to remote clients. I just committed the changes to the FreeBSD CVS tree required to allow Samba to access the FreeBSD ACLs. With an updated -current system and samba-devel port (define WITH_ACL_SUPPORT), Windows NT 4.0 and 2000 clients can now remotely manipulate ACLs. Testing and comments are appreciated.

In addition, the ACL utilities, getfacl and setfacl, have been updated to fully make use of the ACL editing library. They should compile on most ACL-enabled systems (tested on Linux + ACL patches) with little or no change."

ACLs on Linux?

What's the state of ACL support with Linux? I heard that they were kinda-supported in 2.2 but not stored in the file system - what's it like with 2.4, and can Samba use them?

Is this a first for TrustedBSD, or can you get the same ACL support with Solaris, Linux or other 'nixes?

Re:Just what the doctor ordered...

The problem with the NetApp implementation is that if you change the unix perms it blows away the set NT perms. The solution I coded for Samba maps the NT perms into POSIX ACLs so the two co-exist.

Of course the NetApp solution gives full NT ACL semantics, whereas the Samba solution doesn't, but I think the Samba solution gives better UNIX/NT integration.

Also I don't know any NT admins who understand the full NT ACL semantics :-) :-).

Cheers,

Jeremy Allison,
Samba Team.

Re:Is it really good?

> In my experience, most users of NT-based systems do not use ACLs

Correct, admins use them, and when done properly, the users never know differently. Users still have uses for ACL's too, and it's really this simple, a question I got at least once a week when doing support for Sun: how to share some files of yours with a co-worker so he can read them but not change them, and with another co-worker that can read and write them (or some other combination of accesses). Answer: set up an ACL (no, we do not create groups every time there's a request for this kind of sharing). Thankfully dtfm could do one thing right, and that was manage ACL's with slightly less pain than manually using setfacl.
--

Mirror of screen shot available

at my site [johncglass.com]. Be sure to look around! I need a new job - see if you can offer me one. [johncglass.com]

Re:ACLs in NT

Does anyone actually bother to use them?

I don't use them on my home machines, but I often wish I had - and that is with two users, both of whom know the root password.

When I did sysadmin type stuff I used them extensively.

NT ACLs are very usefull since if you run IIS the file permissions map right through to the web server.

I agree however with a point raised by Butler Lampson several times, ACLs are a pain to manage they should not apply to files. Instead individual users should be allowed to define named access policies via an ACL and then apply the policy to the file.

What this would mean is that if you decide to kick Alice off the system you can revoke all her ACLs at one time, or if you decide to give her special privs you can do it all in one.