Steve French <smfrench@xxxxxxxxx> writes:
> Where I would like to get to is that we focus strongly on only the
> first two common use cases:
> 1) "client focused perm checks" - get/set mode from special SID
> (server permission checks are not important in this case)
> 2) "server focused perm checks" - get/set the three ACEs
> (user-owner/group-owner/EVERYONE) in the ACL

The 2) part is not really documented and is more complex than it
seems. We know how the SIDs are created but not the actual ACL/ACE for
each SID.

I've almost completely reverse engineered it (except for the one
bit). I've documented it all here:

https://github.com/aaptel/nfs-acl-test

There is one permission -- the S (SYNCHRONIZE) flag -- which doesn't seem
to be consistent in how it is granted/denied. But its purpose is not
clear on files/dir so it's probably irrelevant: we just need to
reimplement the unix_to_acl() func that I wrote.

I've contacted dochelp regarding this, and here is what they have to say
(note "UUUA" is Unmapped UNIX User Access):

> I have been combing the source and could not find where a mapping is done yet for the mode
> you are asking about.
>
> ...
>
> After conferring with our NFS experts, the key perspective that I’d like to share is that
> we do document (outside of the protocol documents) that UUUA is intended for an end-to-end
> NFS-only access.
> The UUUA mode is intended for use when the Windows NFS Server is the only accessor to the
> files. We make no statements as to the behavior of any other accessor or how they
> can/should decode the DACL.
> We do not expect a client to ever come across the NFS specific DACL in a well configured
> system.
> With that perspective, we had some archived content which describes some “Mapping of NFS
> Mode Bits to Windows ACL”. To understand part of what Windows does under the hood, you
> may find it useful to consult the obsoleted [MS-FSSO] which is under Windows Protocols
> Archive Documents. Keep in mind that archived documents are for “convenience” only. We do
> not answer questions or service those types of documents.
> [MS-FSSO]: File Access Services System Overview
> https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/WinArchive/%5bMS-FSSO%5d.pdf

Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 21284 (AG Nürnberg)