Slashdot Mirror
TrustedBSD Supports Windows NT ACLs With Samba
Anonymous Coward writes "Chris Faulhaber, one of the TrustedBSD developers,
announced on the trustedbsd-discuss mailing list that Samba's
POSIX.1e ACL support is now
working on FreeBSD 5.0-CURRENT, and even has a
screen shot.
This has been a high-demand feature, apparently, and could be a big
selling point for sites currently running Windows NT as their
enterprise operating system.
Date: Tue, 24 Apr 2001 19:17:52 -0400
From: Chris Faulhaber <jedgar@fxp.org>
To: trustedbsd-discuss@TrustedBSD.org
Subject: Native ACL support for Samba
With the release of Samba 2.2.0, samba offers ACL support to remote clients. I just committed the changes to the FreeBSD CVS tree required to allow Samba to access the FreeBSD ACLs. With an updated -current system and samba-devel port (define WITH_ACL_SUPPORT), Windows NT 4.0 and 2000 clients can now remotely manipulate ACLs. Testing and comments are appreciated.
In addition, the ACL utilities, getfacl and setfacl, have been updated to fully make use of the ACL editing library. They should compile on most ACL-enabled systems (tested on Linux + ACL patches) with little or no change."
How ironic -- in a story about TrustedBSD, you post your resume in M$ DOC format ;). Kidding aside, I'm also looking for a new job, in Web Development.
Alex Bischoff
---
Alex Bischoff
HTML/CSS coder for hire
+1 Insightful?
I don't even know what he's talking about with the anti-american stuff.
+1 Insightful
Metamod to the rescue!
Down that path lies madness. On the other hand, the road to hell is paved with melting snowballs.
I read the internet for the articles.
The VNC server for Windows is inefficient because it scans the screen for changes rather than working as a display driver and intercepting graphics calls. The original author (hi Tim) couldn't find a way to make it work as a driver in the limited time available to him.
btw, unix file control is a bit too broad without ACLs, at least in a fileservice role. ACLs are too complicated and annoying in dedicated roles (like webservice, DB, bastion host, etc) but for fileservers they're really handy.
:p)
I'd like to see even more options ala VMS or Novell, with read, write, execute, delete, modify, etc.. As an add-on of course, though an open-standard add-on (which is a big problem with ACLs: they're not standard yet
Your Working Boy,
- Otis (GAIM: OtisWild)
What's the state of ACL support with Linux? I heard that they were kinda-supported in 2.2 but not stored in the file system - what's it like with 2.4, and can Samba use them?
Is this a first for TrustedBSD, or can you get the same ACL support with Solaris, Linux or other 'nixes?
-- Ed Avis ed@membled.com
Ummm, correct me if I am wrong, but Linux was created my a non-American, and many many of Linux developers are non-American. Its the same thing on the BSD side as on any other open source OS. Its kinda dumb for a so called expert to have these feelings towards BSD for this reason but not towards other open source OSs and especally not towards closed source OSs. If you want to look for backdoors, the source is right there. If you think that someone has snuck backdoors into code that hundreds of people look at, you are kidding yourself. You should be more worried about those closed source OSs and programs which in the past have had backdoors. OpenBSD has been auditied to a great degree, which is more then what I can say for the Linux distributions or NT. I guess you are risking your income anyways recommending Linux or any piece of software that could have backdoors or simply security holes.
Matt
Why, could you back up your claim? What do you use instead of Samba on your company's unix box? I am guessing that you have never tried the BSDs and are a Linux newbie user or Windows 98 user. I guess that is all we can expect from an Anonymous Coward.
Does anyone actually bother to use them?
They are a pain to manage.
The problem with the NetApp implementation is that if you change the unix perms it blows away the set NT perms. The solution I coded for Samba maps the NT perms into POSIX ACLs so the two co-exist.
:-) :-).
Of course the NetApp solution gives full NT ACL semantics, whereas the Samba solution doesn't, but I think the Samba solution gives better UNIX/NT integration.
Also I don't know any NT admins who understand the full NT ACL semantics
Cheers,
Jeremy Allison,
Samba Team.
> In my experience, most users of NT-based systems do not use ACLs
Correct, admins use them, and when done properly, the users never know differently. Users still have uses for ACL's too, and it's really this simple, a question I got at least once a week when doing support for Sun: how to share some files of yours with a co-worker so he can read them but not change them, and with another co-worker that can read and write them (or some other combination of accesses). Answer: set up an ACL (no, we do not create groups every time there's a request for this kind of sharing). Thankfully dtfm could do one thing right, and that was manage ACL's with slightly less pain than manually using setfacl.
--
I've finally had it: until slashdot gets article moderation, I am not coming back.
My totally uninformed and madly speculative opinion is that it's like the POSIX layer in Windows NT - no one ever uses it, but it was added to achieve sufficient buzzword compliancy and allow sales to organizations which required support for that particular standard even if they didn't use it. I'm not saying that was the sole motivation behind this development, but it didn't hurt :)
Your right to not believe: Americans United for Separation of Church and
It looks to me like NT 4.0 with either the Plus Pack installed or IE 4 w/Active Desktop, or both. Or, it could be a very early (read "smuggled") build of NT 5.0. They had NT 5 on display at ITEC in early 1998, and it looked like that, with the Win98/Plus Pack "sexy" icons.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
this space intentionally left blank (oops)
If you have that many WindowsNT/2k file servers maybe you should be looking at something like a NetApp, rather than something like turning thme into a bunch of Linux boxes.
Samba has offered working as a PDC and offering Login-into-domain functionality (tested by me on Win95 / Win98 boxes) for ages. This is what defines what Unix user you create files as on the Samba share etc. and accordingly your permissions.
Did you read the story, you know the words at the top of the page? This story is about Samba using TrustedBSD's ACLs. Linus' Linux doesn't even support ACLs without flaky, third-party patches. The Extended Attributes and Access Control Lists for Linux FAQ says:
Q10 When will Posix ACLs be part of the kernel?
There are multiple steps to getting ACLs into the kernel. The first step, which we are heavily debating on the mailing lists right now, is how to design the system call interface for extended attributes and ACLs. The next step will be to include the extended attribute code into the kernel, or create even better extended attribute code for that purpose. Then, on top of that, we can include ACLs for the ext2 and ext3 filesystems. Other filesystems such as XFS be able to support ACLs directly, without needing extended attributes.
cpeterso
Sorry everyone but I don't have the bandwidth to serve the ACL screenshot to the world (was not expecting to be slashdotted :/). Mirrors welcome, though.
NT 4.0 sp6
If it's just file server space you're talking about, maybe you should consider something like a NetApp Filer. Native support for both NT ACLs and unix-type security as well, and you can get something like a terrabyte in a rack.
Some people may be seen as anti-american, just because some of you guys are so america-centric. That's always been a source of various reactions in the other country of the world (remember, the US is not the main part of the world ;) ).
Maybe they are simply america-independant people, don't you think so ?
Maybe you would think that they are pro-communist people, because you would like to (even if it's a non-sense to categorize people just by their political group).
Maybe the truth is that they don't care at all about such consideration... maybe they just want to develop their OS, with people motivated to participate, regardless of their country of origin or politic feeling.
If a russia OS was ever given to you with full source code, and if it was far better that any other OS known to the US. Would you even consider it?
Don't base your judgement on political/geographical propaganda.
You are a tech guy, that's your job. Look at the technical merits of the OS. If you want to, audit the products, or ask an american security auditing companie to do so. Every one would benefit.
Do you know that some major american-grown products did have backdoors (Interbase comes first to my mind)? what does this inspire you?
The solution to the problem is to tell the authors (which he did) that they messed up a tag. "Better" browsers don't automatically correct mistakes so that the author doesn't continue to produce those mistakes. Otherwise there is no consistency as to how -correct- HTML is rendered.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
I hope someone closes the italics tag kind of quickly, because it's tiring to read all of Slashdot with emphasis.
READ MORE! 289 of 500 comments, dammit!
Cheers,
levine
Interesting since for me Netscape 4.x was rendering it properly and IE (what ever is included in WindowsME) was showing it all in italics !
Actually, I did get one job offer largely because my resume was in a non-standard format. The Lead Software Architect recognized that my PDF resume was a TeX document. Little things that catch the attention of those literate in such matters CAN make a difference.
The solution to your problems is to avoid using Netscape 4.x
I'm sure that this doesn't matter to you, but it occasionally happens under Mozilla too.
Better browsers end text formatting at the end of a block element such as a table.
Is that part of the standard? I thought it was just discouraged to span formatting tags across tables, not banned.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
I don't have a clue how to reproduce it. I'm convinced it's a bug in the Slash code somewhere. I've seen it disappear upon reloading the page, so you'll just have to hit Slashdot enough times for it to reappear. I've only seen it once about a week ago and today, and I hit Slashdot's main page about 10+ times over the course of a workday.
If it's incorrect behavior as you say, then it's probably a Mozilla bug too, but trying to squeeze it out of Slashdot might be hard.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Well, despite what others here think, .DOC files (95 or 97) are perfectly acceptable. You might want to consider adding an .RTF and a .TXT version.
.DOC files. (Especially now that many companies are very wary of macros and VB Scipt.)
There are several companies that accept only text resumes via e-mail, as they are automatically 47/*filtered, filed, sorted, etc. which isn't easy with Word
--
Charles E. Hill
Learning HOW to think is more important than learning WHAT to think.
Why is everthing on the front page in italics, even the "Read more X out of X comments" section??
...and I'm not sure we should trust this Kyle Sagan either.
...and, of course, snapshots are also supported by FreeBSD.
(8-DCS)
That's not VMware my friend, that is VNC. I bet he's running Windows NT on either his in machine under VMware and then using VNC to get to it, or running it on a remote machine.
In my experiance, displaying WinNT under VNC is slow... but VNC isn't known for it's speed.
VMware + VNC = very slow, but still useful
What *ARE* you Talking about ?
I'm not going to risk my income by setting up a *BSD server with a fortune 500 company only to find out later that the system has back doors in it which allow the foreign BSD developers to access their critical data
Of course, you would rather have American Corporations put the back doors in. They have much more interest in critical data than foreign hackers do anyways; and, as an added bonus, they could give the back doors to the Feds, so that when the SEC is investigating them for insider trading, they don't even have to LOOK for the evidence.
I want to know if any outside and independant people have auditied the code
I want to know if any outside and independant people have audited Windows, Solaris, or AIX and why you think that M$ Sun and IBM have motives any more pure that of "foreign BSD Developers"; Oh Yeah, corporate closed-source OS'es can't be audited, so we'll never know. Open Source OS'es have source code; if anyone ever found an intentional back-door in an Open source OS that system would be DOOMED.
One More thing, out of which orifice did you pull these uninformed opinions ?
-- Rich
Free your mind and your Ass will follow -- George Clinton
I use FreeBSD, so don't let other know what I am about to say. :)
I believe NetBSD would support all of those hardware platforms you mentioned. Unfortunately, I do not believe it has support in Samba concerning ACL's, but I do not know for certain. Check out Samba to see what OS's it supports ACL's.
FreeBSD is mainly an x86 OS with some support for a couple of other platforms.
Not to say that ACLs don't have their own problems, especially wrt to complexity. NT, for example, allows permissions on file/print shares, and those are often used instead of ACLs.
Actually, NT uses thw following method to determialternative ne your access:
1. Work out the greatest amount of privilege you have through ACLs
2. Work out the greatest amount of privilege you have through shares
3. The final privilege is the most restrictive of the two above
Complex huh? But we don't have to emulate the share/ACL combo on Linux. We do, however, need a system which allows for basic, realistic, access control situations:
* Some word processor templates are stored on a server
* A group of users edit these templates
* Another group of users can only read these templates
* All other users may not view these templates at all, as they contain business sensitive information.
A simple case found frequently in many offices. But not currently handled by RWX permissions at all, which are, in essence (and excuse the French) fucking pathetic.
Thank God the Linux ACL project is going to be one of the first Linux Security Module's for the 2.4 kernel. Thankyou SGI and everyone else making this a reality. With any luck, Linux will have a permission system that doesn't suck RSN.
Not to say that ACLs don't have their own problems, especially wrt to complexity. NT, for example, allows permissions on file/print shares, and those are often used instead of ACLs.
Actually, NT uses thw following method to determialternative ne your access:
1. Work out the greatest amount of privilege you have through ACLs
2. Work out the greatest amount of privilege you have through shares
3. The final privilege is the most restrictive of the two above
Complex huh? But we don't have to emulate the share/ACL combo on Linux. We do, however, need a system which allows for basic, realistic, access control situations:
* Some word processor templates are stored on a server
* A group of users edit these templates
* Another group of users can only read these templates
* All other users may not view these templates at all, as they contain business sensitive information.
A simple case found frequently in many offices. But not currently handled by RWX permissions at all, which are, in essence (and excuse the French) fucking pathetic.
Thank God the Linux ACL project is going to be one of the first Linux Security Module's for the 2.4 kernel. Thankyou SGI and everyone else making this a reality. With any luck, Linux will have a permission system that doesn't suck RSN.
The bottom line is: ACL's are great and wonderful and all that. Force them on every file in the system however, and you're looking for big trouble and even bigger headaches.
Why? A single line ACL is less complex than 3 sets of rwxs bits. It seems to me ACLs are as complex as you want them to be.
Standard NT 4.0
The icons are the high color icons available in Start -> Control Panel -> Display -> Effects, in the check box marked `show icons using all possible colors'.
Please note: this is not a flame, just an honest question.
While adding functions to Open-Source system is certainly the whole point of FreeBSD, Linux, etc... I can't help but wonder why this particular function is interesting.
In my experience, most users of NT-based systems do not use ACLs and never bother to set them correctly (if at all). Keeping those (unset) ACLs on a Samba-based BSD server therefore seems like a waste of time... =(
Therefore, having Samba-based ACLs on a *BSD system seems to me totally uninteresting, except if, like a previous poster has remarked, you need some sort of TLA buzzword (Posix-compliant ACLs! Wow!) for your clueless PHB.
Could anyone please explain the interest of such a thing? Many thanks in advance...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Linux was created in Finland, yes. Though the largest distributors are based in the US. (RedHat, for example) BSD stands for Berkeley Software Development, and came from Berkeley California, USA. The OpenBSD project is based in Canada at least in part because the US Crypto laws are so stupid.
I agree with the rest of your assessment though. Ruling out Open Source on the usual corporate-think grounds is pointless.
Never attribute to malice what can as easily be the result of incompetence...
The only thing that has changed now is that the FreeBSD ACL's are used by Samba, so that the ACL's that Windows security uses can be provided via a Samba server running on FreeBSD.
This might satisfy those people who want to replace their NT fileservers with UNIX/Samba fileservers, but who absolutely demand ACL's.
I mean, if you can read the page the link is on, then you can read the resume as well. Sounds like a good idea to me.
there is no thing
what else could you want?
--
--
E2 IN2 IE?
This has been one reason my employer keeps arguing against linux fileservers,
:-)
Except that:
1) it is FreeBSD. (Now you may have said "Open Source OS" and it was heard as "linux" by others
2) it is in CURRENT.
Somedays CURRENT works, other days not. Using current on a business critical system is life on the edge. More power to you if you live there.
If it was said on slashdot, it MUST be true!
With our current hardware, linux *could* run on all the machines
If its an X86 machine with mainstream hardware, yes it should.
If it was said on slashdot, it MUST be true!
No, Netscape only displays what the webpage designer told it to display. If the webpage designer can't close off what he wants in italics with the tag then of course the whole page is shown in italics. What we need is better web designers not slask-assed gits who program for IE and it's slack attitude towards HTML. Even Opera displays it all in Italics. If web page designers could write webpages properly instead of expecting the browser to know exactly what you want. Then we'll all see this kind of incompatibility.
LOAD ".SIG"
PRESS PLAY ON TAPE
I tend to group BSD and Linux people togeather (despite the fact that many would strongly protest that) because they are the same basic type of people - out to create a good free software system and willing to get into the guts of a computer to do it. Despite being a Linux person, I will quite readily work with BSD. So you are correct, but that's how I was thinking. My apologies.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
Either FreeBSD or Linux would make suitable replacements for Win2K/NT file servers in this respect.
*sniff* *sniff*
There be trolls here. But given the fact there are gullible people who will buy into the conspiracy you push...
First, take a look at:
http://www.openbsd.org/goals.htmlWhere you see how many developers of OpenBSD are in the "American" sector.
Next, take a look at:
http://www.openbsd.org/users.htmlhttp://www.netbsd.org/gallery/sites.html
http://dmoz.org/Computers/Software/Operating_Syst
BTW, what outside independent group has reviewed M$ code, or DEC code, or Sun code, or AIX code...
I suppose you don't consult to the feds, since they use xbsd (DOJ uses OpenBSD).
As an expert on operating systems, you should be aware that the common commercial vendors are full of bugs and security holes. By telling your customers that they are safe because they are using American/commercial products, you are doing them a disservice.
How could you trust the agenda of an outside independent code review. After all, they might be just as anti-American!
I truly hope you make it as an anti-xbsd consultant. Good luck.
"Population 1,656"
reply - fixed now~
/. is a commercial entity. goto slashdot.com
/. is a commercial entity. goto slashdot.com
Exactly what version of Windows NT are they running in that VMWare screenshot? Those icons look like very early 4.0.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
This is by far one of the best trolls I have ever seen, try following the link to wagnerconsulting.com. The usa.com is a freebee mail or fake (I remember another troll who used usa.com and my favorite bgates@hell.com).
Unfortunately the expert gave himself away early on with the non US crap and later again with the auditing - I think the auditing remark was intentional, in any case, a very creative little troll.
acl.shot.jpg screenshot of NT (in vmware, via VNC (from a laptop)) using Samba+ACL's under FreeBSD Removed due to lack of bandwidth
Dodge this !! --Trinity, The Matrix
A friend of mine once tore his ACL playing football. The doctor told him that it was just a sprained MCL and that it felt tender near the ACL. He had surgery and was on crutches for a while. He recently tore some cartiledge in that knee too. Such is mango :-)
Fruit flies like bananas... Time flies like the wind...
My whole front page is in itallics...
Ok. I don't know if you're serious or not. I suspect not, but I can't ignore such an absurd comment.
Anti-american?! Are you sure that your name isn't McCarthy? What a load of drivel. Even if this were the case, then surely this should only be an issue when recommending systems to the US government, not privately held companies/corporations?
Arguably, the US govt has made things a little difficult for any OS (open-source or not) with the crypto regulations, and this does affect secure OSes more than others. This is why ISTR OpenBSD is based in Canada.
The reason why BSD is released under such a liberal licence is that they want high quality code. This is why some/all of the BSD network stack made its' way into the Windows NT/2k networking stack. Perhaps you advise that your clients avoid MS products, too? I know I would, but, I suspect, for different reasons. (grin)
I cannot understand why some people have such an absurd distrust of others based on their nationality and/or political views.
And if you're that concerned about conspiracies and smokescreens, either see a psychiatrist or look at the code yourself.
GAAAAAAAAAAAH I can't believe, what a moron. Just because some people are "anti-american" (just because they CRITICIZE the things they don't like instead of just saying "Hey, it's USA, I love USA, look, I have no brain, I can't think by myself!"
-
Linux was created by a non-american guy. OOoooooh, I guess Linus Torvalds made a backdoor to take control of USA satellites and missiles, because he is "anti-american".
Let's face it. That argument was REALLY stupid.
-----------------------------------------------
You think Bill Gates is evil?
I'm the network admin of a midsized govt organization and use NT ACLs extensively. This is just the kind of thing I need as a critical technology to help with my divorce/exit strategy from Microsoft. As soon as I'm comfortable with running FreeBSD 5.x-CURRENT (yeah a development release) in a production environment. I'm going to switch and never look back. I once had a FreeBSD machine (2.6) up for over a year without a reboot, so I know how good of a Unix it really is.... I'm just a bit skittish to be an early adoptor of 5.x just yet.
but really I have been arguing for an open source OS (to run practically all the machines in the server room- would make alotta things easier, right now we have: HPUX, Solaris Sparc, Solaris x86, WinNT, Win2k, etc...)
Most people let the OS choice be driven by what the server is running, not the other way round (within certain parameters). Don't base a decision on blind religous open source reasons. If you can't come up with good reasons to change, don't.
hehehe..... was wonderin when someone would have a good comeback to that stupid "*BSD is dying" troll. =)
--
Tres_Status
stephen
This has been one reason my employer keeps arguing against linux fileservers, the lack of support for win2k acls.. maybe now they will think again (or come up with another argument?)
Does anyone have any other good points (besides the obvious) for a university to switch from running windows2k/NT on its fileservers? Right now, we have nearly 20 boxes in the machine room running winNT/2k, seems like there are too many machines. What about things like win2k logons/remote access? Is there a way to manage this under linux/bsd?
Going to the directory of that link you see... acl.shot.jpg screenshot of NT (in vmware, via VNC (from a laptop)) using Samba+ACL's under FreeBSD Removed due to lack of bandwidth
I'm curious to know if there are similar projects being worked on for Linux, and if OpenBSD will eventually pick up the TrustedBSD work?
--
Keep attacking good things as "communist"
KMSMA (WWBD?)
And I thought you get enough BSDs on Windoze even without the official FreeBlueScreenofDeath `service pack'.
--
--
The Cap is nigh. Time to get a fresh new account.