Mail Archives: cygwin-developers/2000/03/12/17:15:22

Mailing-List: contact cygwin-developers-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT sourceware DOT cygnus DOT com>
List-Archive: <http://sourceware.cygnus.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT sourceware DOT cygnus DOT com>
List-Help: <mailto:cygwin-developers-help AT sourceware DOT cygnus DOT com>, <http://sourceware.cygnus.com/ml/#faqs>
Sender: cygwin-developers-owner AT sourceware DOT cygnus DOT com
Delivered-To: mailing list cygwin-developers AT sourceware DOT cygnus DOT com
Message-ID: <38CC1618.2AE87911@vinschen.de>
Date: Sun, 12 Mar 2000 23:11:36 +0100
From: Corinna Vinschen <corinna AT vinschen DOT de>
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: de,en
MIME-Version: 1.0
To: Jeremy Allison <jra AT samba DOT org>
CC: cygwin-developers AT sourceware DOT cygnus DOT com
Subject: Re: Alternate symlink usage
References: <20000311115929 DOT A13893 AT cygnus DOT com>

Chris Faylor wrote:
> 
> Corinna,
> Is it possible that we could use the NTSEC stuff to store information
> about whether a file is a symbolic link?  I talked to Jeremy Allison
> at Linux Expo and he said that he was doing lots of stuff with security
> type information for samba so if we could do this we might be able to
> have symbolic links on UNIX network drives.
> 
> Is this possible?
> 
> cgf

Hi Jeremy,

my name is Corinna, I have designed the usage of NT security
in cygwin, called NTSEC. If you are interested, I would like to
discuss the possibilities to support NTSEC with samba drives.
The additional ability to support symbolic links would be very
interesting, too.

To give a short introduction (and to start the discussion) I
will describe the used methods of NTSEC in short:

- On each file related function, the full windows path is
  determined and used for calling GetVolumeInformation().
  Only files on file systems which have the FS_PERSISTENT_ACLS
  flag set are possible in NTSEC calls.

- To read security descriptors, the following functions are used:

    CreateFile(..., FILE_FLAG_BACKUP_SEMANTICS, ...);
    BackupRead();

- To write security descriptors:

    CreateFile(..., FILE_FLAG_BACKUP_SEMANTICS, ...);
    BackupWrite();
    
My latest checks with samba (version 2.0.6-16) have
given the following results in a domainless environment:

- GetVolumeInformation results in FS_PERSISTENT_ACLS == TRUE.

- BackupRead returns ACLs.

- The RIDs of user and group are not corresponding to the Linux
  uid/gid. Unfortunately, samba doesn't submit user and group
  names to the reading pc. I'm using W2K and typically the
  ACL content is shown like:
    COMPUTERNAME\USERNAME    permissions
  or
    DOMAINNAME\GROUPNAME     permissions

  If this information can't be determined by the reading
  PC, the security info is shown as
    S-1-5-21-1234455-23232232-4434343-2000      permissions

  This is the case with samba on my Linux box. Maybe, my
  configuration is not correct?!?

- The returned permissions are sometimes not correct when the
  Linux permission bits are uncommon (e.g. r-x-wxr-- or sth like
  that).

- BackupWrite fails with WinAPI error 1337 (security ID structure
  is invalid). This seems to be related to the missing user/group
  information.

I haven't checked it out in detail yet. I'm not blessed with
much time this month. Nevertheless I'm very interested in
a good solution.

What would you think is a good method to get information
about symbolic links via NTSEC? I had the idea to use
a self defined SID for submitting different information
between samba and NT/W2K but unfortunately, BackupWrite()
checks SIDs. If it doesn't know a SID, the above 1337
error is generated. Maybe we could use an already defined
well known ID...

Ok, stop here. I would like to hear your opinion first.

Looking forward to your answer,
Corinna
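
The binary SID layout behind the S-1-5-21-... string quoted in the message above, as an added example that is not part of the original mail and is not Cygwin or Samba code: it decodes the structure, extracts the RID and rejects malformed input. The function names are hypothetical, and the structural checks are an assumption about what a well-formed SID looks like, not a reproduction of what BackupWrite() verifies.

```python
import struct

MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in the Windows headers


def sid_to_bytes(text):
    """Encode 'S-1-5-21-...' into the binary SID layout (hypothetical helper)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("unsupported revision or too many sub-authorities")
    # 1 byte revision, 1 byte count, 6 byte big-endian authority,
    # then one little-endian 32-bit value per sub-authority.
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(blob):
    """Decode a binary SID; return (string_form, rid). Raise on bad structure."""
    if len(blob) < 8:
        raise ValueError("truncated SID header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("bad revision %d" % revision)
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError("sub-authority count %d too large" % count)
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    text = "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])
    # The RID is the last sub-authority: the part that names the user or group.
    rid = subs[-1] if subs else None
    return text, rid


# The unresolved SID exactly as quoted in the message above.
EXAMPLE_SID = "S-1-5-21-1234455-23232232-4434343-2000"

if __name__ == "__main__":
    raw = sid_to_bytes(EXAMPLE_SID)
    print(raw.hex())
    print(parse_sid(raw))
```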
