[Nottingham] [OxLUG] Why I hate WinNT ACLs...venting stream time. (fwd)

Jon Masters nottingham at mailman.lug.org.uk
Mon Sep 2 04:58:00 2002 

---------- Forwarded message ----------
Date: Mon, 2 Sep 2002 00:20:32 +0100 (BST)
From: Jon Masters <jonathan@jonmasters.org>
Reply-To: oxlug@lists.oxlug.org
To: oxlug@lists.oxlug.org
Subject: [OxLUG] Why I hate WinNT ACLs...venting stream time.

Hi,

So I just spent most of the day (and missed OxLUG as a consequence
though probably wouldn't have made it anyway...) with the following setup
and now I'm going to let you all have a laugh over my tribulations.
Previously I have gone with a more tried and tested "set up loads of UN*X
permissions and stick in nasty hack type permission forcing on share
definitions" - but that is not always a viable solution, as in this case.

DOMAIN A ------ TRUST RELATIONSHIP ------> DOMAIN B
   |                                         |
   |_ NT SERVER 1                            |_ NT SERVER 2
   |                                         |
   |_ SAMBA 2.2.5*                           |_ SAMBA 2.2.5*
      (2.4.19/RAID/LVM/ext3/etc.)              (2.4.19/RAID/LVM/ext3/etc.)

I wanted to replace NT SERVER 1 and NT SERVER 2 completely (well not
completely, they still want Exchange for variously varied reasons and I
kind of prefer the people who look after it using a familiar frontend) but
due to the Trust Relationship code only just going in to CVS about now I
didn't really want to have a go and screw everything completely :-)

So, the two Samba boxen had to join the two DOMAINs and act as servers
supporting NT ACLs, Winbind, etc. It is just about working correctly now
(though there are some annoyances with ACL translation and user (my)
interpretation of what should and should not work (leading me to
eventually realise it aint broken just not doing what I thought after a
nice long -d 10 session this evening debug what the fsck was happening)).

Has anyone else tried getting Winbind and NT ACL support working
transparently? (how about the OUCS types here, I know Nottingham don't do
it particularly but they end up with silly numbers of groups everywhere)
on a resonably large scale (here it's only about 400-500 users). I can
tell you, it isn't the most relaxing and enjoyable Sunday afternoon :-)

The one remaining "problem" is that I need to e.g. do a chown DOMAIN+USER
on a file before that user can set any ACLs even if they have other
permissions which might fool me in to thinking they should be allowed.
This is just down to my general feeling on how these things should work
but it's certainly not unique to this implementation. I will make the
"Administrators" admin users on the shares in question to help here.

Jon.

* Custom compile due to lack of bestbits acl support in Woody's package -
  if anyone knows why this is the case then please do tell me. Generally
  the ACL packages in Woody also do not work for me (library functions).