On Tue, May 27, 2008 at 02:44:40PM -0600, Tim Haley wrote:
> usersid/groupsid ACE types. These are aliases for user and group,
> but instead of an id a windows SID is specified instead.
>
> usersid:S-1-5-4343545-34534-44354-23:rwxp:allow
> groupsid:S-1-5-438473-58347567-4848-55:rwx:allow
>
> The acl_fromtext() interface will use idmap to convert the SID
> string into an ephemeral id.

You can also use idmap interfaces to perform name-to-SID lookup + ID
mapping. So you could allow "usersid:foo@domain:rwxp:allow"...

Do, please, make sure that there's a way to distinguish between Unix
user/group names and Windows user/group names. In the future we'll be
adding an nss_ad module that will make the two namespaces equal, but it
isn't necessarily the case that the customer will configure their system
to use nss_ad, thus the need for distinguishing between namespaces.

> The acl_totext() interface will introduce a new flag bit
> ACL_SID_FMT that will be used to instruct acl_totext() to use
> the usersid, or groupsid format when constructing textual
> ACLs when the "id" field is an ephemeral id and the flag
> parameter requests "sid" format.

I think we'll need a flag to request the use of Windows names vs. plain
SIDs. See above.

> acl_totext(aclp, ACL_SID_FMT);
>
> Both chown(1) and chgrp(1) will have a -s option added to allow
> changing the owner/group by SID string.
>
> For example:
>
> chown -s S-1-5-4343545-34534-44354-23:S-1-5-438473-58347567-4848-55
> file
> chgrp -s S-1-5-438473-58347567-4848-55 file
>
> All of the normal options to chown(1)/chgrp(1) will still
> apply, the -s argument simply tells the utility to treat the
> owner/group argument as a SID rather than a user or
> groupname.

My comments re: chmod apply here as well.

Nico
--
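The point Nico raises, that the ACE type keyword rather than the spelling of the principal must decide whether a Unix or a Windows namespace is meant, is easy to get wrong in a text parser. The following is an added example, not code from this thread or from the Solaris libsec/idmap implementation: a small parser and formatter for the textual ACE syntax quoted above. The `type:principal:perms:access` grammar, the compact permission-letter set, the `IDMAP` table standing in for an idmap lookup, and every function name here are assumptions made for the example; the SID strings are the ones quoted in the thread and the ephemeral ids are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed grammar for one textual ACE:  <type>:<principal>:<perms>:<allow|deny>
# "user"/"group" take a Unix name; "usersid"/"groupsid" take a Windows SID
# string (S-1-...) or, as proposed in the reply, a Windows name as name@domain.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
PERM_CHARS = set("rwxpdDaARWcCos")   # compact permission letters (assumed set)
UNIX_TYPES = {"user", "group"}
SID_TYPES = {"usersid", "groupsid"}

# Constructed stand-in for an idmap SID -> ephemeral id lookup.  The ids are
# invented for this example; a real system would ask idmap.
IDMAP = {
    "S-1-5-4343545-34534-44354-23": 2147483649,
    "S-1-5-438473-58347567-4848-55": 2147483650,
}
REVERSE_IDMAP = {v: k for k, v in IDMAP.items()}


@dataclass(frozen=True)
class Ace:
    ace_type: str        # "user", "group", "usersid" or "groupsid"
    namespace: str       # "unix" or "windows", fixed by the ACE type keyword
    principal: str       # Unix name, Windows name@domain, or SID string
    uid: Optional[int]   # ephemeral id resolved through IDMAP for SID entries
    perms: str
    access: str          # "allow" or "deny"


def classify_principal(ace_type, principal):
    """Return "sid", "windows-name" or "unix-name" for a principal.

    The ACE type keyword is authoritative; the principal's spelling is only
    checked for consistency with it, so a Unix account that happens to be
    named like a SID is never silently treated as a Windows identity, and a
    SID is never looked up as a Unix name.
    """
    looks_like_sid = bool(SID_RE.match(principal))
    if ace_type in SID_TYPES:
        if looks_like_sid:
            return "sid"
        if "@" in principal:
            return "windows-name"   # name@domain, resolved via name-to-SID
        raise ValueError(f"{ace_type} entry needs a SID or name@domain: {principal!r}")
    if ace_type in UNIX_TYPES:
        if looks_like_sid or "@" in principal:
            raise ValueError(f"{ace_type} entry takes a Unix name, not {principal!r}")
        return "unix-name"
    raise ValueError(f"unknown ACE type {ace_type!r}")


def parse_ace(text):
    """Parse one ACE entry; raises ValueError on any malformed field."""
    fields = text.strip().split(":")
    if len(fields) != 4:
        raise ValueError(f"expected type:principal:perms:access, got {text!r}")
    ace_type, principal, perms, access = fields
    kind = classify_principal(ace_type, principal)
    if not perms or set(perms) - PERM_CHARS:
        raise ValueError(f"bad permission letters {perms!r}")
    if access not in ("allow", "deny"):
        raise ValueError(f"bad access type {access!r}")
    uid = IDMAP.get(principal) if kind == "sid" else None   # None: no mapping yet
    namespace = "unix" if kind == "unix-name" else "windows"
    return Ace(ace_type, namespace, principal, uid, perms, access)


def parse_acl_text(text):
    """Parse a comma-separated ACL string into a list of Ace records."""
    return [parse_ace(entry) for entry in text.split(",") if entry.strip()]


def ace_to_text(ace, sid_fmt=False):
    """Render an Ace back to text.

    sid_fmt plays the role of the proposed ACL_SID_FMT flag: when set, an
    entry whose ephemeral id maps back to a SID is emitted as usersid/groupsid
    with the SID string; otherwise the stored principal is written as-is.
    """
    if sid_fmt and ace.uid is not None and ace.uid in REVERSE_IDMAP:
        base = "usersid" if ace.ace_type in ("user", "usersid") else "groupsid"
        return f"{base}:{REVERSE_IDMAP[ace.uid]}:{ace.perms}:{ace.access}"
    return f"{ace.ace_type}:{ace.principal}:{ace.perms}:{ace.access}"


if __name__ == "__main__":
    sample = ("usersid:S-1-5-4343545-34534-44354-23:rwxp:allow,"
              "groupsid:S-1-5-438473-58347567-4848-55:rwx:allow,"
              "user:alice:rwx:allow")   # constructed ACL text
    for ace in parse_acl_text(sample):
        print(ace.namespace, ace.uid, ace_to_text(ace, sid_fmt=True))
```

The design choice worth noting is that `classify_principal` rejects an entry whose principal is inconsistent with its type keyword instead of guessing: a `user:` entry carrying a SID-shaped string or a `name@domain` is an error, as is a `usersid:` entry carrying a bare Unix-style name. That keeps the two namespaces apart whether or not something like nss_ad is configured, and it makes an ACL that was written under the wrong assumption fail loudly at parse time rather than grant access to the wrong principal.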
