On 10/27/21 13:11, David Brodbeck wrote:
>
> On Wed, Oct 27, 2021 at 8:31 AM Patrick Goetz via samba
> <samba at lists.samba.org> wrote:
>
>     NFSv4 does allow you to do local identity mapping, but it apparently
>     doesn't respect permissions/ACLs, so I'm not sure what the point is.
>     (Apparently because I've never tried to use this feature.)
>
>
> It does, but it has its own ACLs separate from the Posix ACLs most
> people are familiar with...which are themselves separate from the NT
> ACLs Samba uses. IIRC it does honor normal file permissions as well but
> it's been a while since I last used it. Also, some idmapping features
> only work if you're also using Kerberos.
>
> NFSv3 can do Posix ACLs if both the client and server are Linux and it's
> enabled on both ends. But it requires matching UIDs and GIDs.
>
> Neither NFSv4 ACLs nor Posix ACLs allow nested groups.
>
> The whole NFS interoperability situation is a bit of a hot mess.
>
It's a hot mess because the kernel developers refuse to acknowledge the
need to incorporate a VFS permissions model closer to NFS or Windows
ACLs. Really, this can be simplified to "the kernel needs to adopt NFS
ACLs". Windows ACLs jumped the shark long ago, likely due to corporate
customer requests to handle edge cases. Other than the stuff no sane
person would ever use, Windows and NFS ACLs are largely identical (since
NFSv4 just copied Windows).
The nested groups thing is a nice feature of AD, although it's not that
hard to live without it. Having a better default permissions system is
far more important. The most important hindsight innovation of AD is
treating computers like users; i.e., as a thing that needs a UID with
directory properties and authentication.
> --
> David Brodbeck (they/them)
> System Administrator, Department of Mathematics
> University of California, Santa Barbara
>
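Added example, not code from the thread, from Samba, or from any NFS implementation: a small Python model of the two ACL evaluation algorithms the thread contrasts (NFSv4 ordered ALLOW/DENY entries per RFC 7530 6.2.1, and POSIX.1e owner/named-user/group-class/other with a mask per acl(5)), run against the same file and the same access requests after flattening AD-style nested groups. The users, groups, ACLs and the three-bit permission encoding are all constructed for illustration. It shows two things from the exchange above: neither ACL type can express nested groups, so the directory or idmap layer has to expand membership transitively before the ACL is consulted, and POSIX ACLs have no DENY entry, so "members of staff cannot write even though staff is inside the owning group" is expressible in NFSv4 but not in POSIX.

```python
"""Added example (not from the samba list thread): NFSv4-style versus
POSIX.1e-style ACL evaluation over flattened nested groups.
All names, groups, ACLs and permission bits are constructed."""

READ, WRITE, EXECUTE = 1, 2, 4  # simplified access bits (assumption)

# Constructed AD-style nested groups: members may be users or groups.
NESTED_GROUPS = {
    "mathdept": ["faculty", "staff"],
    "faculty": ["alice"],
    "staff": ["bob", "sysadmins"],
    "sysadmins": ["carol"],
}

OWNER, OWNING_GROUP = "alice", "mathdept"  # file alice:mathdept

# NFSv4-style ACL: (type, who, mask), processed in order.
NFS4_ACL = [
    ("DENY", "group:staff", WRITE),
    ("ALLOW", "OWNER@", READ | WRITE | EXECUTE),
    ("ALLOW", "group:mathdept", READ | WRITE),
]

# POSIX.1e ACL: (tag, qualifier, perms); qualifier None = *_OBJ entry.
POSIX_ACL = [
    ("user", None, READ | WRITE | EXECUTE),  # user::rwx
    ("group", None, READ | WRITE),           # group::rw- (mathdept)
    ("group", "staff", READ),                # group:staff:r--
    ("mask", None, READ | WRITE),            # mask::rw-
    ("other", None, 0),                      # other::---
]


def flatten_groups(user, nested):
    """Every group that transitively contains `user` (fixed-point loop)."""
    result = set()
    changed = True
    while changed:
        changed = False
        for group, members in nested.items():
            if group not in result and (
                user in members or any(m in result for m in members)
            ):
                result.add(group)
                changed = True
    return result


def direct_groups(user, nested):
    """Groups that list `user` directly; what a non-nesting lookup sees."""
    return {g for g, members in nested.items() if user in members}


def ace_matches(who, user, groups):
    if who == "OWNER@":
        return user == OWNER
    if who == "GROUP@":
        return OWNING_GROUP in groups
    if who == "EVERYONE@":
        return True
    kind, _, name = who.partition(":")
    return name == user if kind == "user" else name in groups


def nfs4_access(acl, user, groups, requested):
    """RFC 7530 6.2.1: walk ACEs in order; ALLOW settles bits not yet
    allowed; a DENY that hits any still-unallowed requested bit fails the
    request; leftover undecided bits at the end also mean denial."""
    allowed = 0
    for kind, who, mask in acl:
        if not ace_matches(who, user, groups):
            continue
        pending = requested & ~allowed
        if kind == "DENY" and mask & pending:
            return False
        if kind == "ALLOW":
            allowed |= mask & pending
        if allowed & requested == requested:
            return True
    return False


def posix_access(acl, user, groups, requested):
    """acl(5): owner entry, else named user, else any matching group entry
    (owning group or named) that grants all bits, else other; named-user
    and group entries are limited by the mask. There is no DENY."""
    def find(tag, qual):
        return next((p for t, q, p in acl if t == tag and q == qual), None)

    mask = find("mask", None)
    if mask is None:
        mask = READ | WRITE | EXECUTE  # minimal ACL: no mask entry
    if user == OWNER:
        return find("user", None) & requested == requested
    named = find("user", user)
    if named is not None:
        return named & mask & requested == requested
    group_perms = [p for t, q, p in acl if t == "group"
                   and (q in groups if q is not None else OWNING_GROUP in groups)]
    if group_perms:
        return any(p & mask & requested == requested for p in group_perms)
    return find("other", None) & requested == requested


def check(user, requested, flatten=True):
    """(nfs4_result, posix_result) for one user and request."""
    groups = (flatten_groups if flatten else direct_groups)(user, NESTED_GROUPS)
    return (nfs4_access(NFS4_ACL, user, groups, requested),
            posix_access(POSIX_ACL, user, groups, requested))


if __name__ == "__main__":
    for who, req in [("alice", WRITE), ("bob", WRITE), ("carol", READ), ("dave", READ)]:
        print(who, req, check(who, req), "direct-only:", check(who, req, flatten=False))
```

The interesting row is bob, who is in staff and therefore transitively in mathdept: the NFSv4 ACL denies his write because the DENY for staff comes first, while the POSIX ACL grants it because the owning-group entry rw- is enough and no entry can subtract rights. Carol shows the nested-group point: she is only directly a member of sysadmins, so with unflattened membership neither ACL matches her at all; the ACLs themselves never see the nesting, the membership resolver has to.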