1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

WHATSNEW: Add some information about new conditional aces feature

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This commit is contained in:
Douglas Bagnall 2024-01-15 15:21:11 +13:00 committed by Jule Anger
parent 8e8b8fc054
commit 4872b0abf6

View File

@ -108,6 +108,30 @@ New options added are:
and all files/directories below.
- '--restore savefile' Restores the stored DACLS to files in directory
Conditional ACEs and Resource Attribute ACEs
--------------------------------------------
Ordinary Access Control Entries (ACEs) unconditionally allow or deny
access to a given user or group. Conditional ACEs have an additional
section that describes conditions under which the ACE applies. If the
conditional expression is true, the ACE works like an ordinary ACE,
otherwise it is ignored. The condition terms can refer to claims,
group memberships, and attributes on the object itself. These
attributes are described in Resource Attribute ACEs that occur in the
object's System Access Control List (SACL). Conditional ACEs are
described in Microsoft documentation.
Conditional ACE evaluation is controlled by the "acl claims
evaluation" smb.conf option. The default value is "AD DC only" which
enables them in AD DC settings. The other option is "never", which
disables them altogether. There is currently no option to enable them
on the file server (this is likely to change in future releases).
The Security Descriptor Definition Language has extensions for
conditional ACEs and resource attribute ACEs; these are now supported
by Samba.
REMOVED FEATURES
================