1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-04 05:18:06 +03:00

More updates from feedback.

This commit is contained in:
John Terpstra 2005-05-03 15:56:33 +00:00 committed by Gerald W. Carter
parent cc788b981a
commit bf17c2180a
3 changed files with 45 additions and 12 deletions

View File

@ -352,10 +352,12 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
An overview of the permissions field can be found in <link linkend="access1">Overview of UNIX permissions field</link>.
</para>
<image id="access1"><imagedescription>Overview of UNIX permissions field.</imagedescription><imagefile scale="40">access1</imagefile></image>
<image id="access1"><imagedescription>Overview of UNIX permissions field.</imagedescription>
<imagefile scale="40">access1</imagefile></image>
<para>
Any bit flag may be unset. An unset bit flag is the equivalent of <quote>cannot</quote> and is represented as a <quote>-</quote> character.
Any bit flag may be unset. An unset bit flag is the equivalent of <quote>cannot</quote> and is represented
as a <quote>-</quote> character.
<example>
<title>Example File</title>
@ -373,9 +375,9 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
</para>
<para>
The letters <constant>rwxXst</constant> set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),
execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s),
sticky (t).
The letters <constant>rwxXst</constant> set permissions for the user, group and others as: read (r), write (w),
execute (or access for directories) (x), execute only if the file is a directory or already has execute
permission for some user (X), set user or group ID on execution (s), sticky (t).
</para>
<para>
@ -406,11 +408,21 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08
For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can
write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to
but not deleted. Such concepts are foreign to the UNIX operating system file space. Within the UNIX file system
anyone who has the ability to create a file can write to it, and has the capability to delete it. Of necessity, Samba
is subject to the file system semantics of the host operating system. Samba is therefore limited in the file system
capabilities that can be made available through Windows ACLs, and therefore performs a <quote>best fit</quote>
translation to POSIX ACLs. Some UNIX file systems do however support a feature known as extended attributes. Only
the Windows concept of <quote>inheritance</quote> is implemented by Samba through the appropriate extended attribute.
anyone who has the ability to create a file can write to it, and has the capability to delete it.
</para>
<para>
For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on
the directory that the file is in. In other words, a user can delete a file in a directory to which that
user had write access, even if that user does not own the file.
</para>
<para>
Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore
limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs
a <quote>best fit</quote> translation to POSIX ACLs. Some UNIX file systems do however support a feature known
as extended attributes. Only the Windows concept of <quote>inheritance</quote> is implemented by Samba through
the appropriate extended attribute.
</para>
<para>

View File

@ -69,7 +69,8 @@
<para>
<indexterm><primary>IDMAP</primary></indexterm>
In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
<link linkend="idmap-sid2gid">IDMAP: group SID to GID resolution</link> and <link linkend="idmap-gid2sid">IDMAP: GID resolution to matching SID</link>.
<link linkend="idmap-sid2gid">IDMAP: group SID to GID resolution</link> and
<link linkend="idmap-gid2sid">IDMAP: GID resolution to matching SID</link>.
The <command>net groupmap</command> is
used to establish UNIX group to NT SID mappings as shown in <link linkend="idmap-store-gid2sid">IDMAP: storing group mappings</link>.
</para>
@ -199,6 +200,25 @@
but for now the burden is on you.
</para>
<sect2>
<title>Warning &smbmmdsh; User Private Group Problems</title>
<para>
Windows does not permit user and group accounts to have the same name.
This has serious implications for all sites that use private group accounts.
A private group account is an administrative practice whereby users are each
given their own group account. Red Hat Linux, as well as several free distributions
of Linux by default create private groups.
</para>
<para>
When mapping a UNIX/Linux group to a Windows group account all conflict can
be avoided by assuring that the Windows domain group name does not overlap
with any user account name.
</para>
</sect2>
<sect2>
<title>Important Administrative Information</title>

View File

@ -117,6 +117,7 @@ The chapters in this part each cover specific Samba features.
<xi:include href="TOSHARG-Backup.xml"/>
<xi:include href="TOSHARG-HighAvailability.xml"/>
<xi:include href="TOSHARG-LargeFile.xml"/>
<!-- <xi:include href="TOSHARG-SecureLDAP.xml"/> -->
</part>
@ -149,7 +150,7 @@ The chapters in this part each cover specific Samba features.
<!-- Comment out the following line to include the manpages.
*Please* do not commit with the line below enabled! -->
<!--<xi:include href="manpages.xml"/>-->
<!-- <xi:include href="manpages.xml"/> -->
<xi:include href="http://www.gnu.org/licenses/gpl.xml"/>
<xi:include href="TOSHARG-glossary.xml"/>