Re: ACL handling for NFSv4
On Mon, 1 Dec 2008, Terry Lambert wrote:

I agree with this, but you need to be very careful here. For NFSv4, the enforcement is done on the server. The ACL support will only be enabled when a mount option is set and that allows me to document the above in the man page for that option.

Would you mind if I cut/paste some of the above into the man page, attributing it to you as the author?

Thanks again, rick

[good stuff snipped]

A lot of client/server enforcement is predicated on the idea that the client and server will be members of the same security association, and being members of the same SA, you will get the same answer for both ends. In most of these cases, the enforcement is intended to be done server-side, while (potentially) being originated client-side or via inheritance.

For GUID translations for unknown GUIDs, which are "unknown" because you have disconnected your laptop from the corporate network and happened to be using ACLs on it, or you have disconnected your laptop from one of maybe three SAs it's normally a member of (e.g. you are in your home office talking to your home office server (SA 1), your Internet connection is up (SA 2), but your VPN connection into work is currently down (SA 3)), then DS will make up a transient answer for you. This will boil down to you being likely to get an answer to the first question you ask in this situation, i.e. "please give me a transient GID for this GUID" or "please give me a transient UID for this GUID", but not both.

Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
participants (1)
-
Rick Macklem