On Mon, Mar 07, 2005 at 05:46:48PM +0100, Volker Lendecke wrote:
>
> Not possible. For each access denied from the kernel you would have to iterate
> through all groups that a user is in to retry, just in case some group
> membership would give him permission. The only real way around this is a
> user-space implementation of NT acls, but then you lose the unix
> interoperability.


It's not quite that bad - you can do a stat/getfacl to get the groups
list and iterate over the large numbers of groups that Samba stores in
the user token. But yeah, it's pretty bad :-).

> With Solaris you're stuck, sorry. That is just not usable in large AD
> environments.


That I'm agreed on :-).

Jeremy.
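
Added example, not part of the original message and not Samba's code: a sketch of the lookup Jeremy describes, reading the file's group ACL entries first and intersecting them with the group list in the user token, rather than retrying once per group. It assumes Linux-style `getfacl -n` (numeric) output; the sample ACL, the gids and the function names are constructed for illustration, and only group entries are evaluated (owner and named-user precedence is ignored).

```python
import re

# Constructed sample of numeric getfacl output for one file (not from the thread).
SAMPLE_GETFACL = """\
# file: projects/report.doc
# owner: 1000
# group: 5000
user::rw-
group::r--
group:70012:rw-
group:70044:r--
group:90001:rwx
mask::rw-
other::---
"""
# Constructed stand-in for the large group list held in the user token.
SAMPLE_TOKEN_GIDS = list(range(70000, 70100))

def parse_group_entries(getfacl_text):
    """Return ({gid: perms}, mask); perms and mask are sets of 'r', 'w', 'x'."""
    owning_gid, mask, groups = None, None, {}
    for line in getfacl_text.splitlines():
        m = re.match(r"# group: (\d+)$", line)
        if m:
            owning_gid = int(m.group(1))  # gid behind the unqualified "group::" entry
            continue
        if line.startswith("#") or not line.strip():
            continue
        tag, qualifier, perms = line.split(":")[:3]
        bits = set(perms[:3]) - {"-"}
        if tag == "mask":
            mask = bits
        elif tag == "group":
            groups[int(qualifier) if qualifier else owning_gid] = bits
    return groups, mask

def granting_groups(getfacl_text, token_gids, wanted):
    """Token gids whose ACL entry, after applying the mask, grants all of `wanted`."""
    groups, mask = parse_group_entries(getfacl_text)
    hits = []
    for gid in token_gids:
        perms = groups.get(gid)
        if perms is None:
            continue  # this token group has no entry on the file
        effective = perms & mask if mask is not None else perms
        if set(wanted) <= effective:
            hits.append(gid)
    return hits
```

Only the gids returned here would need to be tried for that file, which bounds the work by the size of the ACL rather than by the size of the token.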