
I have been searching on this and just can't find enough information on the topic.

We are trying to develop a custom folder / permission tool. The client's needs are quite complicated, as there will be 20,000 folders to manage (to begin with), where the permission requirements would mandate over 1000 security groups per user. Because the system has to stay scalable and user count scales the slowest, we were thinking of writing users explicitly into the ACL of folders.

Now what I would like to know: how does scaling the ACL entry count impact the system? We are talking about a virtualized Windows Server 2012 VM with an SMB share. What happens when we start writing 500 users into the ACL of a folder? Is there anyone with experience in that topic?

What people were able to tell me, and what I could find out myself, was:

- Don't use denies
- Use groups instead of users and put the users into the group
- Max of about 1000 groups per user (groups he can be in)

Problem is: The client's requirements imply that writing users into the ACL is the most efficient way of solving the problem. Nesting groups will limit the scalability of the system.

Regards and thanks in advance.

Shumachine
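One thing a practitioner would want before committing to 500 explicit user entries per folder is a way to measure what the resulting DACLs actually look like on a test tree. The following PowerShell script is an added example, not code from the question or its comments; it walks a folder tree, counts explicit (non-inherited) ACEs, explicit Deny ACEs and distinct identities per folder, and flags folders that exceed a threshold or approach the hard size ceiling of a Windows ACL (the ACL header's size field is 16 bits, so a DACL can never exceed 64 KB; with domain SIDs that is on the order of 1,800 entries, inherited entries included, since NTFS physically copies inherited ACEs into each child's DACL). The root path and the warning threshold are placeholders chosen for the example.

```powershell
# Added example, not code from the question or its comments.
# Audits the ACE profile of every folder under $Root so planned ACE counts can be
# measured on a test tree before rollout. Assumes the caller can read the DACLs;
# the path and threshold are placeholders chosen for this example.
param(
    [Parameter(Mandatory = $true)]
    [string] $Root,

    # Hypothetical threshold: folders whose explicit ACE count exceeds this are flagged.
    [int] $WarnAbove = 100
)

# The ACL structure's AclSize field is a 16-bit value, so a DACL cannot exceed 64 KB.
# A domain SID is typically 28 bytes and an ACE adds 8 bytes of header and mask,
# so roughly 36 bytes per entry; used here only for a rough size estimate.
$AclSizeLimit   = 64KB
$ApproxAceBytes = 36

Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # unreadable folder: skip rather than abort the run

        $all      = @($acl.Access)
        $explicit = @($all | Where-Object { -not $_.IsInherited })
        $denies   = @($explicit | Where-Object { $_.AccessControlType -eq 'Deny' })
        $who      = @($explicit | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        $estBytes = $all.Count * $ApproxAceBytes

        [pscustomobject]@{
            Path               = $_.FullName
            TotalAces          = $all.Count          # explicit + inherited entries stored on this folder
            ExplicitAces       = $explicit.Count
            ExplicitDenies     = $denies.Count       # the "don't use denies" advice, made measurable
            DistinctIdentities = $who.Count
            InheritanceBlocked = $acl.AreAccessRulesProtected
            EstDaclBytes       = $estBytes
            NearSizeLimit      = $estBytes -gt ($AclSizeLimit * 0.8)
            OverThreshold      = $explicit.Count -gt $WarnAbove
        }
    } |
    Where-Object { $_.OverThreshold -or $_.ExplicitDenies -gt 0 -or $_.NearSizeLimit } |
    Sort-Object ExplicitAces -Descending |
    Format-Table -AutoSize
```

Run it as `.\Audit-FolderAces.ps1 -Root 'D:\Shares\Projects' -WarnAbove 200` (file name and path are placeholders). Folders that never show up are within the threshold, carry no explicit denies and are nowhere near the 64 KB ceiling; the ones that do show up are where per-folder access checks and any later ACL rewrite will be the most expensive, so those are the candidates to test the "500 users per folder" design against first.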
  • Are you using samba or windows sharing? – Jim B Sep 25 '15 at 17:57
  • Files are shared by Windows standard share (thought that was smb) but permissions are written in ntfs directly. – Shumachine Sep 25 '15 at 21:53
  • You should consider dynamic access control rather than straight permissions. https://redmondmag.com/articles/2013/01/01/group-control.aspx?m=1 – Jim B Sep 26 '15 at 03:04
  • I tried to do that. But the client's needs demand us writing rights directly into ACL. – Shumachine Sep 28 '15 at 09:25
  • What's causing the clients to fail Kerberos auth. You'll have an interesting time if that's already broken. – Jim B Sep 28 '15 at 10:12
  • I hope my comments aren't misleading. There is nothing wrong with Kerberos auth. afaik. Are you asking because of what I said? – Shumachine Sep 29 '15 at 11:03
  • Right, if kerb auth works then you can use DAC. – Jim B Sep 29 '15 at 12:45
  • @JimB Problem is: I just don't see how dac might help. I am on the road right now. I will post an abstract of the problem later today or tomorrow. Thanks for the help! – Shumachine Sep 29 '15 at 15:22
  • Instead of groups you would use AD attributes (or a combination of them) – Jim B Sep 29 '15 at 20:30
  • @JimB Not possible - tried that in the beginning – Shumachine Sep 29 '15 at 20:48
  • What happened when you tried it? Can you add some of the requirements to your question? Seems to me there has to be a better way. – Jim B Sep 29 '15 at 23:20
