From ca7e085fd9b0fdd36fc2f457ae031d9b56ec65aa Mon Sep 17 00:00:00 2001 From: OpenAI Date: Wed, 10 Jun 2026 19:53:09 +0000 Subject: [PATCH] docs: record NetWare object ID trustee GUID mode --- AI.md | 17 +++++++++++------ TODO.md | 6 ++++++ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/AI.md b/AI.md index dd925c5..2458fc8 100644 --- a/AI.md +++ b/AI.md @@ -581,12 +581,17 @@ NetWare/NSS xattr and trustee metadata baseline: allow/deny/clear model. The current mars-nwe `netware.metadata` trustee rights encoding uses the NSS/NCP bit assignments, so the rights masks are layout-compatible with Novell/OES readers. -- Open directory-identity follow-up: `netware.metadata` trustee entries carry - GUID-style NSS/eDirectory authorizer identifiers. mars-nwe currently maps the - bindery object ID into the GUID field for local roundtrips and NCP readback; a - real OES/NSS server might not resolve that identifier to the same object. Keep - this as a Directory/eDirectory/NDS mapping task rather than changing the - trustee rights patch. +- Trustee identity compatibility mode: for the NetWare 3.x/4.x target, keep the + classic 32-bit bindery/NDS object ID as the authoritative trustee identity and + embed it deterministically in the NSS `GUID_t` `timeLow` field with the rest of + the GUID zeroed. This preserves the classic NCP/SYSCON/FILER/GRANT/REVOKE + object-ID model while using the NSS `netware.metadata` binary layout. Do not + treat these values as real OES/eDirectory authorizer GUIDs. +- Open directory-identity follow-up: real OES/NSS trustee entries carry + GUID-style NSS/eDirectory authorizer identifiers. A real OES/NSS server might + not resolve mars-nwe's embedded bindery object ID to the same object. Keep + real eDirectory/NDS/AuthID GUID mapping as a later Directory task rather than + changing the NetWare 3.x/4.x trustee rights patch. - Inheritance model to preserve: only entries marked inherit-down propagate; child inherited rights are filtered by `inheritedRightsMask` and `zVALID_TRUSTEE_RIGHTS`; supervisor is preserved in the mask and expands to all diff --git a/TODO.md b/TODO.md index 3fd95ff..8d48d6a 100644 --- a/TODO.md +++ b/TODO.md @@ -2159,6 +2159,12 @@ Implementation tasks: - Add NSS-compatible trustee constants and helpers for effective rights: R/W/C/E/A/F/M/S, salvage/secure bits, inherited-rights-mask filtering, inherit-down propagation and supervisor expansion. +- NetWare 3.x/4.x trustee identity mode: continue to use the classic 32-bit + bindery/NDS object ID for trustee identity and embed that value in + `netware.metadata` trustee `GUID_t.timeLow` with the remaining GUID fields + zeroed. This is the mars-nwe compatibility mapping for classic NCP clients; + full OES/NSS eDirectory/AuthID GUID mapping is a later Directory/eDirectory + task, not a blocker for the current trustee rights backend. - Make the baseline positive trustee rights plus inherited rights mask. Negative ACL/deny/clear/one-level behavior from `trustees-3.0` is not part of the first NetWare/NSS compatibility layer.