Guenther Deschner gd at samba.org
Thu Aug 26 09:02:13 GMT 2004

Hello Jeremy,

looking at the current way of how share-access is being evaluated, I wonder
what samba's policy is in regard to what takes precedence when granting
share-access?  smb.conf options or security descriptors? (I couldn't find that
clearly mentioned in the code).

Wouldn't it make sense to allow smb.conf options (e.g. write list=root) to
override *any* security descriptor in share_info.tdb? Given the fact that
admins can change the smb.conf more easily than changing share-acls with srvmgr
or other related tools.

In my particular case the print$-share (migrated from NT to samba) has a
security descriptor that contains a S-1-1-0 ALLOW READ_ACCESS (among some other
ACEs) but root can not rw-access that share (with write list = root in

What do you think?


Guenther Deschner,  SerNet Service Network GmbH
Phone: +49-(0)551-370000-0,  Fax: +49-(0)551-370000-9