Gerald (Jerry) Carter
jerry at samba.org
Thu Aug 26 14:22:37 GMT 2004
Guenther Deschner wrote:
| Hello Jeremy,
| looking at the current way of how share-access
| is being evaluated, I wonder what samba's policy is
| in regard to what takes precedence when granting
| share-access? smb.conf options or security
| descriptors? (I couldn't find that clearly mentioned
| in the code).
| Wouldn't it make sense to allow smb.conf options
| (e.g. write list=root) to override *any* security
| descriptor in share_info.tdb? Given the fact that
| admins can change the smb.conf more easily than
| changing share-acls with srvmgr or other related tools.
| In my particular case the print$-share (migrated from
| NT to samba) has a security descriptor that contains
| a S-1-1-0 ALLOW READ_ACCESS (among some other
| ACEs) but root can not rw-access that share (with
| write list = root in smb.conf).
Here's my small opinion. The current model is pretty
easy to explain. You get the most restrictive access
after filtering all the rules. This is true of files
and printers. I think the proposed change would make it
harder to explain and therefore harder to maintain.
My preference would be to keep the current model as is.
This only comes into play when migrating printers.
The default is to give root/Domain Admins full control.
So maybe we should modify the migration process and
log more information to allow the admin to quickly determine
the reason for the failure.
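The "most restrictive access" model described in the reply above, applied to the print$ case from the quoted question, as an added example (not part of the original message and not Samba source code). It is a simplified model: the ACE tuples, the helper names and every SID other than S-1-1-0 are constructed for illustration, and the returned reasons show the kind of diagnostic an admin would need to find which layer blocked access.

```python
# Simplified model of "most restrictive wins"; not Samba's implementation.
READ, WRITE = 0x1, 0x2
EVERYONE = "S-1-1-0"

def share_acl_mask(aces, token_sids):
    """Walk ACEs in order and return the rights the share ACL grants the token."""
    granted, denied = 0, 0
    for ace_type, sid, mask in aces:
        if sid not in token_sids:
            continue
        if ace_type == "DENY":
            denied |= mask & ~granted      # blocks bits not already granted
        else:
            granted |= mask & ~denied      # grants bits not already denied
    return granted

def smbconf_mask(share_conf, user):
    """Rights smb.conf allows: 'write list' lifts 'read only' for listed users."""
    writable = not share_conf.get("read only", True)
    if writable or user in share_conf.get("write list", []):
        return READ | WRITE
    return READ

def effective_access(aces, token_sids, share_conf, user):
    """Intersect both layers and report which layer blocked each missing right."""
    acl = share_acl_mask(aces, token_sids)
    conf = smbconf_mask(share_conf, user)
    effective = acl & conf
    reasons = []
    for name, bit in (("read", READ), ("write", WRITE)):
        if not effective & bit:
            layers = (("share ACL", acl), ("smb.conf", conf))
            blockers = [src for src, m in layers if not m & bit]
            reasons.append(f"{name} denied by {' and '.join(blockers)}")
    return effective, reasons

# Constructed sample data modelled on the migrated print$ share in the question.
PRINT_ACES = [
    ("ALLOW", EVERYONE, READ),
    ("ALLOW", "S-1-5-21-CONSTRUCTED-1000", READ | WRITE),  # some other ACE
]
ROOT_TOKEN = {EVERYONE, "S-1-5-21-CONSTRUCTED-500"}         # constructed SID for root
PRINT_CONF = {"read only": True, "write list": ["root"]}

if __name__ == "__main__":
    eff, why = effective_access(PRINT_ACES, ROOT_TOKEN, PRINT_CONF, "root")
    print(f"root on print$: mask={eff:#x} reasons={why}")
```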