Gerald (Jerry) Carter jerry at samba.org
Thu Aug 26 14:24:42 GMT 2004

Hash: SHA1

Gerald (Jerry) Carter wrote:
| Guenther Deschner wrote:
| | Hello Jeremy,
| |
| | looking at the current way of how share-access
| | is beeing evaluated, I wonder what samba's policy is
| | in regard to what takes precedence when grating
| | share-access?  smb.conf options or security
| | descriptors? (I couldn't find that clearly mentioned
| | in the code).
| |
| | Wouldn't it make sense to allow smb.conf options
| | (e.g. write list=root) to override *any* security
| | descriptor in share_info.tdb? Given the fact that
| | admins can change the smb.conf more easily than
| | changing share-acls with srvmgr or other related tools.
| |
| | In my particular case the print$-share (migrated from
| | NT to samba) has a security descriptor that contains
| | a S-1-1-0 ALLOW READ_ACCESS (among some other
| | ACEs) but root can not rw-access that share (with
| | write list = root in smb.conf).
| Guenther,
| Here's my small opinion.  The current model is pretty
| easy to explain.  You get the most restrictive access
| after filtering all the rules.  This is true of files
| and printers.  I think the proposed change would make it
| harder to explain and therefore harder to maintain.
| My preference would be to keep the current mocel as is.
| This only comes into play when migrating printers.
| The default is to give root/Domains Admins full control.
| So maybe we should modify the migration process and
| log more information to allow the admin to quickly determine
| the reason for the failure.

I should add that I think there are too many potentially
contradicting sets of access rules.  We should boil them
down to one security descriptor if possible.

cheers, jerry
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba-technical mailing list