dsa

Gerald (Jerry) Carter jerry at samba.org
Thu Aug 26 14:24:42 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gerald (Jerry) Carter wrote:
| Guenther Deschner wrote:
| | Hello Jeremy,
| |
| | looking at the current way of how share-access
| | is being evaluated, I wonder what samba's policy is
| | in regard to what takes precedence when granting
| | share-access?  smb.conf options or security
| | descriptors? (I couldn't find that clearly mentioned
| | in the code).
| |
| | Wouldn't it make sense to allow smb.conf options
| | (e.g. write list=root) to override *any* security
| | descriptor in share_info.tdb? Given the fact that
| | admins can change the smb.conf more easily than
| | changing share-acls with srvmgr or other related tools.
| |
| | In my particular case the print$-share (migrated from
| | NT to samba) has a security descriptor that contains
| | a S-1-1-0 ALLOW READ_ACCESS (among some other
| | ACEs) but root can not rw-access that share (with
| | write list = root in smb.conf).
|
| Guenther,
|
| Here's my small opinion.  The current model is pretty
| easy to explain.  You get the most restrictive access
| after filtering all the rules.  This is true of files
| and printers.  I think the proposed change would make it
| harder to explain and therefore harder to maintain.
|
| My preference would be to keep the current model as is.
| This only comes into play when migrating printers.
| The default is to give root/Domain Admins full control.
|
| So maybe we should modify the migration process and
| log more information to allow the admin to quickly determine
| the reason for the failure.

I should add that I think there are too many potentially
contradicting sets of access rules.  We should boil them
down to one security descriptor if possible.




cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBLfKqIR7qMdg1EfYRAkyGAJ9v/BQmN/v4qdgrXu7hsMa4ywveUwCg4Vit
20Vp7PkHmtxQoP5VFP+mYuc=
=xfba
-----END PGP SIGNATURE-----
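The "most restrictive access after filtering all the rules" model from this thread, as an added sketch that is not part of the original message and is not Samba's code. It intersects a share security descriptor with the smb.conf layer and reports which layer removed the requested rights, the kind of detail the thread suggests logging. The access masks, the second SID and the helper names are constructed for illustration.

```python
# Simplified model of "most restrictive wins"; not Samba's implementation.
READ, WRITE = 0x1, 0x2
EVERYONE = "S-1-1-0"
PRINT_ADMINS = "S-1-5-21-1-2-3-1000"  # constructed SID standing in for the "other ACEs"

def sd_rights(aces, token_sids):
    """Rights an ordered ACL grants to a token; earlier ACEs win over later ones."""
    granted = denied = 0
    for ace_type, sid, mask in aces:
        if sid not in token_sids:
            continue
        if ace_type == "DENY":
            denied |= mask & ~granted
        else:
            granted |= mask & ~denied
    return granted

def conf_rights(user, conf):
    """smb.conf layer: 'write list' members get write even on a read-only share."""
    if user in conf.get("write list", ()) or not conf.get("read only", True):
        return READ | WRITE
    return READ

def explain(user, token_sids, desired, aces, conf):
    """Return (granted mask, names of the layers that removed requested bits)."""
    sd, cf = sd_rights(aces, token_sids), conf_rights(user, conf)
    blocked_by = []
    if desired & ~sd:
        blocked_by.append("share security descriptor")
    if desired & ~cf:
        blocked_by.append("smb.conf")
    return desired & sd & cf, blocked_by

# Constructed data mirroring the print$ case described in the thread.
PRINT_ACL = [("ALLOW", EVERYONE, READ), ("ALLOW", PRINT_ADMINS, READ | WRITE)]
PRINT_CONF = {"read only": True, "write list": {"root"}}

if __name__ == "__main__":
    for user, sids in (("root", {EVERYONE}), ("alice", {EVERYONE, PRINT_ADMINS})):
        granted, blocked = explain(user, sids, READ | WRITE, PRINT_ACL, PRINT_CONF)
        print(f"{user}: granted={granted:#x} blocked_by={blocked}")
```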

