Security-level permission not working as expected on samba3.5.15

Rowland Penny repenny241155 at
Mon May 26 11:04:11 MDT 2014

On 26/05/14 17:56, sandeep nag wrote:
> We use samba 3.5.15 code with acl_xattr module for acl support. Here are
> the observations I made, when I tried setting share-level, security-level
> permissions on a samba share:
> 1. Share-level permissions are working as expected. i.e. in our test-case:
> When read-only share-level permission is set for the user,
> and when the user tries to create folder/file, it is throwing an error
> saying permission denied.
> 2. On 2008 windows boxes, general behavior on any share folder is: if we
> set one of the Share or Security-level permission, other would convert to
> the same. i.e we cannot set one of it to read-only and other to read&write
> permissions.
> 3. Whereas on our samba3.5.15, #3 above is not seen. We are able to set
> Share-level to read&write and Security-level permission to read-only.
> And with such kind of settings, it is allowing to create/write a
> file/directory, though there are not enough security-level permissions.
> 4. So, the behavior mentioned in #4 above is not following the rule: i.e.
> ‘The Effective permission for the user should be the lesser of the two
> rights (share-level, security-level)’.
> 5. I have tried debugging the issue by placing break points in
> smbd_check_access_rights(), se_accesss_right() and have observed that for
> the test-case:
> share-level read&write permission given for 'everyone' and
> read-only security-level permission given for the share is not working as
> expected, i.e. the user with just read-only security-level permissions
> is able to create files and directories in the shared-folder.
> Please help me in knowing whether I am missing something, or this is the
> known-issue in samba 3.5.15?
> Thanks,
> Sandeep.
Is there any chance that you can upgrade to a later samba version? The
3.5 series went EOL about 2 yrs ago.
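
The rule quoted in the original post (the effective permission is the lesser of the share-level and security-level rights) can be modelled as two ordered ACL walks whose results are intersected. This is an added example, not part of either message and not Samba's code. The user SID, the ACL contents and the function names are constructed for illustration; the access-mask constants are the standard Windows file rights.

```python
# Simplified model of a Windows-style access check (not Samba source code).
FILE_READ_DATA = 0x0001        # FILE_LIST_DIRECTORY on a directory
FILE_WRITE_DATA = 0x0002       # FILE_ADD_FILE on a directory
FILE_APPEND_DATA = 0x0004      # FILE_ADD_SUBDIRECTORY on a directory
FILE_GENERIC_READ = 0x120089
FILE_GENERIC_WRITE = 0x120116

EVERYONE = "S-1-1-0"                      # well-known SID
USER = "S-1-5-21-1111-2222-3333-1001"     # constructed SID
TOKEN = {USER, EVERYONE}                  # SIDs in the user's token


def max_allowed(acl, token_sids):
    """Walk ACEs in order; the first ACE to mention a bit decides it."""
    granted = denied = 0
    for ace_type, sid, mask in acl:
        if sid not in token_sids:
            continue
        if ace_type == "allow":
            granted |= mask & ~denied
        else:  # "deny"
            denied |= mask & ~granted
    return granted


def effective_rights(share_acl, file_dacl, token_sids):
    """Effective rights are the intersection of both layers."""
    return max_allowed(share_acl, token_sids) & max_allowed(file_dacl, token_sids)


def access_allowed(share_acl, file_dacl, token_sids, desired):
    """Every requested bit must survive both checks."""
    return (desired & ~effective_rights(share_acl, file_dacl, token_sids)) == 0


# Constructed ACLs matching the test case in the post:
# share-level read&write for Everyone, security-level read-only for the user.
SHARE_RW = [("allow", EVERYONE, FILE_GENERIC_READ | FILE_GENERIC_WRITE)]
SHARE_RO = [("allow", EVERYONE, FILE_GENERIC_READ)]
DIR_RO = [("allow", USER, FILE_GENERIC_READ)]
DIR_RW = [("allow", USER, FILE_GENERIC_READ | FILE_GENERIC_WRITE)]

if __name__ == "__main__":
    for name, share, dacl in [("share RW / dir RO", SHARE_RW, DIR_RO),
                              ("share RO / dir RW", SHARE_RO, DIR_RW)]:
        for op, bit in [("list", FILE_READ_DATA), ("create file", FILE_WRITE_DATA),
                        ("create dir", FILE_APPEND_DATA)]:
            print(name, op, access_allowed(share, dacl, TOKEN, bit))
```

Under this model both mixed configurations refuse file and directory creation, which is the result the poster expected from the share RW / security read-only test case.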


More information about the samba-technical mailing list