[Samba] Re: Full wNT/w2K ACL conformance
Shawn Wright
swright at sls.bc.ca
Wed Jun 18 22:27:37 GMT 2003
On 18 Jun 2003 at 15:39, Dragan Krnic wrote:
> >>The show-stopper right now is this: we need to be
> >>able to assign "real" Full Control permissions: a
> >>user who has "Full control" on a directory should
> >>be able to Read, Write, eXecute (of course) [ this
> >>can be easily achieved with ACLs ] *plus* being
> >>able to give away Full Control to other users too
> >>[being able to override inherited ACLs would be a
> >>plus, too]. Is this feasible (remember smbd runs as
> >>root... )? Has somebody thought about implementing
> >>this ?
>
> If you have Full Control over a directory (e.g. as
> root, or own it or have rwx on it), you can give FC
> (rwx) to others. Is it perhaps the other way around,
> that you want to stop this delegation, unless an FC
> EA explicitly allows it? I'm not sure if it can be
> a show-stopper or if it really makes a difference.

In our case, the only users who require "Full Control" access are admins,
so we use "admin users = @domain/domain admins". Not ideal, but it
gives us the NT equivalence we require, and has allowed us to migrate a
large portion of our file storage to Samba.

We find the option "nt acl support = no" to be a nice feature that is not
available on NT. It prevents our students from messing with ACLs (for
their own files) which had been a problem on NT. We provide a second
admin access only share which provides ACL support for admins.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright at sls.bc.ca
"Friends don't let friends use Outlook."
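
The two-share layout described in the message above can be checked mechanically. The following is an added example, not part of the original post or of Samba: it reads a constructed smb.conf and lists shares where clients can still edit ACLs with no user restriction. The share names, the path, and the use of `valid users` to make the second share admin-only are assumptions.

```python
# Added example, not from the original post. SAMPLE_CONF is constructed;
# share names and the use of "valid users" are assumptions.
SAMPLE_CONF = """\
[global]
    admin users = @domain/domain admins
[students]
    nt acl support = no
[students-acl]
    valid users = @domain/domain admins
    nt acl support = yes
[scratch]
    path = /srv/scratch
"""
TRUE = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)

def parse(text):
    # Minimal reader: no continuations/includes; names ignore case and spaces.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    sections = parse(text)
    defaults = sections.pop("global", {})
    report = {}
    for name, params in sections.items():
        eff = {**defaults, **params}  # share settings override [global]
        report[name] = {
            # "nt acl support" defaults to yes when a share does not set it
            "acl_editing": eff.get("ntaclsupport", "yes").lower() in TRUE,
            "admin_users": eff.get("adminusers", ""),
            "restricted": bool(eff.get("validusers", "")),
        }
    return report

def open_acl_shares(text):
    # Shares where clients may edit ACLs and no "valid users" list applies.
    return sorted(s for s, r in audit(text).items()
                  if r["acl_editing"] and not r["restricted"])

if __name__ == "__main__":
    print("ACL editing open to all users:", open_acl_shares(SAMPLE_CONF))
```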