[Samba] Re: Full wNT/w2K ACL conformance

Shawn Wright swright at sls.bc.ca
Wed Jun 18 22:27:37 GMT 2003

On 18 Jun 2003 at 15:39, Dragan Krnic wrote:

> >>The show-stopper right now is this: we need to be 
> >>able to assign "real"  Full Control permissions: a 
> >>user who has "Full control" on a directory  should
> >>be able to Read, Write, eXecute ( of course) [ this 
> >>can be easily achieved with ACLs ]  *plus*  being 
> >>able to give away Full Control to other users too
> >>[being able to override inherited ACLs would be a 
> >>plus, too]. Is this feasible (remember smbd runs as 
> >>root... )? Has somebody thought about implementing 
> >>this ?
> If you have Full Control over a directory (e.g. as
> root, or own it or have rwx on it), you can give FC 
> (rwx) to others. Is it perhaps the other way around, 
> that you want to stop this delegation, unless an FC
> EA explicitely allows it? I'm not sure if it can be
> a show-stopper or if it really makes a difference.

In our case, the only users who require "Full Control" access are admins, 
so we use "admin users = @domain/domain admins". Not ideal, but it 
gives us the NT equivalence we require, and has allowed us to migrate a 
large portion of our file storage to Samba.

We find the option "nt acl support = no" to be a nice feature that is not 
available on NT. It prevents our students from messing with ACLs (for 
their own files) which had been a problem on NT. We provide a second 
admin access only share which provides ACL support for admins.

Shawn Wright, I.T. Manager
Shawnigan Lake School
swright at sls.bc.ca
"Friends don't let friends use Outlook."

More information about the samba mailing list