[Samba] ACL question

Jeremy Allison jra at samba.org
Tue Feb 22 18:12:58 GMT 2005

On Tue, Feb 22, 2005 at 09:23:57AM +0100, Cisowski, Daniel wrote:
> Hi all,
> I'm reposting because there was no response from the list. I'd be glad if
> anybody could comment...
> I'm planning a migration from Sun Microsystems' PCNetLink CIFS service to
> Samba and have a problem I cannot solve:
> Is there a possibility to map Windows ACLs to reflect the following:
> We have user groups with their own group directories. We need to provide
> some users in their group directories the ability to
> read/create/modify/remove files, but they must not be able to change
> permissions on the files/directories. In particular they must not take
> ownership of files they are not owners of.
> I've tried to test this using Samba 3.0.10 on Solaris 9 and compiled with
> --with-acl-support. The configuration for my test share has the following
> ACL relevant settings:
> 	security mask = 0777
> 	force security mode = 0
> 	directory security mask = 0777
> 	force directory security mask = 0
> But, if I try to set the following permissions (all except Full Control):
> 	Modify,
> 	Read & Execute
> 	List Folder Contents
> 	Read
> 	Write
> using Windows Explorer connected to the share on a subdirectory of the
> share, I get 777 on UNIX file system and my Windows client sees 'full
> control'.
> I'd be glad if anybody could confirm if the situation described above is
> normal Samba behavior or not and if my problem can be solved at all (using
> Samba).

Ok, don't think of this as a Windows ACL problem, think of it as a POSIX
ACL problem and try and create a solution using that. That's what Samba3
is using under the covers anyway.


More information about the samba mailing list