[Samba] Can Windows Domain admin grant "write" access WITHOUT "full control"?

smc+samba at dogphilosophy.net smc+samba at dogphilosophy.net
Mon Mar 7 04:05:22 GMT 2005

Setting up the initial connection to ADS was so easy...but now I'm stuck.

I'm trying to show off how seamlessly Samba integrates into an existing 
Windows "Active Directory" domain, but permissions issues are making this 
look much more complicated than it ought to be.

I'm trying to get file shares on a Samba 3.0.9 (Suse 9.2 pro) server to behave
exactly like a W2K server (or at least, close enough to "exactly like" that 
the Windows guy doesn't have any trouble administering the shares on the box.)

I got the share to propagate the access control lists and permissions like he 
wanted with "inherit permissions" and "inherit acls" (I also have "map acl 
inherit" and "store dos attributes" set.)  

It seems like, from the Windows share, he can't give any kind of write access 
without having permissions revert to "full control".  Is there any way around 
this, or does write access in Samba always come with e.g. ability to take 
ownership, change permissions, etc.?

I can't seem to find too much online so far about how the Windows model for 
permissions/access control lists compares to the *nix one used by Samba/Linux 
(with ACL and extended attribute support apparently working).  Any pointers 
to that kind of information would also be very helpful to me right now, 
before they give up and go blow our budget on licensing another slow "Windows
Server 2003" and a pile of "Client Access Licenses"...


More information about the samba mailing list