[Samba] Unexpected behaviour with ACL GROUP CONTROL

Roger Lucas roger at planbit.co.uk
Sun May 14 23:00:07 GMT 2006 

> -----Original Message-----
> From: Jeremy Allison [mailto:jra at samba.org]
> Sent: 14 May 2006 23:37
> To: Roger Lucas
> Cc: 'Jeremy Allison'; samba at lists.samba.org
> Subject: Re: [Samba] Unexpected behaviour with ACL GROUP CONTROL
> 
> On Sun, May 14, 2006 at 11:23:59PM +0100, Roger Lucas wrote:
> > Thanks for the (very) quick reply.
> >
> > Is there any way to set it up so that the ACL for a file or folder can
> be
> > changed by any user who:
> > 	- has explicit write access in the current ACL
> > and/or
> > 	- is a member of a group that has write access in the current ACL
> >
> > I am looking for an "intuitive" configuration so that if you have write
> > access to a file (via whatever ACLs) then you can write to the ACL as
> well
> 
> That's not intuitive to me... The problem is write access doesn't mean
> set ACL access. Set ACL access implies ownership. Write access can be
> given to anyone.
> 
Agreed, but as I understand it (from the "Samba-3 By Example" section
10.3.4) there is no way to get a Windows box to change the owner of a file
on the SAMBA box.  You have to log into the Linux box to make the change.
This causes a problem if you are trying to drop a box into a Windows network
which you want to be able to manage completely from Windows.  If the ACL
access was more "relaxed" then it would help work around this problem.

The problem in changing ownership on SAMBA files/folders from Windows is 
inconvenient, however, and a solution would be nice.  

My goal is to have a server with a single share which can be completely
administered from Windows (as this makes life easiest for the Windows
users).  The Windows users would then be able to create folders within this
share and set each folder's ACL appropriately.

The problem for me with the "ACL GROUP CONTROL" is that currently all files
and folders which are created by Windows users have their primary group as
"Domain users".  Since my goal is to have a single share, this means that I
cannot use the "force group" etc features to override the user and group
owner of the file.  If I then enable "ACL GROUP CONTROL" then it means that
any member of the "Domain users" group can change the ACL, which basically
removes any security in the system.  Having a single share makes the "ACL
GROUP CONTROL" feature less useful...

I am beginning to suspect that the goal of a single share is impractical,
but it would be the preferred solution.  The work-around that I can see is
to add the "Domain admins" group to the share "admin users" list for the
share.  At least then the "Domain admins" group can always change any ACL as
necessary.

- Roger.

P.S.  Don't get me wrong - SAMBA is fantastic and the quality of integration
with Windows is excellent given how awkward Windows is in just about every
way.

More information about the samba mailing list