[Samba] Unexpected behaviour with ACL GROUP CONTROL

Jeremy Allison jra at samba.org
Sun May 14 23:40:05 GMT 2006

On Mon, May 15, 2006 at 12:00:07AM +0100, Roger Lucas wrote:
> Agreed, but as I understand it (from the "Samba-3 By Example" section
> 10.3.4) there is no way to get a Windows box to change the owner of a file
> on the SAMBA box.  You have to log into the Linux box to make the change.
> This causes a problem if you are trying to drop a box into a Windows network
> which you want to be able to manage completely from Windows.  If the ACL
> access was more "relaxed" then it would help work around this problem.

No, you can chown a file from Windows on Samba. Here is the comment from
the code :

 Try to chown a file. We will be able to chown it under the following conditions.

  1) If we have root privileges, then it will just work.
  2) If we have SeTakeOwnershipPrivilege we can change the user to the current user.
  3) If we have SeRestorePrivilege we can change the user to any other user.
  4) If we have write permission to the file and dos_filemodes is set
     then allow chown to the currently authenticated user.

> The problem for me with the "ACL GROUP CONTROL" is that currently all files
> and folders which are created by Windows users have their primary group as
> "Domain users".  Since my goal is to have a single share, this means that I
> cannot use the "force group" etc features to override the user and group
> owner of the file.  If I then enable "ACL GROUP CONTROL" then it means that
> any member of the "Domain users" group can change the ACL, which basically
> removes any security in the system.  Having a single share makes the "ACL
> GROUP CONTROL" feature less useful...

You could fix this by creating new groups for the users - grouping
them into areas of functional control, where users in the same group
have control over directories created by all users in that group.

That's the only logical way to separate out the users anyway. Make
sure the Windows users have a different primary group the "Domain users"
and then the directories created by them should have the correct
group ownership... Or am I missing something ?


More information about the samba mailing list