[Samba] Unexpected behaviour with ACL GROUP CONTROL

Roger Lucas roger at planbit.co.uk
Sun May 14 23:51:23 GMT 2006

> -----Original Message-----
> From: Jeremy Allison [mailto:jra at samba.org]
> Sent: 15 May 2006 00:40
> To: Roger Lucas
> Cc: 'Jeremy Allison'; samba at lists.samba.org
> Subject: Re: [Samba] Unexpected behaviour with ACL GROUP CONTROL
> On Mon, May 15, 2006 at 12:00:07AM +0100, Roger Lucas wrote:
> > Agreed, but as I understand it (from the "Samba-3 By Example" section
> > 10.3.4) there is no way to get a Windows box to change the owner of a
> file
> > on the SAMBA box.  You have to log into the Linux box to make the
> change.
> > This causes a problem if you are trying to drop a box into a Windows
> network
> > which you want to be able to manage completely from Windows.  If the ACL
> > access was more "relaxed" then it would help work around this problem.
> No, you can chown a file from Windows on Samba. Here is the comment from
> the code :
> /*************************************************************************
> ***
>  Try to chown a file. We will be able to chown it under the following
> conditions.
>   1) If we have root privileges, then it will just work.
>   2) If we have SeTakeOwnershipPrivilege we can change the user to the
> current user.
>   3) If we have SeRestorePrivilege we can change the user to any other
> user.
>   4) If we have write permission to the file and dos_filemodes is set
>      then allow chown to the currently authenticated user.
> **************************************************************************
> **/

Yup - that works.  May I suggest a slight update to the documentation to
clarify this situation?

> > The problem for me with the "ACL GROUP CONTROL" is that currently all
> files
> > and folders which are created by Windows users have their primary group
> as
> > "Domain users".  Since my goal is to have a single share, this means
> that I
> > cannot use the "force group" etc features to override the user and group
> > owner of the file.  If I then enable "ACL GROUP CONTROL" then it means
> that
> > any member of the "Domain users" group can change the ACL, which
> basically
> > removes any security in the system.  Having a single share makes the
> "ACL
> > GROUP CONTROL" feature less useful...
> You could fix this by creating new groups for the users - grouping
> them into areas of functional control, where users in the same group
> have control over directories created by all users in that group.
> That's the only logical way to separate out the users anyway. Make
> sure the Windows users have a different primary group the "Domain users"
> and then the directories created by them should have the correct
> group ownership... Or am I missing something ?

Don't worry, you aren't missing anything :-)  It is me missing lots and
trying to get my head around it.  It all makes sense now.  Thanks for your
patience in guiding me through it.

- Roger

More information about the samba mailing list