[Samba] Prevent Samba clients from changing group ownership?

Jack Bates v1twoz at nottheoilrig.com
Thu Jun 7 10:32:24 MDT 2012

On 06/06/12 01:35 AM, Jonathan Buzzard wrote:
> On Wed, 2012-06-06 at 06:47 +0000, Dirk Traenapp wrote:
> [SNIP]
>> With this configuration i can force every new folder or file belonging
>>   to default-group of the parent folder.
> But won't stop me *changing* the ownership of file or folder.

Right, and thanks for all the advice. We want the group ownership of all 
files and folders in a particular directory to be "www-data", so we used 
"chmod g+s" on the directory. This seems to work well for many Samba 
clients, but we notice that the group ownership of files created or 
edited by some Samaba clients is the default group of the user, not 
"www-data". The client is (at least one version of) Mac OS X

I assume what is happening is that the "g+s" permission on the directory 
is respected when files are created, but that clients are able to change 
the group ownership of files, and this is what the Mac OS X client is doing?

It sounds like the only way to prevent clients from changing group 
ownership is with rich permissions (which I haven't checked out yet) and 
disabling Unix extensions

More information about the samba mailing list