On Thu, Oct 14, 2010 at 12:54:59AM -0400, [email protected] wrote:
> What I noticed from the below example is, any user who
> has write access to share is able to change sub folder
> ACLs in it. We don't want that. How to restrict this to
> only admin users in NAS and to AD administrator in
> Windows?
>
> Please help.
>
> ----------------
>
> 1) Import user from W2K3 R2 Server and set up a secure share. User has
> Read/Write access.
>
> 2) Create sub-folder and set Read.
>
> 3) Log in as user on Windows 7 workstation using AD user's credentials.
>
> 4) Map to share and write files to share - OK as expected.
>
> 5) Change directory to sub-folder and write files to sub-folder - write
> denied as expected.
>
> 6) As AD user right click on sub-folder and enter properties, security.
> Attempt to change R/O rights. Successfully changed - Not expected behavior,
> only Administrator of NAS, Administrator of AD or member of AD Admin group
> should be able to change rights on secure sub-folders.

Assuming you're using pure POSIX ACLs, this is expected behaviour. It is
an artifact of Samba mapping POSIX ACLs to Windows ACLs, not enforcing
additional restrictions on top of it. POSIX allows the owner of a
directory to change its ACL; probably this is what you see here.

Volker
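
An added example, not part of the original thread: a Python sketch of the ownership rule described in the reply, plus a check that lists sub-folders owned by accounts outside an admin set. The function names, the `admin_uids` parameter and the temporary sample tree are assumptions for illustration; it exercises mode bits through `os.chmod`, and the same owner rule governs POSIX ACL changes.

```python
import os
import stat
import tempfile


def owner_can_rewrite_mode(path):
    """POSIX rule: the owner may change a directory's permissions even when
    the current mode gives the owner no write access to it."""
    try:
        os.chmod(path, 0o555)   # read-only for everyone, owner included
        os.chmod(path, 0o755)   # the owner grants write back to itself
    except PermissionError:
        return False            # caller is neither the owner nor root
    return stat.S_IMODE(os.stat(path).st_mode) == 0o755


def dirs_with_untrusted_owner(share_root, admin_uids):
    """Return (path, uid) for every sub-directory under share_root whose
    owner is not in admin_uids. Those owners can change its permissions."""
    findings = []
    for dirpath, dirnames, _files in os.walk(share_root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the share
            if stat.S_ISDIR(st.st_mode) and st.st_uid not in admin_uids:
                findings.append((full, st.st_uid))
    return sorted(findings)


def demo():
    """Constructed sample tree: <tmp>/readonly, owned by the current user."""
    with tempfile.TemporaryDirectory() as share:
        sub = os.path.join(share, "readonly")
        os.mkdir(sub)
        me = os.getuid()
        changed = owner_can_rewrite_mode(sub)
        # Hypothetical admin set that does not contain the current user.
        flagged = dirs_with_untrusted_owner(share, admin_uids={me + 1})
        # Same tree when the current user counts as an admin.
        clean = dirs_with_untrusted_owner(share, admin_uids={me})
        return changed, [os.path.relpath(p, share) for p, _ in flagged], clean


if __name__ == "__main__":
    print(demo())
```

Run against the real share root with the UIDs of the NAS admin accounts, any path it reports is a sub-folder whose owner can alter its permissions regardless of the rights granted on it.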
