> -----Original Message-----
> From: Jeremy Allison [mailto:[EMAIL PROTECTED]
> Sent: 14 May 2006 23:37
> To: Roger Lucas
> Cc: 'Jeremy Allison'; [email protected]
> Subject: Re: [Samba] Unexpected behaviour with ACL GROUP CONTROL
>
> On Sun, May 14, 2006 at 11:23:59PM +0100, Roger Lucas wrote:
> > Thanks for the (very) quick reply.
> >
> > Is there any way to set it up so that the ACL for a file or folder can be
> > changed by any user who:
> > - has explicit write access in the current ACL
> > and/or
> > - is a member of a group that has write access in the current ACL
> >
> > I am looking for an "intuitive" configuration so that if you have write
> > access to a file (via whatever ACLs) then you can write to the ACL as well
>
> That's not intuitive to me... The problem is write access doesn't mean
> set ACL access. Set ACL access implies ownership. Write access can be
> given to anyone.
>

Agreed, but as I understand it (from the "Samba-3 By Example" section 10.3.4) there is no way to get a Windows box to change the owner of a file on the SAMBA box. You have to log into the Linux box to make the change. This causes a problem if you are trying to drop a box into a Windows network which you want to be able to manage completely from Windows. If the ACL access was more "relaxed" then it would help work around this problem.

The problem in changing ownership on SAMBA files/folders from Windows is inconvenient, however, and a solution would be nice.

My goal is to have a server with a single share which can be completely administered from Windows (as this makes life easiest for the Windows users). The Windows users would then be able to create folders within this share and set each folder's ACL appropriately.

The problem for me with the "ACL GROUP CONTROL" is that currently all files and folders which are created by Windows users have their primary group as "Domain users". Since my goal is to have a single share, this means that I cannot use the "force group" etc. features to override the user and group owner of the file. If I then enable "ACL GROUP CONTROL" then it means that any member of the "Domain users" group can change the ACL, which basically removes any security in the system. Having a single share makes the "ACL GROUP CONTROL" feature less useful...

I am beginning to suspect that the goal of a single share is impractical, but it would be the preferred solution.

The work-around that I can see is to add the "Domain admins" group to the share "admin users" list for the share. At least then the "Domain admins" group can always change any ACL as necessary.

- Roger.

P.S. Don't get me wrong - SAMBA is fantastic and the quality of integration with Windows is excellent given how awkward Windows is in just about every way.
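
The trade-off discussed in this message, as an added example that is not part of the original post and is not Samba code: a simplified Python model of the rule documented for `acl group control` (the owner, plus the file's primary group when it is enabled) and `admin users` (listed users act as root). The user names, file path and group memberships are constructed.

```python
# Simplified model of who may change a file's ACL through a Samba share.
# Constructed sample data; this is an illustration, not Samba source code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class File:
    path: str
    owner: str
    group: str  # primary group owner of the file


@dataclass
class Share:
    acl_group_control: bool = False
    admin_users: set = field(default_factory=set)  # user names or "@group"


def is_admin(user, share, groups):
    """True if the user matches an 'admin users' entry (name or @group)."""
    for entry in share.admin_users:
        if entry.startswith("@") and user in groups.get(entry[1:], set()):
            return True
        if entry == user:
            return True
    return False


def can_set_acl(user, f, share, groups):
    if is_admin(user, share, groups):
        return True  # admin users perform file operations as root
    if user == f.owner:
        return True  # POSIX rule: the owner may change permissions and ACLs
    # acl group control: members of the file's primary group may as well
    return share.acl_group_control and user in groups.get(f.group, set())


def acl_editors(f, share, groups):
    """Sorted list of every known user who can rewrite the ACL on f."""
    users = set().union(*groups.values())
    return sorted(u for u in users if can_set_acl(u, f, share, groups))


# Constructed sample: one share, a file created by a Windows user.
GROUPS = {"Domain users": {"alice", "bob", "carol", "dave"},
          "Domain admins": {"dave"}}
REPORT = File("/share/finance/report.xls", owner="alice", group="Domain users")
GROUP_CONTROL = Share(acl_group_control=True)
ADMIN_ONLY = Share(admin_users={"@Domain admins"})

if __name__ == "__main__":
    print("acl group control:", acl_editors(REPORT, GROUP_CONTROL, GROUPS))
    print("admin users only :", acl_editors(REPORT, ADMIN_ONLY, GROUPS))
```

With the group-control share every member of "Domain users" appears in the result; with the `admin users` work-around only the owner and the "Domain admins" member do.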
