> -----Original Message-----
> From: Jeremy Allison [mailto:[EMAIL PROTECTED]
> Sent: 15 May 2006 00:40
> To: Roger Lucas
> Cc: 'Jeremy Allison'; [email protected]
> Subject: Re: [Samba] Unexpected behaviour with ACL GROUP CONTROL
>
> On Mon, May 15, 2006 at 12:00:07AM +0100, Roger Lucas wrote:
> > Agreed, but as I understand it (from the "Samba-3 By Example" section
> > 10.3.4) there is no way to get a Windows box to change the owner of a file
> > on the SAMBA box. You have to log into the Linux box to make the change.
> > This causes a problem if you are trying to drop a box into a Windows network
> > which you want to be able to manage completely from Windows. If the ACL
> > access was more "relaxed" then it would help work around this problem.
>
> No, you can chown a file from Windows on Samba. Here is the comment from
> the code :
>
> /****************************************************************************
>  Try to chown a file. We will be able to chown it under the following
>  conditions.
>
>   1) If we have root privileges, then it will just work.
>   2) If we have SeTakeOwnershipPrivilege we can change the user to the
>      current user.
>   3) If we have SeRestorePrivilege we can change the user to any other
>      user.
>   4) If we have write permission to the file and dos_filemodes is set
>      then allow chown to the currently authenticated user.
> ****************************************************************************/
>
Yup - that works. May I suggest a slight update to the documentation to clarify this situation?

> > The problem for me with the "ACL GROUP CONTROL" is that currently all files
> > and folders which are created by Windows users have their primary group as
> > "Domain users". Since my goal is to have a single share, this means that I
> > cannot use the "force group" etc features to override the user and group
> > owner of the file. If I then enable "ACL GROUP CONTROL" then it means that
> > any member of the "Domain users" group can change the ACL, which basically
> > removes any security in the system. Having a single share makes the "ACL
> > GROUP CONTROL" feature less useful...
>
> You could fix this by creating new groups for the users - grouping
> them into areas of functional control, where users in the same group
> have control over directories created by all users in that group.
>
> That's the only logical way to separate out the users anyway. Make
> sure the Windows users have a different primary group than "Domain users"
> and then the directories created by them should have the correct
> group ownership... Or am I missing something ?
>

Don't worry, you aren't missing anything :-) It is me missing lots and trying to get my head around it.

It all makes sense now. Thanks for your patience in guiding me through it.

- Roger
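An added example, not part of the thread and not Samba code: since "acl group control" hands ACL changes to every member of a file's owning group, this audit lists what under a share is still group-owned by a catch-all group such as "Domain users" before the option is enabled. The function name, the temporary directory and the gids used in the demo are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_group_ownership(share_root, broad_gids):
    """List entries under share_root whose owning group is one of broad_gids.

    broad_gids: numeric gids of catch-all groups (for example the Unix gid
    that "Domain users" maps to on this server; supplied by the admin).
    """
    broad = set(broad_gids)
    findings = []
    for dirpath, _dirs, files in os.walk(share_root):
        # Check the directory itself, then each file in it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)  # lstat: do not follow symlinks out of the share
            if st.st_gid in broad:
                findings.append({
                    "path": path,
                    "gid": st.st_gid,
                    "is_dir": stat.S_ISDIR(st.st_mode),
                    # setgid directories pass their group on to new children,
                    # so a flagged setgid directory keeps producing findings.
                    "setgid": bool(st.st_mode & stat.S_ISGID),
                })
    return findings


def demo():
    """Run the audit over a constructed tree; returns (hits, misses)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "projects"))
        with open(os.path.join(root, "projects", "plan.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        gid = os.lstat(root).st_gid  # stand-in for the catch-all group's gid
        hits = audit_group_ownership(root, {gid})
        misses = audit_group_ownership(root, {gid + 1})
        return len(hits), len(misses)


if __name__ == "__main__":
    print(demo())
```

Entries it reports are the ones to move to a functional group's ownership first, as suggested in the reply above.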
