samba - Sep 2010 - samba acl - able to change permissions that contradict user security setting

Dear friends, I am having following issue on my samba device . Please help me on
this.

1) created share "test" given read and write access to the user
"admin" and read only access to user "user1".

2) from my windows PC logged into the samba share  "test " with
"admin"  user . created subfolder in that "test_subfolder".

3) on that subfolder  , from the windows security tab I could add user
"user1" and can give read and write access to  that.
How to prevent this ??. Actually on the share "test" user1 has read
only access .How samba code is allowing to change permissions that contradict
user security settings.

4) when I login to share "test" with "user1" , I cannot
write into subfolder "test_subfolder"

This is smb.conf for "test" share part ..
-------
[test]
path= /mnt/samba/shares/SP0/test/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= "admin" "user1"
read list= "user1"
store dos attributes= yes
write list= "admin"
-----


I am anticipating your reply.

Thanks
Suresh

Did not get the response . bumping it. friends , Please help me on the below
issue.

Thanks
Suresh

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of suresh.kandukuru at emc.com
Sent: Wednesday, September 08, 2010 11:13 AM
To: samba at lists.samba.org
Subject: [Samba] samba acl - able to change permissions that contradict user
security setting

Dear friends, I am having following issue on my samba device . Please help me on
this.

1) created share "test" given read and write access to the user
"admin" and read only access to user "user1".

2) from my windows PC logged into the samba share  "test " with
"admin"  user . created subfolder in that "test_subfolder".

3) on that subfolder  , from the windows security tab I could add user
"user1" and can give read and write access to  that.
How to prevent this ??. Actually on the share "test" user1 has read
only access .How samba code is allowing to change permissions that contradict
user security settings.

4) when I login to share "test" with "user1" , I cannot
write into subfolder "test_subfolder"

This is smb.conf for "test" share part ..
-------
[test]
path= /mnt/samba/shares/SP0/test/
max connections= 50
max connections= 250
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= no
valid users= "admin" "user1"
read list= "user1"
store dos attributes= yes
write list= "admin"
-----


I am anticipating your reply.

Thanks
Suresh



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Wed, Sep 8, 2010 at 1:43 AM,  <suresh.kandukuru at emc.com>
wrote:
> 1) created share "test" given read and write access to the user
"admin" and read only access to user "user1".
>
> 2) from my windows PC logged into the samba share ?"test " with
"admin" ?user . created subfolder in that "test_subfolder".
>
> 3) on that subfolder ?, from the windows security tab I could add user
"user1" and can give read and write access to ?that.
> How to prevent this ??. Actually on the share "test" user1 has
read only access .How samba code is allowing to change permissions that
contradict user security settings.
>
> 4) when I login to share "test" with "user1" , I cannot
write into subfolder "test_subfolder"
Seems perfectly normal. Share level security will take precedence over
file level security when connected via the share. I'm sure you would
find the same results working with an actual Windows share (always a
good thing to test before you post).

On Wed, Sep 8, 2010 at 10:55 AM, Chris Smith <smb_77 at chrissmith.org>
wrote:
> Share level security will take precedence over
> file level security when connected via the share.
Sorry about that: more accurate would be to state that the most
restrictive security permissions will be active. If share level
permissions allow RW access but the file level permissions only allow
for R access then that is all the user will receive (and vice versa).