Meike,
If you are referring to permission changes from a Windows machine, then
"nt acl support = No" on the share will remove the Security tab from the
file/directory properties window, making it impossible to change
permissions via the GUI.
Dale
On 10/23/2014 7:49 AM, Meike Stone wrote:
> Hello,
>
> I want to prevent users from changing file/directory rights and haven't
> found any possible solution.
> Setup:
> ---------
> * Samba 3.6.3
> * using LDAP for users and groups
>
> Config:
> ----------
>
> workgroup = Samba
> security = user
>
> ldap admin dn = uid=samba_user,cn=admin,o=company,c=net
> passdb backend = ldapsam:ldap://ldap01.company.net
> ldap suffix = cn=users,o=company,c=net
> ldap user suffix = cn=accounts
> ldap group suffix = cn=groups
> ldap passwd sync = No
>
>
> Requirements:
> ---------------------
> I have one share "projects". In the configured path for the share are
> different folders, one folder for each project.
> Each folder gets on creation two ACLs, a default ACL and the GUID bit:
> - one dedicated read/only group
> - one dedicated read/write group
>
> Example:
> getfacl Project_B
> # file: Project_B
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> group::rwx
> group:Project_B_W:rwx
> group:Project_B_R:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:group::rwx
> default:group:Project_B_W:rwx
> default:group:Project_B_R:r-x
> default:mask::rwx
> default:other::---
>
> The users are included in these groups, as defined by the project owner.
>
> The complete setup is working well in different possible
> configurations, but I could not prevent the users (from write group)
> to change the ACLs in (a self-created folder) underneath the
> project folder.
>
> 1) If I configure a "normal" share, smbd will run with user rights. So
> all directories and files created by user are owned by him.
> The owner can change rights ...
>
> 2) If I configure "inherit owner = yes", the smbd is running as root
> and the owner (group/user) is inherited from project folder.
> But the user connected to that share can change the rights as well.
> (this is also not the preferred solution, because nobody knows the
> creator)
>
> 3) Using "directory security mask", "force directory security mode" is
> not possible with different ACLs, because it bulldozes all permissions
> for the different ACLs to the same value ...
>
>
> Is there any possibility to prevent users from changing rights in this context?
>
>
> Thanks Meike
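
Added example, not part of the original thread: a small checker that parses `getfacl` output like the listing quoted above and reports where a subfolder's ACL has drifted from the project folder's default ACL. The subfolder name `drafts`, the user `bob`, and the rule that a subfolder should carry the parent's default ACL unchanged are assumptions made for illustration.

```python
# Constructed sample: getfacl output of the project folder, as in the post.
PARENT = """\
# file: Project_B
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:Project_B_W:rwx
group:Project_B_R:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:Project_B_W:rwx
default:group:Project_B_R:r-x
default:mask::rwx
default:other::---
"""
# Constructed sample: a subfolder ("drafts" and "bob" are hypothetical) whose
# access ACL was widened by a write-group member; its default ACL is untouched.
CHILD = (PARENT.replace("Project_B\n", "Project_B/drafts\n", 1)
         .replace("user::rwx\n", "user::rwx\nuser:bob:rwx\n", 1)
         .replace("_R:r-x", "_R:rwx", 1)
         .replace("other::---", "other::r-x", 1))

def parse_getfacl(text):
    """Split getfacl output into (access, default) dicts: 'tag:name' -> perms."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if line:
            target = default if line.startswith("default:") else access
            tag, name, perms = line.removeprefix("default:").split(":")
            target[f"{tag}:{name}"] = perms
    return access, default

def acl_drift(parent_text, child_text):
    """Assumption: a subfolder should carry the parent's default ACL as both
    its access and its default ACL. Returns (kind, entry, expected, found)."""
    _, expected = parse_getfacl(parent_text)
    findings = []
    for kind, actual in zip(("access", "default"), parse_getfacl(child_text)):
        for key in sorted(expected.keys() | actual.keys()):
            if expected.get(key) != actual.get(key):
                findings.append((kind, key, expected.get(key), actual.get(key)))
    return findings
```

Calling `acl_drift(PARENT, CHILD)` returns one finding per changed, added or removed entry; an empty list means the subfolder still matches the project folder's default ACL.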