samba - Dec 2004 - Samba 3.0.2suse (9.1) and dos file attributes (ro/hidden/system)

Good time of a day.

I have a problem with samba 3.0.2suse and dos file attributes.
Users (winxp,2k,98) cannot change ReadOnly file attrib on files that 
don't belong to them.
Example:
user1 in group main create file test, he can change file attr or 
date/time, but user2 from the same group main can not.
Sorry for my bad english.

Here is my smb.conf:

[global]
	dos charset = CP866
	unix charset = UTF-8
	display charset = LOCALE
	workgroup = WORKGROUP
	realm = 
	netbios name = LOCK
	netbios aliases = 
	netbios scope = 
	server string = file server
	interfaces = 127.0.0.1, eth0
	bind interfaces only = Yes
	security = USER
	auth methods = guest, sam
	encrypt passwords = Yes
	update encrypted = Yes
	client schannel = Auto
	server schannel = Auto
	allow trusted domains = Yes
	hosts equiv = 
	min passwd length = 5
	use cracklib = No
	map to guest = Bad User
	null passwords = Yes
	obey pam restrictions = No
	password server = *
	smb passwd file = /etc/samba/smbpasswd
	private dir = /etc/samba
	passdb backend = tdbsam
	algorithmic rid base = 1000
	root directory = 
	guest account = nobody
	pam password change = Yes
	passwd program = /bin/passwd %u
	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
	passwd chat debug = No
	passwd chat timeout = 2
	username map = 
	password level = 0
	username level = 0
	unix password sync = Yes
	restrict anonymous = 0
	lanman auth = Yes
	ntlm auth = Yes
	client NTLMv2 auth = No
	client lanman auth = Yes
	client plaintext auth = Yes
	preload modules = 
	log level = 0
	syslog = 1
	syslog only = No
	log file = 
	max log size = 5000
	timestamp logs = Yes
	debug hires timestamp = No
	debug pid = No
	debug uid = No
	smb ports = 445 139
	protocol = NT1
	large readwrite = Yes
	max protocol = NT1
	min protocol = CORE
	unicode = Yes
	read bmpx = No
	read raw = Yes
	write raw = Yes
	disable netbios = No
	acl compatibility = 
	nt pipe support = Yes
	nt status support = Yes
	announce version = 4.9
	announce as = NT
	max mux = 50
	max xmit = 16644
	name resolve order = lmhosts wins host bcast
	max ttl = 259200
	max wins ttl = 518400
	min wins ttl = 21600
	time server = No
	unix extensions = Yes
	use spnego = Yes
	client signing = auto
	server signing = No
	client use spnego = Yes
	change notify timeout = 60
	deadtime = 0
	getwd cache = Yes
	keepalive = 300
	kernel change notify = Yes
	lpq cache time = 10
	max smbd processes = 0
	paranoid server security = Yes
	max disk size = 0
	max open files = 10000
	socket options = 
	use mmap = Yes
	hostname lookups = No
	name cache timeout = 660
	load printers = No
	printcap name = cups
	disable spoolss = No
	enumports command = 
	addprinter command = 
	deleteprinter command = 
	show add printer wizard = Yes
	os2 driver map = 
	mangling method = hash
	mangle prefix = 6
	stat cache = Yes
	machine password timeout = 604800
	add user script = 
	delete user script = 
	add group script = 
	delete group script = 
	add user to group script = 
	delete user from group script = 
	set primary group script = 
	add machine script = 
	shutdown script = 
	abort shutdown script = 
	logon script = 
	logon path = \\%N\%U\profile
	logon drive = 
	logon home = \\%N\%U
	domain logons = No
	os level = 20
	lm announce = Auto
	lm interval = 60
	preferred master = Yes
	local master = Yes
	domain master = Auto
	browse list = Yes
	enhanced browsing = Yes
	dns proxy = Yes
	wins proxy = No
	wins server = 
	wins support = No
	wins hook = 
	wins partners = 
	kernel oplocks = Yes
	lock spin count = 3
	lock spin time = 10
	oplock break wait time = 0
	ldap suffix = dc=example,dc=com
	ldap machine suffix = 
	ldap user suffix = 
	ldap group suffix = 
	ldap idmap suffix = 
	ldap filter = (uid=%u)
	ldap admin dn = 
	ldap ssl = no
	ldap passwd sync = no
	ldap delete dn = No
	ldap replication sleep = 1000
	add share command = 
	change share command = 
	delete share command = 
	config file = 
	preload = 
	lock directory = /var/lib/samba
	pid directory = /var/run/samba
	utmp directory = 
	wtmp directory = 
	utmp = No
	default service = 
	message command = 
	dfree command = 
	get quota command = 
	set quota command = 
	remote announce = 
	remote browse sync = 
	socket address = 0.0.0.0
	homedir map = auto.home
	afs username map = 
	time offset = 0
	NIS homedir = No
	panic action = 
	host msdfs = No
	enable rid algorithm = Yes
	idmap backend = 
	idmap uid = 
	idmap gid = 
	template primary group = nobody
	template homedir = /home/%D/%U
	template shell = /bin/false
	winbind separator = \
	winbind cache time = 300
	winbind enable local accounts = Yes
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = No
	winbind trusted domains only = No
	comment = 
	path = 
	username = 
	invalid users = 
	valid users = 
	admin users = 
	read list = 
	write list = 
	printer admin = @ntadmin, root, administrator
	force user = 
	force group = 
	read only = Yes
	create mask = 0744
	force create mode = 00
	security mask = 0777
	force security mode = 00
	directory mask = 0755
	force directory mode = 00
	directory security mask = 0777
	force directory security mode = 00
	inherit permissions = No
	inherit acls = No
	guest only = No
	guest ok = No
	only user = No
	hosts allow = 
	hosts deny = 
	nt acl support = Yes
	profile acls = No
	map acl inherit = Yes
	afs share = No
	block size = 1024
	max connections = 0
	min print space = 0
	strict allocate = No
	strict sync = No
	sync always = No
	use sendfile = No
	write cache size = 0
	max reported print jobs = 0
	max print jobs = 1000
	printable = No
	printing = cups
	printing cups options = 
	print command = 
	lpq command = 
	lprm command = 
	lppause command = 
	lpresume command = 
	queuepause command = 
	queueresume command = 
	printer name = 
	use client driver = No
	default devmode = No
	default case = lower
	case sensitive = No
	preserve case = Yes
	short preserve case = Yes
	mangle case = No
	mangling char = ~
	hide dot files = Yes
	hide special files = No
	hide unreadable = No
	hide unwriteable files = No
	delete veto files = No
	veto files = 
	hide files = 
	veto oplock files = 
	map system = No
	map hidden = No
	map archive = Yes
	mangled names = Yes
	mangled map = 
	browseable = Yes
	blocking locks = Yes
	csc policy = manual
	fake oplocks = No
	locking = Yes
	oplocks = Yes
	level2 oplocks = Yes
	oplock contention limit = 2
	posix locking = Yes
	strict locking = Yes
	share modes = Yes
	copy = 
	include = 
	exec = 
	preexec close = No
	postexec = 
	root preexec = 
	root preexec close = No
	root postexec = 
	available = Yes
	volume = 
	fstype = NTFS
	set directory = No
	wide links = Yes
	follow symlinks = Yes
	dont descend = 
	magic script = 
	magic output = 
	delete readonly = No
	dos filemode = Yes
	dos filetimes = Yes
	dos filetime resolution = No
	fake directory create times = No
	vfs objects = 
	msdfs root = No
	msdfs proxy = 

[test]
	path = /netshare/test
	valid users = +test
	force group = test
	read only = No
	create mask = 0775
	directory mask = 0775
	nt acl support = No
	map acl inherit = No
	map system = Yes
	map hidden = Yes

[main]
	path = /netshare/main
	valid users = +main
	force group = main
	read only = No
	create mask = 0775
	directory mask = 0775
	nt acl support = No
	map acl inherit = No
	map system = Yes
	map hidden = Yes


Pavel.