Hi all, I'm reposting because there was no response from the list. I'd be glad if anybody could comment... I'm planning a migration from Sun Microsystems' PCNetLink CIFS service to Samba and have a problem I cannot solve: Is there a possibility to map Windows ACLs to reflect the following: We have user groups with their own group directories. We need to provide some users in their group directories the ability to read/create/modify/remove files, but they must not be able to change permissions on the files/directories. In particular they must not take ownership of files they are not owners of. I've tried to test this using Samba 3.0.10 on Solaris 9 and compiled with --with-acl-support. The configuration for my test share has the following ACL relevant settings: security mask = 0777 force security mode = 0 directory security mask = 0777 force directory security mask = 0 But, if I try to set the following permissions (all except Full Control): Modify, Read & Execute List Folder Contents Read Write using Windows Explorer connected to the share on a subdirectory of the share, I get 777 on UNIX file system and my Windows client sees 'full control'. I'd be glad if anybody could confirm if the situation described above is normal Samba behavior or not and if my problem can be solved at all (using Samba). Thanks in advance Best regards, Daniel -- Daniel Cisowski EDS Operations Services GmbH EAD DP Eisenstr. 58 (58-5-M) D-65428 Ruesselsheim mailto:daniel.cisowski@eds.com jabber:daniel.cisowski@eim.eds.com
Cisowski, Daniel wrote:>Hi all, >Hi>I've tried to test this using Samba 3.0.10 on Solaris 9 and compiled with >--with-acl-support. The configuration for my test share has the following >ACL relevant settings: > security mask = 0777 > force security mode = 0 > directory security mask = 0777 > force directory security mask = 0 >But, if I try to set the following permissions (all except Full Control): > Modify, > Read & Execute > List Folder Contents > Read > Write >using Windows Explorer connected to the share on a subdirectory of the >share, I get 777 on UNIX file system and my Windows client sees 'full >control'. >Do you have your kernel compiled for ACL's support for your filesystem?> >Thanks in advance > >Best regards, > >Daniel >Bye
On Tue, Feb 22, 2005 at 09:23:57AM +0100, Cisowski, Daniel wrote:> Hi all, > > I'm reposting because there was no response from the list. I'd be glad if > anybody could comment... > > I'm planning a migration from Sun Microsystems' PCNetLink CIFS service to > Samba and have a problem I cannot solve: > > Is there a possibility to map Windows ACLs to reflect the following: > > We have user groups with their own group directories. We need to provide > some users in their group directories the ability to > read/create/modify/remove files, but they must not be able to change > permissions on the files/directories. In particular they must not take > ownership of files they are not owners of. > > I've tried to test this using Samba 3.0.10 on Solaris 9 and compiled with > --with-acl-support. The configuration for my test share has the following > ACL relevant settings: > security mask = 0777 > force security mode = 0 > directory security mask = 0777 > force directory security mask = 0 > But, if I try to set the following permissions (all except Full Control): > Modify, > Read & Execute > List Folder Contents > Read > Write > using Windows Explorer connected to the share on a subdirectory of the > share, I get 777 on UNIX file system and my Windows client sees 'full > control'. > > I'd be glad if anybody could confirm if the situation described above is > normal Samba behavior or not and if my problem can be solved at all (using > Samba).Ok, don't think of this as a Windows ACL problem, think of it as a POSIX ACL problem and try and create a solution using that. That's what Samba3 is using under the covers anyway. Jeremy.