samba - Jun 2006 - Error changing ACL when not the owner of the file...

Hi there folks,

I hope someone will take a minute to help me out...

We succesfully joined Samba 3.0.22 (on Debian using the .deb's from
samba.org) to our W2K3 ADS domain. We done all the steps needed to get
ACL's to work (compiled the kernel and mounted with ACl support) and all
seems to be working great.

What goes wrong is that when a user creates a file, the Admin can't
change the ACL but get's a access denied error. After searching and
reading a lot we found that we might needed to give the Admin the
SeDiskOperatorPrivilege. So set 'enable privileges = yes' in the
smb.conf and assigned the privilege. When checking (net rpc rights list
accounts -U Administrator) the privilege seems to be assigned, but we
still keep getting the access denied...

Anyone has a pointer or a tip we can work with? Thanks in advance...

=====================================================================
[global]
        security = ads
        password server = srv-solcon-01
        encrypt passwords = true
        workgroup = solcon
        realm = SOLCON.LOCAL
        netbios name = testbak

        log file = /var/log/samba/samba.log
        log level = 2
        syslog = 0

        enable privileges = yes
        dos filemode = yes

        nt acl support = yes
        map acl inherit = yes

        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
	winbind use default domain = yes

[testdir]
        comment = testdir
        path = /usr/home/testdir
        read only = no
        browsable = yes
        writable = yes
        dos filemode = yes
        map archive = yes
        map hidden = yes
        map system = yes
        inherit permissions = yes
        veto oplock files = /*.mdb/*.MDB/
        create mask = 0770
        force create mode = 0440
        directory mask = 0771
        force directory mode = 0771
        security mask = 0777
        force security mode = 0440
        directory security mask = 0777
        force directory security mode = 0771

=====================================================================
Kind regards,

Sander

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

S. J. van Harmelen wrote:
> What goes wrong is that when a user creates a file, 
> the Admin can't change the ACL but get's a access
> denied error.
Set these in the shares:

	dos filemode = yes
	acl group control = yes



cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEiWXGIR7qMdg1EfYRAnGWAJ0UHskzlEKZ7oApOAhW2NoKRd7JYwCfachZ
Av8i6sAuwmEVsBheSnxDOKI=DxbV
-----END PGP SIGNATURE-----