Created attachment 12188: fixes the coding intention + torture

It's a samba-4.0 only bug; creating this ticket for fix archival. When a share ACL is set to CHANGE, users can still change file permissions (file ACLs). Expected that only FULL access would allow it. I've tested samba-3.6, samba-4.2, samba-4.3, Windows 7 and Win 2012; all work as expected. (Did not try samba-4.1.) Attaching the 1-liner bugfix and torture.

Created attachment 12189: recreate this bug

Attaching reproducer.

smbtorture //<ip>/<share> -UAdministrator%XXXXX --option=torture:extra_user1=<existing normal username> --option=torture:extra_password1=XXXXX -W <domain> rpc.samba3.sharesec2
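
The expected behaviour described in this report, modelled as an added example (it is not Samba source code and not the attached patch): the share ACL caps whatever the file ACL grants, so WRITE_DAC must be refused under CHANGE and allowed only under FULL. The mask values are the standard READ/CHANGE/FULL share templates; the function names, user names and sample attempts are constructed for illustration.

```python
# Added illustration; not Samba code. Standard Windows/SMB access-right bits.
DELETE       = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC    = 0x00040000   # needed to change a file's ACL
WRITE_OWNER  = 0x00080000   # needed to take ownership
SYNCHRONIZE  = 0x00100000

# Share-level permission templates (READ / CHANGE / FULL).
SHARE_MASKS = {"READ": 0x001200A9, "CHANGE": 0x001301BF, "FULL": 0x001F01FF}

RIGHT_NAMES = {DELETE: "DELETE", READ_CONTROL: "READ_CONTROL",
               WRITE_DAC: "WRITE_DAC", WRITE_OWNER: "WRITE_OWNER",
               SYNCHRONIZE: "SYNCHRONIZE"}

def names(mask):
    """Decode a mask into standard-right names plus any object-specific bits."""
    out = [n for bit, n in RIGHT_NAMES.items() if mask & bit]
    if mask & 0xFFFF:
        out.append("object-specific:0x%04x" % (mask & 0xFFFF))
    return out

def check_open(share_perm, file_acl_grant, requested):
    """Expected decision: effective access = file ACL grant AND share mask."""
    effective = file_acl_grant & SHARE_MASKS[share_perm]
    missing = requested & ~effective & 0xFFFFFFFF
    return (missing == 0, names(missing))

def should_be_denied(attempts, file_acl_grant):
    """Return (user, missing rights) for every attempt the share ACL must block."""
    flagged = []
    for user, share_perm, requested in attempts:
        ok, missing = check_open(share_perm, file_acl_grant, requested)
        if not ok:
            flagged.append((user, missing))
    return flagged

# Constructed sample: the file ACL itself grants full control to every user.
FILE_GRANT = 0x001F01FF
ATTEMPTS = [
    ("alice", "CHANGE", WRITE_DAC | READ_CONTROL),  # the case from this report
    ("bob",   "FULL",   WRITE_DAC | READ_CONTROL),
    ("carol", "READ",   DELETE),
]

if __name__ == "__main__":
    for user, missing in should_be_denied(ATTEMPTS, FILE_GRANT):
        print(user, "must be denied:", ", ".join(missing))
```
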