Bug 4580 - smbcacls can't change group owner on file
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools
Version: 3.0.25
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2007-04-30 04:34 UTC by Henrik (dead mail address)
Modified: 2020-12-20 22:28 UTC (History)
Description Henrik (dead mail address) 2007-04-30 04:34:29 UTC
Using dos filemode = yes should allow users with write access to change the owner and group of a file, if I understand it correctly.
This works as promised when changing owner but not when changing group.
Example follows:

Running these two commands I can easily switch group while KIC\Administrator is the owner of the file.
debian:~$ /usr/local/samba/bin/smbcacls -G "KIC\Domain users" //192.168.1.137/acltest apa -U"KIC\Administrator"

cubiq acltest]# getfacl apa
# file: apa
# owner: KIC\134administrator
# group: KIC\134domain\040users
user::rw-
group::rw-
other::rw-

debian:~$ /usr/local/samba/bin/smbcacls -G "KIC\Domain admins" //192.168.1.137/acltest apa -U"KIC\Administrator"
# file: apa
# owner: KIC\134administrator
# group: KIC\134domain\040admins
user::rw-
group::rw-
other::rw-

But if I put another owner on the file I can no longer switch group, even though Administrator has write access to the file (through the Domain Admins group).

The funny thing is that I can change owner of the file when I have only write access but not group.

I also wonder if it is possible to change group to a group which the changing user is not a member of?

Both client and server are running Debian Etch with Ext3 and ACL support.

Samba Version on client is:
/usr/local/samba/bin/smbcacls --version Version 3.0.25rc2-SVN-build-22402
Samba Version on server is:
Version 3.0.24
Comment 1 Henrik (dead mail address) 2007-04-30 09:14:44 UTC
After some more research I've noticed that it works if I put the user doing the activities in the "admin users" option. As this makes the user perform all actions as root I can see why it works, but that's the whole purpose of dos filemode, isn't it? To be able to make permission and ACL changes with only write access to the file.

So it feels like there is something wrong with the dos filemode and changing groups.

cheers,
henrik
Comment 2 Gerald (Jerry) Carter (dead mail address) 2007-04-30 09:20:51 UTC
See the SeTakeOwnershipPrivilege and the SeRestorePrivilege.
This is a configuration issue.  The "dos filemode" is not for 
ownership, but rather permissions and timestamps.
Comment 3 Henrik (dead mail address) 2007-04-30 09:55:47 UTC
Hi Jerry and thanks for your input,

I followed your suggestion and granted the privileges to Domain admin as you suggested.
[root@cubiq ~]# /usr/local/samba/bin/net rpc rights list accounts "KIC\Administrator"
SeTakeOwnershipPrivilege
SeRestorePrivilege

Even so I can't change the group of a file if "KIC\Administrator" is not the owner of the file.

Should I send in a log or what would you want me to do?

I also noticed that even if "KIC\Administrator" is the owner I can't change the group to a domain group which "KIC\Administrator" is not a member of unless I put KIC\Administrator in the "admin users" option.

Cheers,
henrik
Comment 4 Henrik (dead mail address) 2007-05-02 02:56:26 UTC
Hi Jerry,

I can't get this to work, and smbcacls doesn't return an error when it's failing, so there must be something wrong with it.

It probably is a configuration error, but following your suggestions didn't resolve the problem (see my last comment).

Could you please give me your share configurations so that I can set up my share exactly the same.
Also why is smbcacls failing silently?

Cheers,
henrik
Comment 5 Björn Jacke 2020-12-20 22:28:57 UTC
closing this now, the samba mailing list is a better option in cases like this.
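
Comment 4 reports that smbcacls returns no error when the group change does not take effect. One way to catch that, as an added example that is not part of the original bug report or Samba's own code: read the ACL back after the change and compare its GROUP: line with the requested group. The function names and the sample listing are constructed for illustration, and the REVISION/OWNER/GROUP/ACL listing layout is assumed from smbcacls' usual output.

```shell
#!/bin/sh
# Added example: detect a silently ignored "smbcacls -G" by reading the ACL back.

# Print the value of the first GROUP: line of an smbcacls listing read from stdin.
acl_group() {
    sed -n '/^GROUP:/{s/^GROUP:[[:space:]]*//p;q;}'
}

# Compare two account names case-insensitively (the getfacl output in the
# report shows the same names lowercased on the server side).
same_account() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$a" = "$b" ]
}

# verify_group WANTED < listing
# Returns 0 if the listing's group is WANTED, 1 if it differs, 2 if no GROUP: line.
verify_group() {
    wanted=$1
    actual=$(acl_group)
    [ -n "$actual" ] || { printf 'no GROUP: line in listing\n' >&2; return 2; }
    same_account "$wanted" "$actual" && return 0
    printf "group is '%s', wanted '%s'\n" "$actual" "$wanted" >&2
    return 1
}

# set_group_checked //server/share FILE USER GROUP
# Runs the change as in the report, then lists the ACL and verifies it.
# Returns 3 if smbcacls itself reports an error.
set_group_checked() {
    unc=$1 file=$2 user=$3 group=$4
    smbcacls -G "$group" "$unc" "$file" -U "$user" || return 3
    smbcacls "$unc" "$file" -U "$user" | verify_group "$group"
}

# Constructed listing: the state after a change to "Domain Admins" was ignored.
SAMPLE_LISTING='REVISION:1
OWNER:KIC\henrik
GROUP:KIC\Domain Users
ACL:KIC\Domain Admins:ALLOWED/0/FULL'

# Offline demo on the constructed listing (does not contact a server).
if printf '%s\n' "$SAMPLE_LISTING" | verify_group 'KIC\Domain Admins' 2>/dev/null; then
    echo "group change verified"
else
    echo "group change did not take effect"
fi
```

Against a live share, call `set_group_checked` with the same share, file, user and group arguments used in the report; a non-zero return means the change failed or was ignored.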