Using dos filemode = yes should give users with write access to change owner and group of a file if I understand it correctly. This works as promised when changing owner but not when changing group. Example follows: Running these to commands I can easily switch group while KIC\Administrator is the owner of the file. debian:~$ /usr/local/samba/bin/smbcacls -G "KIC\Domain users" //192.168.1.137/acltest apa -U"KIC\Administrator" cubiq acltest]# getfacl apa # file: apa # owner: KIC\134administrator # group: KIC\134domain\040users user::rw- group::rw- other::rw- debian:~$ /usr/local/samba/bin/smbcacls -G "KIC\Domain admins" //192.168.1.137/acltest apa -U"KIC\Administrator" # file: apa # owner: KIC\134administrator # group: KIC\134domain\040admins user::rw- group::rw- other::rw- But if I put another owner of the file I can no longer switch group even though Administrator has write access to the file.(Through the Domain Admins group) The funny thing is that I can change owner of the file when I have only write access but not group. I also wonder if it is possible to change group to a group which the changing user is not member of? Both client and server is running Debian Etch with Ext3 and acl support Samba Version on client is: /usr/local/samba/bin/smbcacls --version Version 3.0.25rc2-SVN-build-22402 Samba Version on server is: Version 3.0.24
After some more research I've noticed that it works if I put the user doing the activities in the "admin users" option. As this makes the user perform all actions as root I can see why it works but thats the whole purpose with dos filemode isn't? To be able to make perm and acl changing with only write access to the file. So it feels like there is something wrong with the dos filemode and changing groups. cheers, henrik
See the SeTakeOwnershipPrivlege and teh SeRestorePrivilege. This is a configuration issue. The "dos filemode" is not for ownership, but rather permissions and timestamps.
Hi Jerry and thanks for your input, I followed your suggestion and granted the privileges to Domain admin as you suggested. [root@cubiq ~]# /usr/local/samba/bin/net rpc rights list accounts "KIC\Administrator" SeTakeOwnershipPrivilege SeRestorePrivilege Even so I can't change the group of a file if "KIC\Administrator" is not the owner of the file. Should I send in a log or what would you want me to do? I also noticed that even if "KIC\Administrator" is the owner I can't change the group to a domain group which "KIC\Administrator" is not a member of unless I put KIC\Administrator in the "admin users" option. Cheers, henrik
Hi Jerry, I can't get this to work and the smbcacls doesn't return an error when its failing so there must be something wrong with it. It probably is a configuration error, but following your suggestions didn't resolve the problem (see my last comment). Could you please give me your share configurations so that I can set up my share exactly the same. Also why is smbcacls failing silently? Cheers, henrik
closing this now, the samba mailing list is a better option in cases like this.