In samba 3.2.8 "acl group control = yes", made it possible for windows users who where member of the posix owner group on a file or folde to manupilate its rights from the windows NT security dialog box, even if the posix owner group had "---" rights on the file or folder. In samba 3.4.5 the user who is a member of the posix owner group _must_ have "rwx" on the file or folder for him to be able to change the security-settings from windows. If the user has "rw-", "-wx" or "r-x" or anything less than "rwx", he only gets to view the securitysettings, not change them. The clients experiensing these problems are windows2000 and windows2003R2 (which is alle the clients we have). The productin linux server which is experiencing the problem is running sles10sp2, the testserver I use to debug the problem is running sles11 uname -a: Linux erso-desktop 2.6.27.42-0.1-default #1 SMP 2010-01-06 16:07:25 +0100 x86_64 x86_64 x86_64 GNU/Linux smb.conf (on testserver): [global] server string = Samba fra erso passdb backend = tdbsam:/samba-3.4.5/private/passdb.tdb comment = testsone workgroup = testgroup security = server log level = 10 max log size = 0 debug hires timestamp = yes debug pid = yes printcap name = /etc/printcap disable spoolss = yes map to guest = Bad User usershare allow guests = No netbios name = testpc wins support = No [test$] comment = testshare path=/testshare acl group control = yes writable=yes browsable=yes force directory security mode = 2777 No winbind or nmbd, just one smbd-process running in foreground. I will upload 2 debug 10 logfiles. Case 1) smb.log.acl-group-control.470.can-change erso-desktop:/samba-3.4.5/sbin # ls -lat /testshare/test2 total 8 dr--rw---- 2 root gruppetest 4096 Feb 23 08:59 . drwxrwxrwx 3 root root 4096 Feb 23 08:59 .. Case 2) smb.log.acl-group-control.460.fane-cannot-change erso-desktop:/samba-3.4.5/sbin # ls -lat /testshare/test2 total 8 dr--rw---- 2 root gruppetest 4096 Feb 23 08:59 . drwxrwxrwx 3 root root 4096 Feb 23 08:59 .. The logged on user is "Administrator" in both cases. Here are the entries from /etc/passwd: Administrator:x:123:123:Administrator:/home/administrator:/bin/false and from /etc/group: gruppetest:x:123 This is very strange. I am not positively sure the user in these cases are supposed to see and change security, even though he has "---" on the folder. The smb.conf-man-pages could be clearer here. But I think he should be able to see and change them if he has "rw-" on the folder, which is not the case in samba 3.4.5. regards -ERIK
Created attachment 5412 [details] This is a debug-run from the user being able to change security for folder test2 This is a smbd-debug-level10-log from the user 1) browsing \\<ipadress>\test$ and then 2) watching the security tab on folder test2, seeing that he is able to change security here
Created attachment 5413 [details] This is a debug-run from the user not being able to change security for folder test2 This is a debug-10-log from smbd when the user: 1) browses \\<ipadress-of-samba-server>\test$ 2) opens up the security-tab on folder test2, observing (and getting pop-up-notice from windows) that he can only view these settings) Both this and the last debug-attachment was run from windows2000sp4
I think permission changing works as intended in current Samba releases. If not, please file a new report for any issues that you see with recent version.