Bug 9036 - read only is not fully read only
Summary: read only is not fully read only
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: 4.0 beta3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Marc Muehlfeld
QA Contact: samba4-qa@samba.org
Depends on:
Reported: 2012-07-12 08:03 UTC by Marc Muehlfeld
Modified: 2014-10-13 01:48 UTC

smb.conf (447 bytes, text/plain)
2012-07-12 13:24 UTC, Marc Muehlfeld
logfiles (18.86 KB, application/octet-stream)
2012-07-12 13:26 UTC, Marc Muehlfeld

Description Marc Muehlfeld 2012-07-12 08:03:56 UTC
I set up a share
    path = /srv/samba/test

with the following permissions:
drwxr-xr-x 2 root root 4096 12. Jul 09:43 /srv/samba/test/

If I have configured the share in smb.conf without "read only = no", then the domain admin can create files/directories on the share, but can't delete them (normal users can't do both). Also I can't configure any permissions on the share/folders. Only the creation of files/folders is possible, which is not 100% read-only.

Also if I set "read only = yes" on the share this happens.
Comment 1 Michael Adam 2012-07-12 08:20:57 UTC
Hi Marc,

thanks for the report.

Could you attach your complete configuration?

And if possible level 10 logs of the
admin access (successful create and failing delete)

Cheers - Michael
Comment 2 Marc Muehlfeld 2012-07-12 13:24:36 UTC
Created attachment 7696
Comment 3 Marc Muehlfeld 2012-07-12 13:26:16 UTC
Created attachment 7697

I must correct my previous statement. It's only possible to create folders (not files) as domain admin, if the share is read only = yes (or not set).

Find attached the logs of creating a folder "Neuer Ordner" and trying to delete it again.
Comment 4 Marc Muehlfeld 2012-07-16 10:24:01 UTC
I don't know if this is a different problem, or maybe it's related to this one:

The domain admin seems to be handled differently in some other places too, like here:
I had my logon script batch file on the netlogon share with permission 644 (rw-r--r--). It was executed on login as domain administrator, but not as normal user. After I changed the permissions to 755 (rwxr-xr-x) it was executed for all normal users, too. (Filesystem of the netlogon share is ext4 with user_xattr enabled).
Comment 5 Marc Muehlfeld 2014-10-13 01:48:08 UTC
This is fixed at least in 4.2rc1. Haven't tried older versions.

Shares with
   read only = Yes
or where it's not defined (default = yes), are read-only now for the Domain Admin, too.
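
The rule this report turns on (a share with "read only = Yes", or with no "read only" line at all, is read-only) can be audited across a whole smb.conf. The following is an added example, not part of the bug report or of Samba's code, that reports each share's effective setting. The sample configuration is constructed (only the `[test]` path comes from the report), and `include` directives and backslash line continuations are assumed absent.

```python
# Added example. Assumes no "include" files and no backslash line continuations.
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}
# "writeable", "writable" and "write ok" are inverted synonyms of "read only".
INVERTED = {"writeable", "writable", "writeok"}

# Constructed sample configuration; only the [test] path is taken from the report.
SAMPLE_CONF = """\
[global]
workgroup = EXAMPLE
[test]
path = /srv/samba/test
[explicit]
read only = Yes
[rw]
read only = no
[legacy]
writeable = yes
"""

def parse_bool(value):
    v = value.strip().lower()
    if v not in TRUE | FALSE:
        raise ValueError(f"not a boolean: {value!r}")
    return v in TRUE

def effective_read_only(conf_text):
    """Return {share name (lowercased): bool}; True means the share is read-only."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, None)  # None = not set in this section
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = key.replace(" ", "").lower()  # names ignore case and spaces
            if key == "readonly" or key in INVERTED:
                flag = parse_bool(value)
                sections[current] = flag if key == "readonly" else not flag
    # A value in [global] becomes the default for shares; otherwise read only = yes.
    default = sections.get("global")
    default = True if default is None else default
    return {name: (default if ro is None else ro)
            for name, ro in sections.items() if name != "global"}

if __name__ == "__main__":
    for share, ro in effective_read_only(SAMPLE_CONF).items():
        print(f"{share}: {'read-only' if ro else 'WRITABLE'}")
```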