Author Topic: SAMBA: honoring Read+Write above Read Only ACL  (Read 2290 times)

tr3027

SAMBA: honoring Read+Write above Read Only ACL
« on: November 21, 2012, 09:21:48 am »

Creating a share with ACLs for ActiveDirectory groups like:

 * "domain users" - ReadOnly

 * "domain admins" - Read&Write

 

actually creates the following in the smb.conf: 

    [share]
    comment = Share comment
    path = /mnt/array1/share
    browsable = yes
    printable = no
    writable = yes
    valid users = @DOMAIN+"domain users",@DOMAIN+"domain admins"
    read list = ,@DOMAIN+"domain users"
    force create mode = 666
    force security mode = 666
    force directory mode = 777
    force directory security mode = 777
    csc policy = manual

 

Unfortunately, "domain admins" members are in most cases "domain users" members as well, so even though they have been assigned the "Read&Write" ACL in WebAdmin, they are denied write access. Thus the smb.conf should be extended to:

    [share]
    comment = Share comment
    path = /mnt/array1/share
    browsable = yes
    printable = no
    writable = yes
    valid users = @DOMAIN+"domain users",@DOMAIN+"domain admins"
    read list = ,@DOMAIN+"domain users"
    write list = ,@DOMAIN+"domain admins"
    force create mode = 666
    force security mode = 666
    force directory mode = 777
    force directory security mode = 777
    csc policy = manual

 

 

DomainAdmins vs. DomainUsers is just one example. Multiple group membership and group nesting are used quite often, so this "write list" idea should be on top of the wish list in my opinion :-)

 

Thank you!
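
Added example (not part of the original post and not the product's own code): a small Python model of the precedence documented in smb.conf(5), where a user matching both "read list" and "write list" is given write access. The user name, the group membership data and the trimmed share sections are constructed, and list parsing is simplified to comma-separated entries.

```python
# Added example: models the smb.conf(5) precedence between "valid users",
# "read list" and "write list". Simplified: lists are split on commas only.

def parse_share(text):
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[":
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def split_list(value):
    """Split a user list; empty entries (the leading comma) are dropped."""
    entries = (e.replace('"', "").strip() for e in value.split(","))
    return [e for e in entries if e]

def in_list(user, groups, value):
    """True if the user, or one of the user's groups, matches an entry."""
    for entry in split_list(value):
        pool = groups if entry[0] in "@+&" else {user.lower()}
        if entry.lstrip("@+&").lower() in pool:
            return True
    return False

def effective_access(params, user, groups):
    """Return 'denied', 'read-only' or 'read-write' for a connecting user."""
    groups = {g.lower() for g in groups}
    valid = params.get("valid users", "")
    if split_list(valid) and not in_list(user, groups, valid):
        return "denied"
    # "write list" beats "read list"; both override "writable".
    if in_list(user, groups, params.get("write list", "")):
        return "read-write"
    if in_list(user, groups, params.get("read list", "")):
        return "read-only"
    return "read-write" if params.get("writable", "no").lower() == "yes" else "read-only"

# Constructed, trimmed versions of the two share sections from the post.
GENERATED = '''[share]
writable = yes
valid users = @DOMAIN+"domain users",@DOMAIN+"domain admins"
read list = ,@DOMAIN+"domain users"
'''
PROPOSED = GENERATED + 'write list = ,@DOMAIN+"domain admins"\n'
ADMIN = ["DOMAIN+domain users", "DOMAIN+domain admins"]  # member of both groups
if __name__ == "__main__":
    for name, conf in (("generated", GENERATED), ("proposed", PROPOSED)):
        print(name, effective_access(parse_share(conf), "alice", ADMIN))
```

Run against a real share section, the same function shows which accounts end up read-only purely because of overlapping group membership.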