Creating a share with ACLs for ActiveDirectory groups like:
* "domain users" - ReadOnly
* "domain admins" - Read&Write
actually creates the following in the smb.conf:

    [share]
        comment = Share comment
        path = /mnt/array1/share
        browsable = yes
        printable = no
        writable = yes
        valid users = @DOMAIN+"domain users",@DOMAIN+"domain admins"
        read list = ,@DOMAIN+"domain users"
        force create mode = 666
        force security mode = 666
        force directory mode = 777
        force directory security mode = 777
        csc policy = manual

Unfortunately, "domain admins" members are in most cases "domain users" members as well, so even though they have been assigned the "Read&Write" ACL in WebAdmin, they are denied write access. Thus the smb.conf should be extended to:

    [share]
        comment = Share comment
        path = /mnt/array1/share
        browsable = yes
        printable = no
        writable = yes
        valid users = @DOMAIN+"domain users",@DOMAIN+"domain admins"
        read list = ,@DOMAIN+"domain users"
        write list = ,@DOMAIN+"domain admins"
        force create mode = 666
        force security mode = 666
        force directory mode = 777
        force directory security mode = 777
        csc policy = manual

DomainAdmins vs. DomainUsers is just one example. Multiple group membership and group nesting are used quite often, so this "write list" idea should be on top of the wish list in my opinion :-)
Thank you!
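
Added example, not part of the original post: a simplified Python model of how Samba combines `valid users`, `read list` and `write list` as documented in smb.conf(5), run against the two share definitions above (trimmed to the relevant parameters). The accounts `alice` and `bob`, their group memberships, and the comma-only list splitting are assumptions made for illustration.

```python
# Added example: simplified model of Samba's share access rules (smb.conf(5)).
GENERATED = '''[share]
writable = yes
valid users = @DOMAIN+"domain users",@DOMAIN+"domain admins"
read list = ,@DOMAIN+"domain users"
'''
# Same share with the "write list" line proposed in the post.
PROPOSED = GENERATED + 'write list = ,@DOMAIN+"domain admins"\n'

def parse_share(text):
    """Return the parameters of one share section as a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip()
    return params

def parse_list(value):
    """Split a name list on commas (simplification); drop empty items and quotes."""
    return [i.strip().replace('"', "").lower() for i in value.split(",") if i.strip()]

def matches(names, user, groups):
    """True if the user, or one of the user's groups ('@' entries), is listed."""
    return any(n[1:] in groups if n.startswith("@") else n == user for n in names)

def effective_access(params, user, groups):
    """Return 'denied', 'read-only' or 'read-write' for a connecting user."""
    user, groups = user.lower(), {g.lower() for g in groups}
    valid = parse_list(params.get("valid users", ""))
    if valid and not matches(valid, user, groups):
        return "denied"
    # smb.conf(5): a user in both lists is given write access.
    if matches(parse_list(params.get("write list", "")), user, groups):
        return "read-write"
    if matches(parse_list(params.get("read list", "")), user, groups):
        return "read-only"
    writable = params.get("writable", "no").lower() in ("yes", "true", "1")
    return "read-write" if writable else "read-only"

# Constructed accounts: alice is in both groups, bob only in "domain users".
ALICE = ["DOMAIN+domain users", "DOMAIN+domain admins"]
BOB = ["DOMAIN+domain users"]

if __name__ == "__main__":
    for label, conf in (("generated", GENERATED), ("proposed", PROPOSED)):
        p = parse_share(conf)
        print(label, effective_access(p, "alice", ALICE), effective_access(p, "bob", BOB))
```

Because `write list` takes precedence over `read list`, membership of every group named in it is worth reviewing before the share goes live.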