On 18 Jun 2003 at 15:39, Dragan Krnic wrote:

> >>The show-stopper right now is this: we need to be
> >>able to assign "real" Full Control permissions: a
> >>user who has "Full control" on a directory should
> >>be able to Read, Write, eXecute (of course) [ this
> >>can be easily achieved with ACLs ] *plus* being
> >>able to give away Full Control to other users too
> >>[being able to override inherited ACLs would be a
> >>plus, too]. Is this feasible (remember smbd runs as
> >>root... )? Has somebody thought about implementing
> >>this ?
>
> If you have Full Control over a directory (e.g. as
> root, or own it or have rwx on it), you can give FC
> (rwx) to others. Is it perhaps the other way around,
> that you want to stop this delegation, unless an FC
> EA explicitly allows it? I'm not sure if it can be
> a show-stopper or if it really makes a difference.

In our case, the only users who require "Full Control" access are admins, so we use "admin users = @domain/domain admins". Not ideal, but it gives us the NT equivalence we require, and has allowed us to migrate a large portion of our file storage to Samba.

We find the option "nt acl support = no" to be a nice feature that is not available on NT. It prevents our students from messing with ACLs (for their own files) which had been a problem on NT. We provide a second admin access only share which provides ACL support for admins.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca

"Friends don't let friends use Outlook."
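
A check for the two-share layout described in this message, added here as an example (it is not code from the post or from the Samba project): it reads an smb.conf and flags shares where clients can still edit ACLs without a user restriction, or where `admin users` is set on a share that is not limited to those same principals. The share names, paths and the two audit rules are assumptions; `admin users`, `nt acl support` and `valid users` are the smb.conf parameters named above or known to exist.

```python
import configparser

# Constructed smb.conf modelling the layout in the message.
# Share names and paths are assumptions made for this example.
SAMPLE_SMB_CONF = """
[global]
workgroup = DOMAIN

[students]
path = /srv/samba/students
nt acl support = no

[students-admin]
path = /srv/samba/students
nt acl support = yes
admin users = @domain/domain admins
valid users = @domain/domain admins

[staff]
path = /srv/samba/staff
"""

def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_shares(conf_text):
    """Return {share: [findings]} for ACL-editing and root-equivalent exposure."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %U etc. literal
    cp.read_string(conf_text)
    glob = cp["global"] if cp.has_section("global") else {}
    findings = {}
    for share in cp.sections():
        if share == "global":
            continue
        sec, notes = cp[share], []
        # A per-share value overrides [global]; Samba's default is "yes".
        acl = sec.get("nt acl support", glob.get("nt acl support", "yes"))
        admins = sec.get("admin users", "").strip()
        valid = sec.get("valid users", "").strip()
        if _truthy(acl) and not valid:
            notes.append("ACL editing enabled with no valid users restriction")
        # admin users perform all file operations on the share as root.
        if admins and valid != admins:
            notes.append("admin users set but share not limited to them")
        findings[share] = notes
    return findings
```

On the constructed sample only `[staff]` is reported, because it inherits the default `nt acl support = yes` and has no `valid users` line.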