Description of problem:

AD user is able to change permission for administrator when accessing samba share.By logging in to a AD USER account it is allowing to change permission for administrator account.Which is not allowing any access to administrator to access directory for which USER has changed permission.

Version-Release number of selected component (if applicable):

samba-4.1.17-13.el7rhgs.x86_64

How reproducible:

Always

Steps to Reproduce:

Scenario 1:
1. Login as an USER create a directory in samba share. eg. FOLDER_1
2. Set Read only permissions to FOLDER_1 for ADIMINISTRATOR
3. Login as an ADMINISTRATOR
4. Try to create a directory or text file in USER created directory i.e FOLDER_1.
5. Access denied.

Scenario 2:
1. Login as an ADMINISTRATOR create a directory in samba share. eg. FOLDER_A
2. Set full access permission to FOLDER_A for USER.
3. Login as an USER.
4. Creare a directory FOLDER_U inside FOLDER_A.
5. Set Read only permissions to FOLDER_U for ADIMINISTRATOR
6. Login as an ADMINISTRATOR.
7. Try to create a directory or text file in USER created directory i.e FOLDER_U.
8. Access denied.

Actual results:

AD User able to change permission for Administrator.

Expected results:

AD User should not be able to change permissions for Administrator

Additional info: