[Samba] Samba4 and sysvol share
Matthieu Patou
mat at samba.org
Mon Nov 7 02:56:54 MST 2011
Hello Felix,
Sorry for the very late answer,
On 27/09/2011 23:37, felix at epepm.cupet.cu wrote:
>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
>>> Hello.
>>> I noticed that any domain user can delete the content of the shared
>>> folder
>>> sysvol in the domain controller from a windows client.
>>>
>>> How can I avoid that?
>>>
>>> Greetings,
>>> Felix
>>>
>> What's the default windows behavior with this ?
>>
> Windows users Windows permissions
> -------------------------------------------------
> Domain Admins-----------> Full Access
> Authenticated User------> Read & Execute, List folder contents, Read
> CREATOR OWNER-----------> Special permissions (Maybe we don't need this)
> Server Operators--------> Read & Execute, List folder contents, Read
> SYSTEM------------------> Full Access
>
> Thanks for your attention.
> Felix.
>
Well, I redid a test today: in gpmc.msc (Group Policy Management
Console), I have no errors from Windows about the ACLs of the folders
for my policies.

I also ran XCACLS.vbs (can be found here: http://bit.ly/sOCc2E) on v: (I
mapped \\server.domain.tld\sysvol to v:)
V:\>cscript "\\VBOXSVR\exchange\windows admin\XCACLS.vbs" v:
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Starting XCACLS.VBS (Version: 5.2) Script at 07/11/2011 10:40:24
Startup directory:
"V:\"
Arguments Used:
Filename = "v:"
**************************************************************************
Directory: V:\
ControlFlags: 36868
Permissions:
Type     Username                Permissions       Inheritance
Allowed  BUILTIN\Administrators  Full Control      This Folder, Subfolde
Allowed  \                       Read and Execute  This Folder, Subfolde
Allowed  NT AUTHORITY\SYSTEM     Full Control      This Folder, Subfolde
Allowed  NT AUTHORITY\Authentica Read and Execute  This Folder, Subfolde
No Auditing set
Owner: TEST\administrator
**************************************************************************
Operation Complete
Elapsed Time: 0,6328125 seconds.
Ending Script at 07/11/2011 10:40:24
As you can see, there is no write access for the "normal" user
(authenticated users), just read and execute access.

For info, here is my net use:
V:\>net use
New connections will be remembered.
Status       Local     Remote                    Network
------------------------------------------------------------------------------
OK           V:        \\ares.test.samba.home.matws.net\sysvol
                                                Microsoft Windows Network
--
Matthieu Patou
Samba Team
http://samba.org
More information about the samba-technical
mailing list
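
The check made by eye in the message above (no write access for ordinary users on sysvol) can be automated; the following is an added example, not part of the original thread or of Samba. It parses an XCACLS.vbs-style listing and reports principals outside a trusted set that hold a write-capable ACE. The function names, the trusted set, the "Modify" and "Write" labels and the extra sample ACE are assumptions.

```python
import re

# Permission labels seen in the listing above; "Modify" and "Write" are
# assumed spellings for the other write-capable levels.
PERMS = ["Full Control", "Read and Execute", "Modify", "Write", "Read"]
WRITE_CAPABLE = {"Full Control", "Modify", "Write"}
# The listing cuts "NT AUTHORITY\Authentica..." at 23 characters, so names
# are compared on that many characters only.
NAME_WIDTH = 23
ACE_RE = re.compile(
    r"^(Allowed|Denied)\s+(.*?)\s+("
    + "|".join(map(re.escape, PERMS)) + r")\s*(.*)$"
)

def parse_aces(listing):
    """Return (type, username, permission, inheritance) tuples."""
    aces = []
    for line in listing.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(tuple(part.strip() for part in m.groups()))
    return aces

def unexpected_writers(listing, trusted):
    """Principals with an Allowed write-capable ACE that are not trusted."""
    allowed = {name[:NAME_WIDTH].lower() for name in trusted}
    return [
        (user, perm)
        for kind, user, perm, _ in parse_aces(listing)
        if kind == "Allowed" and perm in WRITE_CAPABLE
        and user[:NAME_WIDTH].lower() not in allowed
    ]

# Assumed trusted set; add the domain's admin groups as appropriate.
TRUSTED = ["BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"]

# Constructed sample: the four ACEs from the listing above plus one made-up
# ACE (TEST\Domain Users, Modify) showing what a misconfiguration looks like.
SAMPLE = r"""
Type Username Permissions Inheritance
Allowed BUILTIN\Administrators Full Control This Folder, Subfolde
Allowed \ Read and Execute This Folder, Subfolde
Allowed NT AUTHORITY\SYSTEM Full Control This Folder, Subfolde
Allowed NT AUTHORITY\Authentica Read and Execute This Folder, Subfolde
Allowed TEST\Domain Users Modify This Folder, Subfolde
"""

if __name__ == "__main__":
    for user, perm in unexpected_writers(SAMPLE, TRUSTED):
        print(f"unexpected write access: {user!r} has {perm}")
```

An empty result for a sysvol listing corresponds to the state shown in the message; Denied entries are ignored because they grant nothing.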