samba4 sysvol permissions?
Matthieu Patou
mat at samba.org
Thu Sep 22 20:30:39 MDT 2011
Hi Jeff,
On 22/09/2011 15:14, Jeff Sadowski wrote:
> In windows there are two places for permissions. The share permissions
> and the permissions of the directory itself. I was looking at the
> documentation but didn't see anything in samba4 docs except about
> setting the user_xattr flag which I did. Do I use xattr properties
> against "windows domain" groups and users? on each directory?
I'm not sure I got you right.
In Samba4 (and samba 3.x with the xattr_acl module) we store NT acls as
extended attributes (security.ntacls). You can dump it with getfattr -d
-m "" <myfile>.
The best way to set ACLs for the moment is to do them in windows.
Once you've defined the acls as you want you can use samba-tool to
affect acls on other files, you just have to specify the sddl of your
acls, for instance:
    ./bin/samba-tool ntacl set \
      "O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" \
      /tmp/p/sysvol/mydir
Will set the NTACL for this folder to
O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU).
You can have more information about SDDL at
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379567%28v=vs.85%29.aspx
The best way to get a SDDL is to dump it on a folder/file where you know
that you have set it the way you want.
For instance:
./bin/samba-tool ntacl get --as-sddl /tmp/p/sysvol
Will output
O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
Trying without the --sddl will output something more user readable but
it can't be reused.
Hope it makes (more) sense.
--
Matthieu Patou
Samba Team
http://samba.org
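
Added example, not part of the original message and not Samba code: Python that parses the SDDL string quoted above and lists allow ACEs granting write-type access to trustees other than BA and SY, as a check to run before reusing a dumped SDDL with "ntacl set". The function names, the trusted set and the constructed mask 0x001301bf are assumptions for illustration; only O:/G:/D: strings with hexadecimal rights are handled.

```python
import re

# SDDL string from the message above (output of "samba-tool ntacl get --as-sddl").
SDDL = ("O:S-1-5-21-539903172-2667966584-237549873-500G:BAD:P"
        "(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

# File/directory access-mask bits that change data or the descriptor itself.
WRITE_BITS = {0x2: "write data", 0x4: "append data", 0x10: "write EA",
              0x40: "delete child", 0x100: "write attributes",
              0x10000: "delete", 0x40000: "write DAC", 0x80000: "write owner"}

SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))+)")

def parse_sddl(sddl):
    """Split an SDDL string (owner, group, DACL only) into its parts."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 fields: " + body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append({"type": ace_type,
                     "flags": re.findall("..", flags),  # OICI -> OI, CI
                     "mask": int(rights, 0),  # hex only; symbolic rights raise
                     "trustee": trustee})
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["flags"], "aces": aces}

def write_grants(sddl, trusted=("BA", "SY")):
    """Return (trustee, [rights]) for allow ACEs giving write access to
    trustees outside `trusted` (an assumed policy, adjust to your own)."""
    findings = []
    for ace in parse_sddl(sddl)["aces"]:
        names = [n for bit, n in WRITE_BITS.items() if ace["mask"] & bit]
        if ace["type"] == "A" and ace["trustee"] not in trusted and names:
            findings.append((ace["trustee"], names))
    return findings

if __name__ == "__main__":
    print(parse_sddl(SDDL))
    print(write_grants(SDDL))  # the page's ACL gives SO and AU no write bits
    # Constructed variant: Authenticated Users raised to 0x001301bf (modify).
    print(write_grants(SDDL.replace("0x001200a9;;;AU", "0x001301bf;;;AU")))
```

In the quoted ACL, 0x001f01ff is full control and 0x001200a9 is read and execute, so only BA and SY can modify the tree.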