sysvol permissions

Stefan Metzmacher metze at samba.org
Mon Jun 27 20:30:19 UTC 2016


Hi Rowland,

I started with something like this some years ago, maybe you can make
some use of it.

See
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls

The important ones are:
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=56ac74b3a2cf279ae3b8ad6d3714720cfe01fc51
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=cf79039ed7df73606ce4d7fb1a94da4f5f3aadbb
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=2888f90beec65f7ff3f6838aa19f3b9d56dff5f0
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=7374d99576258283381b51eef419d53a6fc4ae81
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=d3584847bd3cf9ed508b720c4765be8dff81f7e8
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=3ec3a671a40d7165d70202d897db04d989d421c2
https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=3e3b4add940e467c74e7d980e833c656a75a9b9b

metze

Am 27.06.2016 um 20:51 schrieb Rowland Penny:
> Hi, in provision '__init__.py', the permissions for sysvol and the
> policies directory are set to this:
> 
> SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
> 
> POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
> 
> 
> But on this Microsoft webpage:
> 
> https://technet.microsoft.com/en-us/library/cc816750%28v=ws.10%29.aspx
> 
> They are shown as this:
> 
> "%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
> 
> 
> "%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
> 
> 
> 
> Which would mean that they should be set to:
> 
> SYSVOL_ACL = "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
> 
> POLICIES_ACL = "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
> 
> 
> This is basically the same as Samba's but with the addition of 'Creator
> Owner'.
> 
> Finally, the owner is given as 'O:LA', this comes up time and time again
> on the Samba mailing list, 'sysvolreset' errors out because the owner
> has been changed to 'O:DA', presumably when a GPO is added.
> 
> Now before I waste my time creating a Patch to correct the above
> problems, has anybody got any objections to the changes, i.e. changing
> the owner and adding 'Creator Owner'?
> 
> Rowland
> 
> 
> 

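The comparison made in the quoted message can be checked mechanically. The following is an added example, not part of the original thread or of Samba's code: it parses the SDDL strings quoted above, treats `OICI` and `CIOI` as the same flag set, expands generic rights with the Windows file generic mapping (an assumption of this sketch), and diffs the DACLs. The names `parse_mask`, `parse_dacl` and `dacl_diff` are hypothetical.

```python
import re

# Generic rights expanded with the Windows file generic mapping (assumed here).
FILE_RIGHTS = {
    "GA": 0x001F01FF,  # FILE_ALL_ACCESS
    "GR": 0x00120089,  # FILE_GENERIC_READ
    "GW": 0x00120116,  # FILE_GENERIC_WRITE
    "GX": 0x001200A0,  # FILE_GENERIC_EXECUTE
    "SD": 0x00010000,  # DELETE
}
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))+)")

# The strings quoted in the thread (Samba provision vs. the Microsoft page).
SAMBA_SYSVOL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
SAMBA_POLICIES = SAMBA_SYSVOL + "(A;OICI;0x001301bf;;;PA)"
MS_SYSVOL = ("D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)"
             "(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)")
MS_POLICIES = MS_SYSVOL + "(A;CIOI;GRGWGXSD;;;PA)"

def parse_mask(rights):
    """Turn a hex mask or a run of two-letter rights into an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= FILE_RIGHTS[rights[i:i + 2]]  # KeyError on an unknown right
    return mask

def parse_dacl(sddl):
    """Return (dacl_flags, {(type, flag set, trustee): mask}) for the D: part."""
    dacl_flags, aces = DACL_RE.search(sddl).groups()
    result = {}
    for ace in re.findall(r"\(([^()]*)\)", aces):
        ace_type, ace_flags, rights, _obj, _inh_obj, trustee = ace.split(";")
        # Flag order carries no meaning, so OICI and CIOI compare equal.
        key = (ace_type, frozenset(re.findall("..", ace_flags)), trustee)
        result[key] = result.get(key, 0) | parse_mask(rights)
    return dacl_flags, result

def dacl_diff(a, b):
    """Trustees with ACEs only in a, only in b, and with differing masks."""
    da, db = parse_dacl(a)[1], parse_dacl(b)[1]
    only_a = sorted(k[2] for k in da.keys() - db.keys())
    only_b = sorted(k[2] for k in db.keys() - da.keys())
    changed = sorted(k[2] for k in da.keys() & db.keys() if da[k] != db[k])
    return only_a, only_b, changed

if __name__ == "__main__":
    print("sysvol:  ", dacl_diff(SAMBA_SYSVOL, MS_SYSVOL))
    print("policies:", dacl_diff(SAMBA_POLICIES, MS_POLICIES))
```

The owner and group parts (`O:LAG:BA`) are not compared; the diff covers the DACL only.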