sysvol permissions

Rowland Penny repenny241155 at gmail.com
Mon Jun 27 20:50:14 UTC 2016


On 27/06/16 21:30, Stefan Metzmacher wrote:
> Hi Rowland,
>
> I started with something like this some years ago, maybe you can make
> some use of it.
>
> See
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
>
> The important ones are:
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=56ac74b3a2cf279ae3b8ad6d3714720cfe01fc51
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=cf79039ed7df73606ce4d7fb1a94da4f5f3aadbb
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=2888f90beec65f7ff3f6838aa19f3b9d56dff5f0
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=7374d99576258283381b51eef419d53a6fc4ae81
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=d3584847bd3cf9ed508b720c4765be8dff81f7e8
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=3ec3a671a40d7165d70202d897db04d989d421c2
> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=3e3b4add940e467c74e7d980e833c656a75a9b9b
>
> metze
>
> On 27.06.2016 at 20:51, Rowland Penny wrote:
>> Hi, in provision '__init__.py', the permissions for sysvol and the
>> policies directory are set to this:
>>
>> SYSVOL_ACL =
>> "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
>>
>> POLICIES_ACL =
>> "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
>>
>>
>> But on this Microsoft webpage:
>>
>> https://technet.microsoft.com/en-us/library/cc816750%28v=ws.10%29.aspx
>>
>> They are shown as this:
>>
>> "%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
>>
>>
>> "%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
>>
>>
>>
>> Which would mean that they should be set to:
>>
>> SYSVOL_ACL =
>> "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
>>
>> POLICIES_ACL =
>> "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
>>
>>
>> This is basically the same as Samba's but with the addition of 'Creator
>> Owner'
>>
>> Finally, the owner is given as 'O:LA', this comes up time and time again
>> on the Samba mailing list, 'sysvolreset' errors out because the owner
>> has been changed to 'O:DA', presumably when a GPO is added.
>>
>> Now before I waste my time creating a Patch to correct the above
>> problems, has anybody got any objections to the changes i.e. changing
>> the owner and adding 'Creator Owner'
>>
>> Rowland
>>
>>
>>

Thanks Stefan, I will take an in-depth look at these (just had a skim
through), but was there some reason they didn't make it into Samba?
Just so I know what to zero in on.

Rowland
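
Added example, not part of the original message or of Samba's code: a small Python check that normalises the four SDDL strings quoted above and diffs their ACEs, so the hex masks in provision can be compared with the generic-rights mnemonics on the Microsoft page. It assumes the generic rights are resolved with the Windows file-object mapping (FILE_GENERIC_* / FILE_ALL_ACCESS); the function names are hypothetical.

```python
import re

# Assumption: generic rights resolved via the Windows file-object mapping (winnt.h).
RIGHTS = {
    "GR": 0x00120089,  # FILE_GENERIC_READ
    "GW": 0x00120116,  # FILE_GENERIC_WRITE
    "GX": 0x001200A0,  # FILE_GENERIC_EXECUTE
    "GA": 0x001F01FF,  # FILE_ALL_ACCESS
    "SD": 0x00010000,  # DELETE
}

# ACL strings copied from the message above.
SAMBA_SYSVOL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
SAMBA_POLICIES = SAMBA_SYSVOL + "(A;OICI;0x001301bf;;;PA)"
MS_SYSVOL = ("D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)"
             "(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)")
MS_POLICIES = MS_SYSVOL + "(A;CIOI;GRGWGXSD;;;PA)"

def parse_mask(rights):
    """Return the 32-bit access mask for a hex value or a run of 2-letter rights."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for token in re.findall("..", rights):
        mask |= RIGHTS[token]  # KeyError on a mnemonic this table does not cover
    return mask

def parse_aces(sddl):
    """Return the ACEs as a set of (type, flags, mask, trustee) tuples.

    These strings carry no SACL, so every parenthesised ACE belongs to the DACL.
    Flags become a frozenset so that OICI and CIOI compare equal.
    """
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        aces.add((ace_type, frozenset(re.findall("..", flags)),
                  parse_mask(rights), trustee))
    return aces

def diff_acl(samba, microsoft):
    """Return (ACEs only in Samba's string, ACEs only in Microsoft's string)."""
    a, b = parse_aces(samba), parse_aces(microsoft)
    return a - b, b - a

if __name__ == "__main__":
    for name, s, m in (("sysvol", SAMBA_SYSVOL, MS_SYSVOL),
                       ("policies", SAMBA_POLICIES, MS_POLICIES)):
        only_samba, only_ms = diff_acl(s, m)
        print(name, "only in Samba:", only_samba, "only in Microsoft:", only_ms)
```

For both pairs the only difference reported is the Creator Owner (CO) ACE with full access; the hex masks and the mnemonics resolve to the same bits.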


