sysvol permissions

Stefan Metzmacher metze at samba.org
Mon Jun 27 21:01:58 UTC 2016


On 27.06.2016 at 22:50, Rowland Penny wrote:
> On 27/06/16 21:30, Stefan Metzmacher wrote:
>> Hi Rowland,
>>
>> I started with something like this some years ago, maybe you can make
>> some use of
>> it.
>>
>> See
>> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
>>
>>
>> The important ones are:
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=56ac74b3a2cf279ae3b8ad6d3714720cfe01fc51
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=cf79039ed7df73606ce4d7fb1a94da4f5f3aadbb
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=2888f90beec65f7ff3f6838aa19f3b9d56dff5f0
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=7374d99576258283381b51eef419d53a6fc4ae81
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=d3584847bd3cf9ed508b720c4765be8dff81f7e8
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=3ec3a671a40d7165d70202d897db04d989d421c2
>>
>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=3e3b4add940e467c74e7d980e833c656a75a9b9b
>>
>>
>> metze
>>
>> On 27.06.2016 at 20:51, Rowland Penny wrote:
>>> Hi, in provision '__init__.py', the permissions for sysvol and the
>>> policies directory are set to this:
>>>
>>> SYSVOL_ACL =
>>> "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
>>>
>>>
>>> POLICIES_ACL =
>>> "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
>>>
>>>
>>>
>>> But on this Microsoft webpage:
>>>
>>> https://technet.microsoft.com/en-us/library/cc816750%28v=ws.10%29.aspx
>>>
>>> They are shown as this:
>>>
>>> "%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
>>>
>>>
>>>
>>> "%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
>>>
>>>
>>>
>>>
>>> Which would mean that they should be set to:
>>>
>>> SYSVOL_ACL =
>>> "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
>>>
>>>
>>> POLICIES_ACL =
>>> "O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"
>>>
>>>
>>>
>>> This is basically the same as Samba's but with the addition of 'Creator
>>> Owner'.
>>>
>>> Finally, the owner is given as 'O:LA', this comes up time and time again
>>> on the Samba mailing list, 'sysvolreset' errors out because the owner
>>> has been changed to 'O:DA', presumably when a GPO is added.
>>>
>>> Now before I waste my time creating a patch to correct the above
>>> problems, has anybody got any objections to the changes, i.e. changing
>>> the owner and adding 'Creator Owner'?
>>>
>>> Rowland
>>>
>>>
>>>
> 
> Thanks Stefan, I will take an in-depth look at these (just had a skim
> through), but was there some reason they didn't make it into Samba?
> Just so I know what to zero in on.

It may not work completely and I had no time to debug it through.

metze
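
Added example, not part of the thread and not Samba code: a Python check of the ACL comparison made in the quoted message. It expands the generic rights with the standard Windows file generic mapping (an assumption of this example) and diffs the current and proposed DACLs as sets of ACEs; the function names are made up for the example.

```python
import re

# Generic rights expanded with the Windows file generic mapping
# (FILE_ALL_ACCESS, FILE_GENERIC_READ/WRITE/EXECUTE); SD is DELETE.
RIGHTS = {"GA": 0x001F01FF, "GR": 0x00120089, "GW": 0x00120116,
          "GX": 0x001200A0, "SD": 0x00010000}

# ACL strings copied from the quoted message.
SAMBA_SYSVOL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
SAMBA_POLICIES = SAMBA_SYSVOL + "(A;OICI;0x001301bf;;;PA)"
PROPOSED_SYSVOL = ("O:LAG:BAD:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)"
                   "(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)")
PROPOSED_POLICIES = PROPOSED_SYSVOL + "(A;CIOI;GRGWGXSD;;;PA)"


def mask_of(rights):
    """Numeric access mask for a hex or two-letter-code rights field."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]  # KeyError for codes outside this example's table
    return mask


def aces(sddl):
    """Set of (type, flags, mask, trustee); flag order is not significant.
    A set ignores ACE order, which is safe here: every ACE is an allow ACE."""
    result = set()
    for body in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        result.add((ace_type, frozenset(re.findall("..", flags)),
                    mask_of(rights), trustee))
    return result


def acl_diff(current, proposed):
    """Return (ACEs only in proposed, ACEs only in current)."""
    cur, new = aces(current), aces(proposed)
    return new - cur, cur - new


if __name__ == "__main__":
    for name, cur, new in (("sysvol", SAMBA_SYSVOL, PROPOSED_SYSVOL),
                           ("policies", SAMBA_POLICIES, PROPOSED_POLICIES)):
        added, removed = acl_diff(cur, new)
        print(name, "added:", sorted((t, hex(m)) for _, _, m, t in added),
              "removed:", sorted((t, hex(m)) for _, _, m, t in removed))
```

For both strings the only difference reported is one added ACE, full control (0x1f01ff) for CO, and nothing removed; the owner field (O:LA) is not compared.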
