[Samba] Re: Ntconfig.pol policies not applied immediatly after been read

xavier x.poirier at free.fr
Thu Apr 20 21:43:22 GMT 2006


I've not seen this thread before (as I'm on version 3.0.20!):

And this one for the Bugzilla link:


I haven't done it like Robert and Tomek with "NETLOGON"; look here:

   path = /var/lib/samba/netlogon/
   read only = no
   public = yes
   write list = @"Domain Admins"
   create mask = 0755         <-------- this is not necessary, 0750 is sufficient
   directory mask = 0755      <-------- The same, 0750 is good

   path = /var/lib/samba/profiles
   read only = no
   create mask = 0755         <-------- You can DELETE this line if you use ACLs
   directory mask = 0755      <-------- The same, you can DELETE this
   browseable = No
   guest ok = Yes
   profile acls = yes
   inherit permissions = yes
   inherit acls = yes         <-------- Using a filesystem with ACL support
   acl check permissions = no

The main advantage of doing this with ACLs is that you can give your 
Domain Administrator rights on the users' profiles (that's why we must 
set "acl check permissions = no", because the Microsoft implementation 
verifies that ONLY the user who owns a profile dir has RWX on it). 
Set ACLs on

/var/lib/samba/profiles    like this:

# file: profiles
# owner: root
# group: domainusers
default user::rwx
default user:root:rwx
default group:domainusers:---   <--- for me, I've left rwx here, but it should work like this.
default other::---
default mask::rwx

The only thing I've seen that is a little strange is on the user's 
computer, in c:\documents and setting\%userprofile%\directories ..
many dirs have the read-only attribute set in the Windows properties 
(the default profile is copied from the PDC/Samba domain), but this does 
not seem to affect the handling of files ..
perhaps because of my 3.0.20 version ...


xavier wrote:
> hi,
> My NTconfig.pol file in the \\netlogon share seems to be good...
> in the logs the file is read with no problem at my user logon.
> The strange thing I have is that the policy I've made is applied if my 
> user logs on to a windows 2003 server we have for testing purposes! 
> (If I log on first to my win2k machine, the policy is not applied ...)
> logging on afterwards to my win2k computer takes advantage of the 
> policy made before.
> I can't explain to myself what is happening there, strange ...
> what could be the difference between those two logons on 2 
> different OSes?
> Xavier
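
Added example (not part of the original message and not Samba's own code): a small Python check that parses share definitions like the two in the message and lists create/directory masks that leave permission bits for "other", which is what the 0750 remarks address, together with shares that allow guest connections. The section names [netlogon] and [profiles] and the sample text are assumptions constructed from the settings in the post.

```python
# Constructed sample: settings from the post; section names are assumed.
SAMPLE = """\
[netlogon]
   path = /var/lib/samba/netlogon/
   public = yes
   create mask = 0755
   directory mask = 0755
[profiles]
   path = /var/lib/samba/profiles
   create mask = 0755
   directory mask = 0755
   guest ok = Yes
"""

# smb.conf synonyms, folded onto one normalized name.
SYNONYMS = {"createmode": "createmask", "directorymode": "directorymask",
            "public": "guestok"}

def parse_shares(text):
    """Return {share: {normalized_param: value}} from smb.conf text."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = "".join(key.lower().split())  # case/space-insensitive
            current[SYNONYMS.get(key, key)] = value.strip()
    return shares

def audit(text):
    """List (share, param, finding) tuples for settings worth review."""
    findings = []
    for share, params in parse_shares(text).items():
        for name in ("createmask", "directorymask"):
            # Octal mask: the low three bits are the 'other' permissions.
            if name in params and int(params[name], 8) & 0o007:
                findings.append((share, name, "'other' bits set"))
        if params.get("guestok", "no").lower() in ("yes", "true", "1"):
            findings.append((share, "guestok", "guest access allowed"))
    return findings

if __name__ == "__main__":
    for share, name, finding in audit(SAMPLE):
        print(f"[{share}] {name}: {finding}")
```

With both masks set to 0750 and guest access off, audit() returns an empty list for that share.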
