[Samba] Samba4 and sysvol share

Christopher Whitehead cwhitehead73 at gmail.com
Wed Sep 28 13:25:45 MDT 2011


Definitely that is where your login scripts and so forth are or the general
place that you are supposed to put them.  I've got to go do some work over at
a place I have a Samba4 PDC set up tomorrow.

Did you mess with the permissions, or do you not recall?  Was it like that when
you installed?

I wouldn't allow Everyone to have access.  Go the Authenticated Users route
or maybe Domain Users with read/execute permissions.  I'll check all the
different users on it tomorrow for ya and drop back a line to this thread
though.  There might be a phantom User that only Samba knows about that is
listed there that might be specific to your install.

It would be nice if someone chimed in here, have been wondering about
that... ;)

Chris

On Wed, Sep 28, 2011 at 1:55 PM, <felix at epepm.cupet.cu> wrote:

> > On 28/09/2011 04:59, felix at epepm.cupet.cu wrote:
> >>>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
> >>>>> Hello.
> >>>>> I noticed that any domain user can delete the content of the shared
> >>>>> folder sysvol in the domain controller from a Windows client.
> >>>>>
> >>>>> How can I avoid that?
> >>>>>
> >>>>> Greetings,
> >>>>> Felix
> >>>>>
> >>>> What's the default windows behavior with this ?
> >>>>
> >>>> Matthieu.
> >>>>
> >>> Windows users              Windows permissions
> >>> -------------------------------------------------
> >>> Domain Admins----------->  Full Access
> >>> Authenticated Users----->  Read & Execute, List folder contents, Read
> >>> CREATOR OWNER----------->  Special permissions (Maybe we don't need this)
> >>> Server Operators-------->  Read & Execute, List folder contents, Read
> >>> SYSTEM------------------>  Full Access
> >>>
> >> I think that what is needed here is:
> >> Domain Admins------------->  Full Access
> >> and everybody else-------->  Read & Execute, List folder contents, Read
> >>
> >> I think that GPOs and some scripts are delivered to Windows clients
> >> through sysvol, that's why I don't want any of my users to be able to
> >> delete the sysvol content.
> >>
> >> What should I do to accomplish that goal?
> > In theory we should have the ACLs ok. I have to check these things, but it
> > won't be before next week; I'm at IOLAB with Microsoft this week focusing
> > on FRS replication.
> >
> >
> > Sorry.
> >
> > Matthieu.
> >
> I understand. I'll be waiting for an answer.
> Thanks.
>
> Felix.
>
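
The permission table quoted in the thread can be turned into a check. The following is an added example, not code from the thread or from the Samba project: it takes the security descriptor of the sysvol directory as an SDDL string and reports every allow ACE that gives write, delete or ACL-change rights to a trustee other than Domain Admins or SYSTEM. The function names, the ALLOWED_WRITERS set and both sample descriptors are assumptions made for illustration.

```python
import re

# SDDL right abbreviations -> Windows file access-mask bits.
RIGHTS = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Bits that let a trustee create, change or delete content, or rewrite the ACL.
WRITE_MASK = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x10000000 | 0x40000000)
# Assumption taken from the thread's table: only Domain Admins (DA) and
# SYSTEM (SY) are expected to hold write access on sysvol.
ALLOWED_WRITERS = {"DA", "SY"}

def parse_mask(rights):
    """Turn an SDDL rights field (hex mask or two-letter codes) into an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]
    return mask

def risky_aces(sddl):
    """Return [(trustee, write_bits)] for allow ACEs outside ALLOWED_WRITERS."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # DACL section only
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        bits = parse_mask(rights) & WRITE_MASK
        # Deny ACEs ("D") are ignored: they only remove access.
        if ace_type == "A" and trustee not in ALLOWED_WRITERS and bits:
            findings.append((trustee, bits))
    return findings

# Constructed sample descriptors, not taken from a real domain controller.
BASELINE = ("O:LAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;0x1200a9;;;AU)"
            "(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)")
TOO_OPEN = ("O:LAG:DAD:(A;OICI;FA;;;DA)(A;OICI;0x1301bf;;;AU)"
            "(A;OICI;FA;;;WD)(A;OICI;FRFX;;;SO)")

if __name__ == "__main__":
    for name, sddl in (("baseline", BASELINE), ("too_open", TOO_OPEN)):
        for trustee, bits in risky_aces(sddl):
            print(f"{name}: {trustee} holds write bits {bits:#x}")
```

In the constructed TOO_OPEN descriptor, AU (Authenticated Users) holds Modify and WD (Everyone) holds Full Access, which matches the situation reported in the thread where any domain user could delete sysvol content.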

