[Samba] Samba4 and sysvol share

felix at epepm.cupet.cu felix at epepm.cupet.cu
Wed Sep 28 13:57:26 MDT 2011


> Definitely that is where your login scripts and so forth are or the general
> place that you are suppose to put them.  I've got to go do some work over at
> a place I have a Samba4 PDC setup tomorrow.
>
> Did you mess with the permissions or don't recall?  Was it like that when
> you installed?
>
> I wouldn't allow Everyone to have access.  Go the Authenticated Users route
> or maybe Domain Users with read/execute permissions.  I'll check all the
> different users on it tomorrow for ya and drop back a line to this thread
> though.  There might be a phantom User that only Samba knows about that is
> listed there that might be specific to your install.
>
> It would be nice if someone chimed in here, have been wondering about
> that... ;)
>
> Chris
>
Hi Chris:
It's a recent test installation using the Samba4 alpha 17 tar. I have done
nothing with the permissions. I haven't even touched smb.conf.
I was browsing the content of sysvol on my Samba4 server with a domain
user I created, then I tried deleting a file and I could do it; I tried
with the whole content of sysvol and I could delete all of it. Then I
reinstalled Samba and tried again with a new domain user, and could do it
again.

The permissions on a Windows 2003 server are as shown below, and you're
right, only authenticated users should have read and execute permissions.
But I tried with a Windows client in a virtual PC against a real Windows
2003 server and surprisingly I could list the content of sysvol in spite
of this virtual PC not being a member of the Windows 2003 server domain.
That's why I suggested that maybe it would be OK to allow everyone read
and execute permissions.
> On Wed, Sep 28, 2011 at 1:55 PM, <felix at epepm.cupet.cu> wrote:
>
>> > On 28/09/2011 04:59, felix at epepm.cupet.cu wrote:
>> >>>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
>> >>>>> Hello.
>> >>>>> I noticed that any domain user can delete the content of the
>> >>>>> shared folder sysvol in the domain controller from a windows client.
>> >>>>>
>> >>>>> How can I avoid that?
>> >>>>>
>> >>>>> Greetings,
>> >>>>> Felix
>> >>>>>
>> >>>> What's the default windows behavior with this ?
>> >>>>
>> >>>> Matthieu.
>> >>>>
>> >>> Windows users              Windows permissions
>> >>> -------------------------------------------------
>> >>> Domain Admins----------->  Full Access
>> >>> Authenticated Users------>  Read & Execute, List folder contents, Read
>> >>> CREATOR OWNER----------->  Special permissions (Maybe we don't need this)
>> >>> Server Operators-------->  Read & Execute, List folder contents, Read
>> >>> SYSTEM------------------>  Full Access
>> >>>
>> >> I think that what is needed here is:
>> >> Domain Admins------------->  Full Access
>> >> and everybody else-------->  Read & Execute, List folder contents, Read
>> >>
>> >> I think that GPOs and some scripts are delivered to windows clients
>> >> through sysvol, that's why I don't want any of my users to be able to
>> >> delete the sysvol content.
>> >>
>> >> What should I do to accomplish that goal?
>> > In theory we should have the ACLs ok, I have to check these things but it
>> > won't be before next week, I'm at IOLAB with microsoft this week focusing
>> > on FRS replication.
>> >
>> >
>> > Sorry.
>> >
>> > Matthieu.
>> >
>> I understand. I'll be waiting for an answer.
>> Thanks.
>>
>> Felix.
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
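An added check for the sysvol permission question discussed in this thread (example code, not from the thread or the Samba project): it parses an SDDL security descriptor, the format `samba-tool ntacl get` prints for a path, and reports every principal that receives write or delete rights through an allow ACE without being one of the principals the thread's Windows 2003 table expects to have them. The SDDL strings and the trusted-principal set are constructed assumptions for the example.

```python
import re

# Access-mask bits that let a principal create, change or delete files
# (standard Windows file access rights).
MODIFY_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100     # write data/append/EA, delete child, write attrs
               | 0x10000 | 0x40000 | 0x80000       # DELETE, WRITE_DAC, WRITE_OWNER
               | 0x40000000 | 0x10000000)          # GENERIC_WRITE, GENERIC_ALL

# Two-letter SDDL rights tokens for file objects, mapped to access masks.
RIGHTS_TOKENS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
}

# SDDL SID aliases that legitimately hold write/delete on sysvol (assumption):
# Domain Admins, Builtin Administrators, SYSTEM, CREATOR OWNER.
TRUSTED_SIDS = {"DA", "BA", "SY", "CO"}


def parse_mask(rights):
    """Convert an SDDL rights field ('0x001f01ff' or 'FRFX') to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS_TOKENS[rights[i:i + 2]]
    return mask


def dacl_aces(sddl):
    """Yield (ace_type, mask, sid) for each ACE in the DACL ('D:') part of an SDDL string."""
    dacl = re.search(r"D:[^(]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        return
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")
        yield ace_type, parse_mask(rights), sid


def untrusted_modify_grants(sddl, trusted=TRUSTED_SIDS):
    """SIDs granted modify/delete rights by an allow ACE that are not in the trusted set.
    Deny ACEs are ignored, so [] means 'nothing suspicious found', not 'proven safe'."""
    return sorted({sid for ace_type, mask, sid in dacl_aces(sddl)
                   if ace_type == "A" and mask & MODIFY_BITS and sid not in trusted})


# Constructed sample descriptors: the first mirrors the Windows 2003 sysvol ACL
# from the thread (admins and SYSTEM full control, Server Operators and
# Authenticated Users read & execute = 0x001200a9); the second also grants
# Everyone ('WD') full control, which is what lets any user delete sysvol content.
SYSVOL_EXPECTED = ("O:BAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                   "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
SYSVOL_OPEN = SYSVOL_EXPECTED + "(A;OICI;FA;;;WD)"
```

Running `untrusted_modify_grants` on the descriptor of the sysvol root and each GPO folder gives a quick regression check after an upgrade or reinstall.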