[Samba] Samba4 and sysvol share

felix at epepm.cupet.cu
Wed Sep 28 14:41:11 MDT 2011


>> Definitely that is where your login scripts and so forth are or the
>> general place that you are supposed to put them.  I've got to go do some
>> work over at a place I have a Samba4 PDC setup tomorrow.
>>
>> Did you mess with the permissions or don't recall?  Was it like that
>> when you installed?
>>
>> I wouldn't allow Everyone to have access.  Go the Authenticated Users
>> route or maybe Domain Users with read/execute permissions.  I'll check
>> all the different users on it tomorrow for ya and drop back a line to
>> this thread though.  There might be a phantom User that only Samba knows
>> about that is listed there that might be specific to your install.
>>
>> It would be nice if someone chimed in here, have been wondering about
>> that... ;)
>>
>> Chris
>>
> Hi Chris:
> It's a recent test installation using Samba4 alpha 17 tar. I have done
> nothing with the permissions. I haven't even touched smb.conf.
> I was browsing the content of sysvol in my Samba4 server with a domain
> user I created and then I tried deleting a file and I could do it, tried
> with the whole content of sysvol and I could delete all. Then I
> reinstalled samba and tried again with a new domain user, and could do it
> again.
>
> The permissions on a Windows 2003 server are as shown below and you're
> right, only authenticated users should have read and execute permissions.
> But I tried with a Windows client in a virtual PC against a real Windows
> 2003 server and surprisingly I could list the content of sysvol in spite
> of this virtual PC not being a member of the Windows 2003 server domain.
> That's why I suggested that maybe it would be ok to allow Everyone read
> and execute permissions.
>
My mistake. Unauthenticated users have no access to sysvol in Windows 2003
Server. Sorry!!!

>
>
>> On Wed, Sep 28, 2011 at 1:55 PM, <felix at epepm.cupet.cu> wrote:
>>
>>> > On 28/09/2011 04:59, felix at epepm.cupet.cu wrote:
>>> >>>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
>>> >>>>> Hello.
>>> >>>>> I noticed that any domain user can delete the content of the shared
>>> >>>>> folder sysvol in the domain controller from a Windows client.
>>> >>>>>
>>> >>>>> How can I avoid that?
>>> >>>>>
>>> >>>>> Greetings,
>>> >>>>> Felix
>>> >>>>>
>>> >>>> What's the default Windows behavior with this?
>>> >>>>
>>> >>>> Matthieu.
>>> >>>>
>>> >>> Windows users              Windows permissions
>>> >>> -------------------------------------------------
>>> >>> Domain Admins----------->  Full Access
>>> >>> Authenticated Users----->  Read & Execute, List folder contents, Read
>>> >>> CREATOR OWNER----------->  Special permissions (Maybe we don't need this)
>>> >>> Server Operators-------->  Read & Execute, List folder contents, Read
>>> >>> SYSTEM------------------>  Full Access
>>> >>>
>>> >> I think that what is needed here is:
>>> >> Domain Admins------------->  Full Access
>>> >> and everybody else-------->  Read & Execute, List folder contents, Read
>>> >>
>>> >> I think that GPOs and some scripts are delivered to Windows clients
>>> >> through sysvol, that's why I don't want any of my users to be able to
>>> >> delete the sysvol content.
>>> >>
>>> >> What should I do to accomplish that goal?
>>> > In theory we should have the ACLs ok, I have to check these things but
>>> > it won't be before next week, I'm at IOLAB with Microsoft this week
>>> > focusing on FRS replication.
>>> >
>>> >
>>> > Sorry.
>>> >
>>> > Matthieu.
>>> >
>>> I understand. I'll be waiting for an answer.
>>> Thanks.
>>>
>>> Felix.
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>
>

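A defender-side check for the permission question raised in this thread, added here as an example and not code from the thread or from the Samba project: it parses output in the format of the Windows `icacls` tool (as a domain-joined client would report it for the share) and flags any principal outside the administrative set that can modify or delete sysvol content, or any grant to Everyone. The `\\dc1\sysvol\example.com` path, the EXAMPLE domain and both sample outputs are constructed assumptions.

```python
import re
# Assumed admin set: the principals the thread's Windows 2003 table gives Full Access.
ADMIN_PRINCIPALS = {"DOMAIN ADMINS", "SYSTEM", "ADMINISTRATORS", "CREATOR OWNER"}
# icacls simple and specific rights that imply the ability to write or delete.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}  # inheritance flags, not rights
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([A-Z,]*\))+)$")

def parse_icacls(text):
    """Return [(PRINCIPAL, {rights})]; the path icacls prints before the first
    ACE is dropped (assumed to contain no spaces, as a sysvol UNC path does not)."""
    aces = []
    for line in text.splitlines():
        if not line.strip():
            continue
        body = line.strip() if line[0].isspace() else line.split(None, 1)[-1]
        m = ACE_RE.match(body.strip())
        if not m:
            continue
        who = m.group("who").split("\\")[-1].strip().upper()  # drop "NT AUTHORITY\" etc.
        rights = set()
        for token in re.findall(r"\(([^)]*)\)", m.group("rights")):
            if token not in INHERIT_FLAGS:
                rights.update(token.split(","))  # "(RD,REA,X)" specific-rights form
        aces.append((who, rights))
    return aces

def audit_sysvol_acl(aces):
    """Findings for principals able to change sysvol content; [] means read-only for users."""
    findings = []
    for who, rights in aces:
        if who == "EVERYONE":
            findings.append("EVERYONE should not be granted anything on sysvol")
        if who in ADMIN_PRINCIPALS:
            continue
        bad = sorted(rights & WRITE_RIGHTS)
        if bad:
            findings.append(f"{who} can modify or delete sysvol content: {bad}")
    return findings

# Constructed sample: a misconfigured share where ordinary domain users hold Modify.
BAD_ICACLS = r"""\\dc1\sysvol\example.com EXAMPLE\Domain Admins:(OI)(CI)(F)
                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         EXAMPLE\Domain Users:(OI)(CI)(M)
                         Everyone:(OI)(CI)(RX)"""
# Constructed sample mirroring the Windows 2003 defaults quoted in the thread.
GOOD_ICACLS = r"""\\dc1\sysvol\example.com EXAMPLE\Domain Admins:(OI)(CI)(F)
                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                         CREATOR OWNER:(OI)(CI)(IO)(F)"""
```

Running `audit_sysvol_acl(parse_icacls(...))` on the first sample reports Domain Users and Everyone; on the second it returns an empty list.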