[Samba] Samba4 and sysvol share

Christopher Whitehead cwhitehead73 at gmail.com
Wed Sep 28 15:25:10 MDT 2011


No problem.  That setup I was talking about is running same version of
Samba4 that you are.  Yea, that is definitely not good if someone could go
in there and change what login scripts were run or what they are supposed to
do.

If it is indeed this way, then definitely nice find on your end.  Will have
to be reported as config issue or something with Samba4 alpha17.

It will probably be after lunch before I can let ya know though.  I'm
waiting on a monitor to come in for a setup they needed.  So right after
that gets over here tomorrow will head over there and get back with ya.



On Wed, Sep 28, 2011 at 3:41 PM, <felix at epepm.cupet.cu> wrote:

> >> Definitely that is where your login scripts and so forth are or the
> >> general place that you are supposed to put them.  I've got to go do some
> >> work over at a place I have a Samba4 PDC setup tomorrow.
> >>
> >> Did you mess with the permissions or don't recall?  Was it like that
> >> when you installed?
> >>
> >> I wouldn't allow Everyone to have access.  Go the Authenticated Users
> >> route or maybe Domain Users with read/execute permissions.  I'll check all
> >> the different users on it tomorrow for ya and drop back a line to this
> >> thread though.  There might be a phantom User that only Samba knows about
> >> that is listed there that might be specific to your install.
> >>
> >> It would be nice if someone chimed in here, have been wondering about
> >> that... ;)
> >>
> >> Chris
> >>
> > Hi Chris:
> > It's a recent test installation using Samba4 alpha 17 tar. I have done
> > nothing with the permissions. I haven't even touched smb.conf.
> > I was browsing the content of sysvol in my Samba4 server with a domain
> > user I created and then I tried deleting a file and I could do it, tried
> > with the whole content of sysvol and I could delete all. Then I
> > reinstalled samba and tried again with a new domain user, and could do it
> > again.
> >
> > The permissions on a Windows 2003 server are as shown below and you're
> > right, only authenticated users should have read and execute permissions.
> > But I tried with a windows client in a virtual pc against a real windows
> > 2003 server and surprisingly I could list the content of sysvol in spite
> > of this virtual pc not being a member of the windows 2003 server domain.
> > That's why I suggested that maybe it would be ok to allow everyone read
> > and execute permissions.
> >
> My mistake. Unauthenticated users have no access to sysvol in windows 2003
> server. Sorry!!!
>
> >
> >
> >> On Wed, Sep 28, 2011 at 1:55 PM, <felix at epepm.cupet.cu> wrote:
> >>
> >>> > On 28/09/2011 04:59, felix at epepm.cupet.cu wrote:
> >>> >>>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
> >>> >>>>> Hello.
> >>> >>>>> I noticed that any domain user can delete the content of the
> >>> >>>>> shared folder sysvol in the domain controller from a windows client.
> >>> >>>>>
> >>> >>>>> How can I avoid that?
> >>> >>>>>
> >>> >>>>> Greetings,
> >>> >>>>> Felix
> >>> >>>>>
> >>> >>>> What's the default windows behavior with this ?
> >>> >>>>
> >>> >>>> Matthieu.
> >>> >>>>
> >>> >>> Windows users              Windows permissions
> >>> >>> -------------------------------------------------
> >>> >>> Domain Admins----------->  Full Access
> >>> >>> Authenticated Users------>  Read & Execute, List folder contents, Read
> >>> >>> CREATOR OWNER----------->  Special permissions (Maybe we don't need this)
> >>> >>> Server Operators-------->  Read & Execute, List folder contents, Read
> >>> >>> SYSTEM------------------>  Full Access
> >>> >>>
> >>> >> I think that what is needed here is:
> >>> >> Domain Admins------------->  Full Access
> >>> >> and everybody else-------->  Read & Execute, List folder contents, Read
> >>> >>
> >>> >> I think that GPOs and some scripts are delivered to windows clients
> >>> >> through sysvol, that's why I don't want any of my users to be able
> >>> >> to delete the sysvol content.
> >>> >>
> >>> >> What should I do to accomplish that goal?
> >>> > In theory we should have the ACLs ok, I have to check these things but
> >>> > it won't be before next week, I'm at IOLAB with microsoft this week
> >>> > focusing on FRS replication.
> >>> >
> >>> >
> >>> > Sorry.
> >>> >
> >>> > Matthieu.
> >>> >
> >>> I understand. I'll be waiting for an answer.
> >>> Thanks.
> >>>
> >>> Felix.
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >>
> >
> >
>
>
>
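A defender-side check for the problem Felix describes, added here as an example and not code from this thread or from the Samba project: it reads an smbcacls-style ACL dump of the sysvol share and reports every principal outside Domain Admins, Administrators and SYSTEM that holds any write or delete right. The `ACL:<principal>:<type>/<flags>/<mask>` line shape is assumed from smbcacls output, and the sample dump is constructed.

```python
import re

# Access-mask bits that let a principal modify or remove files: FILE_WRITE_DATA,
# FILE_APPEND_DATA, FILE_DELETE_CHILD, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL,
# GENERIC_WRITE.
WRITE_BITS = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
# smbcacls prints common masks symbolically; expand them to its per-right letters
# (R read, W write, X execute, D delete, P change permissions, O take ownership).
SYMBOLIC = {"FULL": "RWXDPO", "CHANGE": "RWXD", "READ": "RX"}
WRITE_LETTERS = set("WDPO")
# Principals that legitimately need full control of sysvol on a DC.
TRUSTED = {"Domain Admins", "Administrators", "SYSTEM"}
# Assumed ACE line shape as smbcacls prints it: ACL:<principal>:<type>/<flags>/<mask>
ACE_RE = re.compile(r"^ACL:(?P<who>.+):(?P<type>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<mask>\S+)$")

def mask_allows_write(mask):
    """True if a hex, symbolic or letter mask grants any write/delete right."""
    if mask.lower().startswith("0x"):
        return bool(int(mask, 16) & WRITE_BITS)
    return bool(WRITE_LETTERS & set(SYMBOLIC.get(mask, mask)))

def audit_sysvol_acl(dump, trusted=TRUSTED):
    """Return (principal, mask) for each ALLOWED ACE granting write access to a
    principal outside `trusted`. DENIED ACEs never grant anything, so skip them."""
    findings = []
    for line in dump.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m["type"] != "ALLOWED":
            continue
        name = m["who"].rsplit("\\", 1)[-1]  # drop the DOMAIN\ or BUILTIN\ prefix
        if name not in trusted and mask_allows_write(m["mask"]):
            findings.append((m["who"], m["mask"]))
    return findings

# Constructed sample dump (not captured from a real server); the Domain Users
# entry reproduces the misconfiguration reported in the thread.
SAMPLE_DUMP = r"""
OWNER:BUILTIN\Administrators
ACL:EXAMPLE\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:EXAMPLE\Server Operators:ALLOWED/OI|CI/READ
ACL:EXAMPLE\Domain Users:ALLOWED/OI|CI/CHANGE
ACL:Everyone:ALLOWED/OI|CI/0x001200a9
ACL:EXAMPLE\Contractors:DENIED/OI|CI/WD
"""

if __name__ == "__main__":
    for who, mask in audit_sysvol_acl(SAMPLE_DUMP):
        print(f"over-broad sysvol ACE: {who} -> {mask}")
```

Feed it the real output of `smbcacls //dc/sysvol "" -U user` (and of the subfolders, since inheritance can be broken) to confirm that only the expected administrative principals can change the share.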
