[Samba] Samba4 and sysvol share

Christopher Whitehead cwhitehead73 at gmail.com
Thu Sep 29 18:32:50 MDT 2011


Alright, here is the update, Felix.

From a default install, at least on the server I set up, sysvol is
Authenticated Users (read/execute), Domain Admins (all), System (all). It and
all children.

As you dive deeper into the folder structure there are some more added, like
Enterprise Admins and so forth (with full privileges). I believe Owner is
also one as you get further down, and it has no privileges set.

Chris

On Wed, Sep 28, 2011 at 4:25 PM, Christopher Whitehead <
cwhitehead73 at gmail.com> wrote:

> No problem.  That setup I was talking about is running the same version of
> Samba4 that you are.  Yea, that is definitely not good if someone could go
> in there and change what login scripts were run or what they are supposed to
> do.
>
> If it is indeed this way, then definitely nice find on your end.  Will have
> to be reported as a config issue or something with Samba4 alpha17.
>
> It will probably be after lunch before I can let ya know though.  I'm
> waiting on a monitor to come in for a setup they needed.  So right after
> that gets over here tomorrow I will head over there and get back with ya.
>
>
>
> On Wed, Sep 28, 2011 at 3:41 PM, <felix at epepm.cupet.cu> wrote:
>
>> >> Definitely that is where your login scripts and so forth are, or the
>> >> general place that you are supposed to put them.  I've got to go do
>> >> some work over at a place I have a Samba4 PDC setup tomorrow.
>> >>
>> >> Did you mess with the permissions or don't recall?  Was it like that
>> >> when you installed?
>> >>
>> >> I wouldn't allow Everyone to have access.  Go the Authenticated Users
>> >> route or maybe Domain Users with read/execute permissions.  I'll check
>> >> all the different users on it tomorrow for ya and drop back a line to
>> >> this thread though.  There might be a phantom User that only Samba
>> >> knows about that is listed there that might be specific to your
>> >> install.
>> >>
>> >> It would be nice if someone chimed in here, have been wondering about
>> >> that... ;)
>> >>
>> >> Chris
>> >>
>> > Hi Chris:
>> > It's a recent test installation using the Samba4 alpha 17 tar. I have
>> > done nothing with the permissions. I haven't even touched smb.conf.
>> > I was browsing the content of sysvol in my Samba4 server with a domain
>> > user I created and then I tried deleting a file and I could do it, tried
>> > with the whole content of sysvol and I could delete all. Then I
>> > reinstalled samba and tried again with a new domain user, and could do
>> > it again.
>> >
>> > The permissions on a Windows 2003 server are as shown below and you're
>> > right, only authenticated users should have read and execute
>> > permissions. But I tried with a Windows client in a virtual PC against
>> > a real Windows 2003 server and surprisingly I could list the content of
>> > sysvol in spite of this virtual PC not being a member of the Windows
>> > 2003 server domain. That's why I suggested that maybe it would be ok to
>> > allow everyone read and execute permissions.
>> >
>> My mistake. Unauthenticated users have no access to sysvol in Windows 2003
>> server. Sorry!!!
>>
>> >
>> >
>> >> On Wed, Sep 28, 2011 at 1:55 PM, <felix at epepm.cupet.cu> wrote:
>> >>
>> >>> > On 28/09/2011 04:59, felix at epepm.cupet.cu wrote:
>> >>> >>>> On 27/09/2011 13:07, felix at epepm.cupet.cu wrote:
>> >>> >>>>> Hello.
>> >>> >>>>> I noticed that any domain user can delete the content of the
>> >>> >>>>> shared folder sysvol in the domain controller from a Windows
>> >>> >>>>> client.
>> >>> >>>>>
>> >>> >>>>> How can I avoid that?
>> >>> >>>>>
>> >>> >>>>> Greetings,
>> >>> >>>>> Felix
>> >>> >>>>>
>> >>> >>>> What's the default Windows behavior with this?
>> >>> >>>>
>> >>> >>>> Matthieu.
>> >>> >>>>
>> >>> >>> Windows users              Windows permissions
>> >>> >>> -------------------------------------------------
>> >>> >>> Domain Admins----------->  Full Access
>> >>> >>> Authenticated Users------>  Read & Execute, List folder contents, Read
>> >>> >>> CREATOR OWNER----------->  Special permissions (Maybe we don't need this)
>> >>> >>> Server Operators-------->  Read & Execute, List folder contents, Read
>> >>> >>> SYSTEM------------------>  Full Access
>> >>> >>>
>> >>> >> I think that what is needed here is:
>> >>> >> Domain Admins------------->  Full Access
>> >>> >> and everybody else-------->  Read & Execute, List folder contents, Read
>> >>> >>
>> >>> >> I think that GPOs and some scripts are delivered to Windows clients
>> >>> >> through sysvol, that's why I don't want any of my users to be able to
>> >>> >> delete the sysvol content.
>> >>> >>
>> >>> >> What should I do to accomplish that goal?
>> >>> > In theory we should have the ACLs ok, I have to check these things but
>> >>> > it won't be before next week, I'm at IOLAB with Microsoft this week
>> >>> > focusing on FRS replication.
>> >>> >
>> >>> >
>> >>> > Sorry.
>> >>> >
>> >>> > Matthieu.
>> >>> >
>> >>> I understand. I'll be waiting for an answer.
>> >>> Thanks.
>> >>>
>> >>> Felix.
>> >>> --
>> >>> To unsubscribe from this list go to the following URL and read the
>> >>> instructions:  https://lists.samba.org/mailman/options/samba
>> >>>
>> >>
>> >
>> >
>>
>>
>>
>
>
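An added check for the sysvol ACL question discussed in this thread (example code written for this page, not Samba's own tooling or anything posted by the participants): it parses a DACL given as an SDDL string, such as one exported with `samba-tool ntacl get <path> --as-sddl` on Samba 4 or `(Get-Acl \\dc\sysvol).Sddl` on Windows (both assumed to be available on the reader's version), and lists every allow ACE that grants write or delete rights to a principal outside an admin allow-list. The two sample ACLs are constructed.

```python
import re

# SDDL two-letter rights codes -> access-mask bits (the subset file ACEs use).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x001F01FF, "FX": 0x001200A0, "FW": 0x00120116, "FR": 0x00120089,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
    "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# Bits that let a principal change or remove sysvol content: FILE_WRITE_DATA,
# FILE_APPEND_DATA, FILE_WRITE_EA, FILE_DELETE_CHILD, FILE_WRITE_ATTRIBUTES,
# DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
WRITE_MASK = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x40000000 | 0x10000000)
# Principals expected to hold write rights on sysvol (Domain/Enterprise Admins,
# SYSTEM, BUILTIN\Administrators; CREATOR OWNER only covers files the user made).
TRUSTED_ALIASES = {"DA", "EA", "SY", "BA", "CO"}
TRUSTED_RIDS = ("-512", "-519")          # raw SIDs of Domain / Enterprise Admins

DACL_RE = re.compile(r"D:[PAIR]*((?:\([^)]*\))+)")   # DACL flags, then the ACE run
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_rights(field):
    """Turn an SDDL rights field (hex mask or run of two-letter codes) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask

def writable_by_non_admins(sddl):
    """Return [(sid, mask)] for allow ACEs giving write/delete to untrusted principals."""
    dacl = DACL_RE.search(sddl)
    findings = []
    for ace in ACE_RE.findall(dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _iobj, sid = ace.split(";")[:6]
        if ace_type != "A":                      # deny/audit ACEs grant nothing
            continue
        mask = parse_rights(rights)
        if mask & WRITE_MASK and sid not in TRUSTED_ALIASES and not sid.endswith(TRUSTED_RIDS):
            findings.append((sid, mask))
    return findings

# Constructed samples, not ACLs captured from any server in the thread. The first
# grants Authenticated Users full control, so any domain user can delete sysvol;
# the second is the read/execute-only layout the thread describes as correct.
BROKEN_SYSVOL = "O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;FA;;;AU)"
GOOD_SYSVOL = ("O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;FA;;;EA)"
               "(A;OICI;0x1200a9;;;AU)(A;OICIIO;FA;;;CO)"
               "(A;OICI;0x1200a9;;;S-1-5-21-111-222-333-513)")
```

Run it against the SDDL of the sysvol root and of a GPO subfolder; an empty list means no non-admin principal can change or delete content there.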

