[Samba] Rights issue on GPO

Rowland penny rpenny at samba.org
Mon Jun 27 18:14:45 UTC 2016


On 27/06/16 14:13, L.P.H. van Belle wrote:
>> Two things Louis:
>>
>> if you look very closely at the differences in the 'ERROR' message, you
>> will find the only difference is this:
>>
>> O:LAG:DAD:PAR(
>>
>> against the expected:
>>
>> O:DAG:DAD:PAR(
>>
>> The returned ACL is owned by the 'Local Admins', but it should be owned
>> by 'Domain Admins'. As far as I can see, windows doesn't really care who
>> owns an object, as long as the ACEs are correct and they are!
>>
>> Secondly, more than happy to try adding a GPO, only problem is, I have
>> never really added one, can you point me at a good howto ?
>>
>> Rowland
>>
> Hai Rowland,
>
> I just checked on a windows 2008 R2 server.
>
> Sysvol security rights should be.
>
> DOMAIN\Server Operators
> Creator Owner
> Authenticated Users
> SYSTEM
> DOMAIN\Administrators contains:
> "Domain Admins", Administrator and "Enterprise Admins"

Hi Louis, I have been doing some checking and found this Microsoft page:

https://technet.microsoft.com/en-us/library/cc816750%28v=ws.10%29.aspx

It lists the default settings, and they don't match either your list or 
what Samba uses; it uses:

Authenticated Users
Server Operators
Built-in administrators
SYSTEM
Creator Owner

Samba uses this:

SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"

Which boils down to:

Built-in administrators
Server Operators
SYSTEM
Authenticated Users

There is no 'Creator Owner'.

The ACL for the Policies directory doesn't have 'Creator Owner' either, 
and according to the Microsoft page, it should.

Rowland

>
> And the "DOMAIN\Administrators" is in the Builtin OU.
>
> And the same for "DOMAIN\Users", which contains:
> Authenticated Users, Domain Users, INTERACTIVE
>
> So imo this is a bug, as Achim said.
> All local security groups must map correctly.
> But one must try not to mix BUILTIN\localgroup and DOMAIN\localgroup.
>
> So imo, if Samba is used as a standalone server, all security groups map to BUILTIN\localgroups.
>
> And when it's a domain AD DC server,
> BUILTIN maps to OU=Builtin, and here are the correct groups like DOMAIN\localgroups.
>
>
> Greetz,
>
> Louis
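As an added example (not code from this thread, from Samba or from Microsoft), here is a small Python parser for the SYSVOL_ACL string quoted above: it splits the SDDL into owner, group, DACL flags and ACEs, names the trustees, and reports which entries of the Microsoft default list have no ACE at all. The alias and access-mask names are taken from the Windows SDDL documentation; the expected list is the one Rowland quotes from the Microsoft page.

```python
import re

# SDDL two-letter SID aliases that occur on this thread (names per the Windows SDDL spec).
SID_ALIASES = {
    "BA": "Built-in administrators", "SO": "Server Operators", "SY": "SYSTEM",
    "AU": "Authenticated Users", "CO": "Creator Owner",
    "LA": "Local Administrator", "DA": "Domain Admins",
}
RIGHTS = {0x001F01FF: "Full control", 0x001200A9: "Read & execute"}  # generic file masks

SDDL_RE = re.compile(r"^O:(?P<owner>[A-Z]{2}|S-1-[\d-]+)G:(?P<group>[A-Z]{2}|S-1-[\d-]+)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_sddl(sddl):
    """Split an O:..G:..D:.. SDDL string into owner, group, DACL flags and ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    aces = []
    for ace_type, ace_flags, rights, _obj, _inh_obj, trustee in ACE_RE.findall(m["aces"]):
        # Hex masks become ints; letter rights codes (e.g. FA) are kept verbatim.
        mask = int(rights, 16) if rights.lower().startswith("0x") else rights
        aces.append({"type": ace_type, "flags": ace_flags, "rights": mask, "trustee": trustee})
    return {"owner": m["owner"], "group": m["group"], "dacl_flags": m["flags"], "aces": aces}

def name(alias):
    return SID_ALIASES.get(alias, alias)
def rights_name(mask):
    return RIGHTS.get(mask, mask if isinstance(mask, str) else hex(mask))
def trustees(acl):
    """Trustee names in ACE order, which is how the thread lists them."""
    return [name(a["trustee"]) for a in acl["aces"]]
def missing_trustees(acl, expected):
    """Expected trustees that have no ACE at all in this DACL."""
    return sorted(set(expected) - set(trustees(acl)))

# The Samba SYSVOL_ACL quoted above and the Microsoft default list as Rowland quotes it.
SYSVOL_ACL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
              "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
MS_DEFAULT = ["Authenticated Users", "Server Operators", "Built-in administrators",
              "SYSTEM", "Creator Owner"]

if __name__ == "__main__":
    acl = parse_sddl(SYSVOL_ACL)
    print("owner:", name(acl["owner"]), "| group:", name(acl["group"]), "| DACL flags:", acl["dacl_flags"])
    for a in acl["aces"]:
        print(f"  {a['type']} {a['flags']:<4} {rights_name(a['rights']):<15} {name(a['trustee'])}")
    print("missing vs. Microsoft defaults:", missing_trustees(acl, MS_DEFAULT))
```

Running it against the Samba string reports 'Creator Owner' as the only default trustee without an ACE, which is the gap Rowland describes.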