[Samba] Windows ACL clarification for Roaming Profiles share
Lenard Fudala
lfudala at themxgroup.com
Wed Feb 15 22:47:37 UTC 2017
The following wiki pages have varying suggestions on what to use for
Windows ACLs on a Samba share.
https://wiki.samba.org/index.php/Implementing_roaming_profiles
https://wiki.samba.org/index.php/User_Home_Folders
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
The different suggestions on the referenced wiki pages, without explanation
of the choices, causes a lot of confusion. Most importantly, they reference
each other without clarifying exactly what parts to use from the other
pages.
The goal here is Roaming Profiles and Folder Redirection, each with its own
share. Samba 4.3.11 on Ubuntu 16.04.2 with Windows 7 clients for now,
Windows 10 eventually.
What I've managed to come up with for share permissions:
Authenticated Users
- Read
- Change (can't create directory without)
Domain Admins
- Full control
For the ACLs on the root folder of the share:
CREATOR OWNER - Subfolders and files only
- Full Control
Domain Admins - This folder, subfolders, and files
- Full Control
Authenticated Users - This folder only
- Traverse folder/execute file, List folder/read data, Create
folder/append data
The majority of the guides outside of the wiki suggest Windows wants to see
SYSTEM in the ACL list with Full Control. So far, in isolated testing, my
permissions work fine. Is there any need for this extra ACL that may not be
obvious currently?
-Lenard
More information about the samba
mailing list