[Samba] Windows ACL clarification for Roaming Profiles share

Marc Muehlfeld mmuehlfeld at samba.org
Fri Feb 17 06:58:58 UTC 2017

On 16.02.2017 at 17:27, Rowland Penny via samba wrote:
>> What uses the SYSTEM principal on the Sysvol share?
> Not sure if anything actually uses SYSTEM on Unix, probably not.

It's a Samba DC built-in account, thus I'm sure nothing outside Samba
uses it. Neither does Samba. Samba uses root privileges to access files,
if necessary.

> However, SYSTEM is used in sysvol and Windows expects it.

Clients that access the share do not require it to be set on the
local filesystem the share uses on the server, because SYSTEM is a local
principal on each host (in this case, the DC that hosts the sysvol share).

The sysvol share also works if you remove the SYSTEM principal. The
principal is used, as everywhere else, to enable, e.g., local services
that use the SYSTEM account to access the content on the local file
system. That's why it is usually added to file system ACLs everywhere on
Windows, but it's nothing Windows expects or requires.

For this reason, if you remove SYSTEM from the Sysvol's file system
ACLs, the share works completely the same, regardless of whether you do
this on a Windows or on a Samba DC.

