[Samba] Windows ACL clarification for Roaming Profiles share

L.P.H. van Belle belle at bazuin.nl
Fri Feb 17 08:26:51 UTC 2017


> What uses the SYSTEM principal on the Sysvol share? 
Every computer or user that has a GPO set.

Do read: 
https://technet.microsoft.com/en-us/library/dd851678(v=ws.11).aspx
And see here, Security options:
Computer Configuration, by default the task is run in the security context of the SYSTEM account.


I noticed
wbinfo --sid-to-name=S-1-5-18 on a 4.5.3 ADDC does not work
but 
wbinfo --sid-to-name=S-1-5-18 on a 4.5.5 member does work.

I'm still testing my 4.5.5 Samba deb packages, so can someone confirm the above? Is this resolved in 4.5.5 on the AD also?
Then I'll have to speed up my testing and deploy 4.5.5; I really, really need to get the system correct.
For info about getting that correct, see these on the list:

https://lists.samba.org/archive/samba/2016-December/thread.html#204945

All the info you need and the steps to reproduce are found under the subject:
"Security Principals, and SID's mapping bug"
https://lists.samba.org/archive/samba/2017-January/206112.html



Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marc Muehlfeld
> via samba
> Sent: Thursday 16 February 2017 17:13
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Windows ACL clarification for Roaming Profiles
> share
> 
> On 16.02.2017 at 15:47, Rowland Penny via samba wrote:
> >> On Windows, the SYSTEM account is used by services on the local host
> >> (in your case, the local host is your Samba server). For example,
> >> virus scanners might use it to get access to all files. However,
> >> there is nothing on your Samba server that uses the SYSTEM account.
> >> Thus it makes no difference if you add it or not.
> >>
> >
> > Marc, You might want to re-consider that statement, SYSTEM is used
> > extensively in sysvol.
> 
> 
> What uses the SYSTEM principal on the Sysvol share?
> 
> Is it really used (by what?) or do we just have this principal in the
> ACLs to be consistent with a Windows DC?
> 
> 
> Regards,
> Marc
> 