[Samba] Windows ACL clarification for Roaming Profiles share

Rowland Penny rpenny at samba.org
Fri Feb 17 09:28:31 UTC 2017


On Fri, 17 Feb 2017 07:58:58 +0100
Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> On 16.02.2017 at 17:27, Rowland Penny via samba wrote:
> 
> > However, SYSTEM is used in sysvol and Windows expects it.
> 
> Clients that are accessing the share do not require it to be set on
> the local filesystem the share uses on the server, because SYSTEM is
> a local principal on each host (in this case, the DC that hosts the
> sysvol share).
> 
> The sysvol share works also if you remove the SYSTEM principal. The
> principal is used, as everywhere else, to enable e.g. local services
> that use the SYSTEM account, to access the content on the local file
> system. That's why it is usually added to file system ACLs everywhere
> on Windows, but it's nothing Windows expects nor requires.
> 
> For this reason, if you remove SYSTEM from the Sysvol's file system
> ACLs, the share works completely the same, regardless of whether you
> do this on a Windows or on a Samba DC.
> 

So, I give you a link to a Microsoft page that shows what accounts are
required for the profiles share and you choose to ignore it ????

Rowland


