[Samba] Windows ACL clarification for Roaming Profiles share

Marc Muehlfeld mmuehlfeld at samba.org
Fri Feb 17 23:28:14 UTC 2017

On 17.02.2017 at 10:28, Rowland Penny via samba wrote:
> So, I give you a link to a Microsoft page that shows what accounts are
> required for the profiles share and you choose to ignore it ????

Yes, because
1.) It might be necessary _locally_ on the Windows DC
     because some _local_ services (e.g. virus scanners,
     etc.) may access the files _locally_ _on the DC itself_.
     However, if anything on the client (the OS or a user)
     were to access the share using the SYSTEM privilege,
     then "full control" is surely not the permission
     you grant to the SYSTEM account on all files including
     subfolders. :-)
2.) This page just lists a bunch of accounts without
     explaining why it should be a requirement. Nor does it
     say that it won't work without them.
3.) If SYSTEM were a requirement on the profiles
     or any other share for a Windows client, then
     shares using POSIX ACLs would not work at all.

My profile share hosted on my DC works perfectly without the SYSTEM account
here. I never added the account to the ACLs because it makes no sense
(at least not on a Samba host). And the share works as expected,
because nothing on the client accesses the share using the SYSTEM account,
nor does Samba locally on the server.

If you still don't believe me, try it:
- Remove the SYSTEM account from the ACLs on your profiles share.
- Log in using a new domain user account that has a profile path set.
- Log out. The user's profile folder is uploaded to the share.
- Log in again.
- Create a file on the desktop.
- Log out. You see the file is uploaded to the server.
If you want to extend this exercise:
- Log in using a local account, delete the local copy of
   the profile (System properties / User profile settings.
   Do not just delete the folder. That has not worked since Vista.)
- Log out.
- Log in using the domain account you used before.
- You see the profile was downloaded again from the server,
   including the file you stored on the desktop.
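As an added example (not code from the thread or from the Samba project): a small Python audit that parses an ACL listing in the style of `smbcacls` output and reports whether `NT AUTHORITY\SYSTEM` holds an inherited Full Control ACE on the share root, i.e. the entry the post says a profiles share does not need. The `ACL:principal:type/flags/access` line format and the sample listing are assumptions constructed for the example.

```python
import re

# Constructed sample in the style of `smbcacls` output for a profiles share
# root (assumption for this example; not captured from a real server).
SAMPLE_ACL = """\
REVISION:1
CONTROL:SR|DI|DP
OWNER:EXAMPLE\\Administrator
GROUP:EXAMPLE\\Domain Users
ACL:EXAMPLE\\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\\SYSTEM:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:EXAMPLE\\Domain Users:ALLOWED/0x0/READ
"""

# One ACE per line: ACL:<principal>:<ALLOWED|DENIED>/<flags>/<access>
ACE_RE = re.compile(
    r"^ACL:(?P<who>.+):(?P<type>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<access>.+)$"
)


def parse_aces(text):
    """Return a list of (principal, type, flags-set, access) tuples."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # REVISION/CONTROL/OWNER/GROUP lines are not ACEs
        flags = {f for f in m["flags"].split("|") if f and f != "0x0"}
        aces.append((m["who"], m["type"], flags, m["access"]))
    return aces


def full_control_inherited(aces, principal):
    """True if principal has an ALLOWED/FULL ACE that propagates to
    subfolders and files (both OI and CI inheritance flags set)."""
    return any(
        who == principal and t == "ALLOWED" and access == "FULL"
        and {"OI", "CI"} <= flags
        for who, t, flags, access in aces
    )


def unexpected_full_control(aces, expected):
    """Principals granted Full Control that are not in the expected set."""
    return sorted({who for who, t, flags, access in aces
                   if t == "ALLOWED" and access == "FULL" and who not in expected})


if __name__ == "__main__":
    aces = parse_aces(SAMPLE_ACL)
    print("SYSTEM full control:", full_control_inherited(aces, "NT AUTHORITY\\SYSTEM"))
    print("unexpected:", unexpected_full_control(aces, {"EXAMPLE\\Domain Admins", "CREATOR OWNER"}))
```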


More information about the samba mailing list