[Samba] Windows ACL clarification for Roaming Profiles share

Rowland Penny rpenny at samba.org
Sat Feb 18 09:50:50 UTC 2017

On Sat, 18 Feb 2017 00:28:14 +0100
Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> Yes, because
> 1.) It might be necessary _locally_ on the Windows DC
>      because some _local_ services (e.g. virus scanners,
>      etc) may access the files _locally_ _on the DC itself_.
>      However, if anything on the client (the OS or a user)
>      would access the share using the SYSTEM privilege,
>      then "full control" is surely not the permission
>      you grant to the SYSTEM account to all files including
>      subfolders. :-)

What you say has some validity, but people have been known to run a
virus scanner on Linux machines, just to scan Windows files.

> 2.) This page just lists a bunch of accounts without
>      explaining why it should be a requirement. Nor does it
>      say that it won't work without.

You could say the same about the Samba wiki page.

> 3.) If SYSTEM would be a requirement on the profiles
>      or any other share for a Windows client, then
>      shares using POSIX ACLs would not work at all.

I fail to see why they wouldn't.

> If you still don't believe me, try it:

I believe it works for you without SYSTEM, but I thought that the Samba
AD DC was supposed to be compatible with a Windows DC and as such, it
should be set up in the same way.

