[Samba] Windows ACL clarification for Roaming Profiles share
Rowland Penny
rpenny at samba.org
Sat Feb 18 09:50:50 UTC 2017
On Sat, 18 Feb 2017 00:28:14 +0100
Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>
> Yes, because
> 1.) It might be necessary _locally_ on the Windows DC
> because some _local_ services (e.g. virus scanners,
> etc) may access the files _locally_ _on the DC itself_.
> However if anything on the client (the OS or a user)
> would access the share using the SYSTEM privilege,
> then "full control" is surely not the permission
> you grant to the SYSTEM account to all files including
> subfolders. :-)
What you say has some validity, but people have been known to run a
virus scanner on Linux machines, just to scan Windows files.
> 2.) This page just lists a bunch of accounts without
> explaining why it should be a requirement. Nor does it
> say that it won't work without.
You could say the same about the Samba wiki page.
> 3.) If SYSTEM would be a requirement on the profiles
> or any other share for a Windows client, then
> shares using POSIX ACLs would not work at all.
I fail to see why they wouldn't.
>
> If you still don't believe me, try it:
I believe it works for you without SYSTEM, but I thought that the Samba
AD DC was supposed to be compatible with a Windows DC and as such, it
should be set up in the same way.
Rowland