[Samba] Windows ACL clarification for Roaming Profiles share
Rowland Penny
rpenny at samba.org
Sat Feb 18 11:27:13 UTC 2017
On Sat, 18 Feb 2017 12:08:01 +0100
Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> The virus scanner can use _any_ account on the local machine. If it
> must access all files, start the job as "root". Or you create a new
> account that is part of the ACLs and use this one.
>
> I would avoid using a Samba internal account for that. If Samba is
> down, NSS not configured correctly, etc. the job would fail.
>
> However, and this is the main reason, you can't use the SYSTEM
> account in the OS. Have you tried to "su" to this account? Maybe it's
> possible with some hack after you manually edit the database and
> assigned a UID, etc., but this account appears nowhere in the user
> account management, like on Windows.
You can 'map' SYSTEM on a domain member, couldn't seem to get it to
work on a DC, though I didn't try hard ;-)
>
>
>
>
> >> 2.) This page justs list a bunch of accounts without
> >> explaining why it should be a requirement. Nor it
> >> says that it won't work without.
> >
> > You could say the same about the Samba wiki page.
>
> Yes I know, but I haven't rewritten the Profiles page yet.
>
> When I rewrote the "User Home Folder" page, I omitted SYSTEM in the
> list of Windows ACLs (and of course it was never part of the POSIX
> ACLs in this guide). However, I saw no reason to explain things that
> I don't tell the user to set and what not necessary. If you follow
> the guide, you get everything you need for a fully working share.
I think 'SYSTEM' should be mentioned, if only to say why you don't need
it.
>
> If you argue that the SYSTEM account must exist in the ACLs of a
> profile share's file system, then the following shared folder would
> fail, because only root and "Domain Users" are part of the ACLs:
>
> $ ls -la /srv/samba/profiles -d
> drwxr-s--- 21 root "Domain Users" 4096 15. Feb
> 19:10 /srv/samba/profiles
>
It appears you don't have any ACLs set there, just Unix permissions, I
have:
ls -lad /home/SAMDOM/profiles/
drwxrwx--T+ 2 root root 4096 Nov 28 12:12 /home/SAMDOM/profiles/
> That's why it is part of the Sysvol share's file system ACLs. To be
> consistent. However, this is only to be _consistent_. It has nothing
> to do with being _compatible in this case.
Not going to argue over a word, but we should be consistent about being
consistent ;-)
Rowland
More information about the samba
mailing list