[Samba] Windows ACL clarification for Roaming Profiles share

Marc Muehlfeld mmuehlfeld at samba.org
Sat Feb 18 13:53:34 UTC 2017

On 18.02.2017 at 12:27, Rowland Penny via samba wrote:
> You can 'map' SYSTEM on a domain member, couldn't seem to get it to
> work on a DC, though I didn't try hard ;-)

But mapping is applied when a user connects to a resource. Then the 
connecting Samba account is mapped to a local unix account and the file 
system is accessed using the Unix account's permissions. It does not 
work the other way around. You can't map the "local" (built-in) SYSTEM 
to a local/domain user and then "su - SYSTEM".

>> When I rewrote the "User Home Folder" page, I omitted SYSTEM in the
>> list of Windows ACLs (and of course it was never part of the POSIX
>> ACLs in this guide). However, I saw no reason to explain things that
>> I don't tell the user to set and that are not necessary. If you follow
>> the guide, you get everything you need for a fully working share.
> I think 'SYSTEM' should be mentioned, if only to say why you don't need
> it.

I can write a short page describing what the SYSTEM account is used for 
on Windows and why it does not apply to Samba on Unix. And we can link 
it from the pages talking about setting Windows ACLs.

