[Samba] Windows ACL clarification for Roaming Profiles share

L.P.H. van Belle belle at bazuin.nl
Mon Feb 20 10:23:36 UTC 2017


Hai, see below. 


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Monday 20 February 2017 10:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Windows ACL clarification for Roaming Profiles
> share
> 
> On Mon, 20 Feb 2017 09:08:56 +0100
> L.P.H. van Belle <belle at bazuin.nl> wrote:
> 
> 
> > Conclusion for me is.
> > Sure, I believe all you're saying, and everything you're saying works.
> > BUT
> > If you're going to set more advanced GPO settings, it will end up in
> > errors, not-working GPOs etc.
> >
> > Just my saying, said already too much here.
> 
> Not as far as I am concerned.
> 
> > Posted problems like this long ago already.
> 
> Yes, but have you reported a bug ?
There are multiple reports about this or related to this.

Which I think are bugs related to missing/incorrect use of SYSTEM ( and LOCAL and NETWORK )
https://bugzilla.samba.org/show_bug.cgi?id=12164 
https://bugzilla.samba.org/show_bug.cgi?id=12410
https://bugzilla.samba.org/show_bug.cgi?id=12257
https://bugzilla.samba.org/show_bug.cgi?id=11677
https://bugzilla.samba.org/show_bug.cgi?id=3350 
https://bugzilla.samba.org/show_bug.cgi?id=12243 
A snap; there are more related to this problem.
There are more, but I'm always having a hard time finding them. :-(

It's really not a small thing here, lots use the 3 SIDs (S-1-5-18 -19 -20)
These all work on the member servers ( tested 4.5.3 and 4.5.5 ) 
wbinfo -s S-1-5-18
NT AUTHORITY\SYSTEM 5
wbinfo -s S-1-5-19
NT AUTHORITY\Local Service 5
wbinfo -s S-1-5-20
NT AUTHORITY\Network Service 5
wbinfo -s S-1-5-21

but these all also DON'T work on a DC. ( 4.5.3 tested )
All report.. 
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18
Could not lookup sid S-1-5-19
Could not lookup sid S-1-5-20

I've sort of "made a workaround" by abusing:
acl_xattr:ignore system acls = yes 

which works for me, but it's nice to get above fixed.

> 
> >
> > For a correct windows 10 profiles share, you need the following.
> > https://technet.microsoft.com/en-us/library/jj649079(v=ws.11).aspx
> > which clearly shows systems with Full control.
> >
> 
> Which was what I was trying to get across, we English have a saying:
> 
> When in Rome, do as the Romans do.
> 
> Which could be re-written as:
> 
> When using something that emulates a Windows product, do as Windows
> expects.
> 
> Just because 'SYSTEM' does nothing on Linux, doesn't mean you
> shouldn't add its ACE to profiles.

Totally agree.

> 
> Rowland
> 
> 
Greetz, 

Louis



