[Samba] Windows ACL clarification for Roaming Profiles share
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 20 10:23:36 UTC 2017
Hai, see below.
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via
> Sent: Monday 20 February 2017 10:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Windows ACL clarification for Roaming Profiles
> On Mon, 20 Feb 2017 09:08:56 +0100
> L.P.H. van Belle <belle at bazuin.nl> wrote:
> > Conclusion for me is:
> > Sure, I believe all you're saying and everything you're saying works.
> > BUT
> > If you're going to set more advanced GPO settings, it will end up in
> > errors, not working GPOs etc.
> > Just my saying, said already too much here.
> Not as far as I am concerned.
> > Posted problems like this long ago already.
> Yes, but have you reported a bug ?
There are multiple reports about this or related to this.
Which I think are bugs related to missing/incorrect use of SYSTEM (and LOCAL and NETWORK).
A snap; there are more related to this problem.
There are more, but I'm always having a hard time finding them. :-(
It's really not a small thing here, lots use the 3 SIDs (S-1-5-18, -19, -20).
These all work on the member servers (tested 4.5.3 and 4.5.5):
wbinfo -s S-1-5-18
NT AUTHORITY\SYSTEM 5
wbinfo -s S-1-5-19
NT AUTHORITY\Local Service 5
wbinfo -s S-1-5-20
NT AUTHORITY\Network Service 5
wbinfo -s S-1-5-21
But these all also DON'T work on a DC (4.5.3 tested):
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-18
Could not lookup sid S-1-5-19
Could not lookup sid S-1-5-20
I sort of "made a workaround" by abusing:
acl_xattr:ignore system acls = yes
which works for me, but it's nice to get the above fixed.
> > For a correct windows 10 profiles share, you need the following.
> > https://technet.microsoft.com/en-us/library/jj649079(v=ws.11).aspx
> > which clearly shows systems with Full control.
> Which was what I was trying to get across, we English have a saying:
> When in Rome, do as the Romans do.
> Which could be re-written as:
> When using something that emulates a Windows product, do as Windows
> Just because 'SYSTEM' does nothing on Linux, doesn't mean you
> shouldn't add its ACE to profiles.
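As an added example (not part of this thread or of Samba itself), a small Python check that wraps the `wbinfo -s` calls shown above and classifies their output, so you can verify that S-1-5-18/19/20 resolve on a host before relying on SYSTEM, Local Service and Network Service ACEs in the profiles share ACL. The helper names, the injectable lookup, and treating a result with an unexpected name as a failure are my assumptions.

```python
import re
import subprocess

# Well-known SIDs from the thread: they resolve on member servers but not on the DC.
WELL_KNOWN_SIDS = {
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-19": r"NT AUTHORITY\Local Service",
    "S-1-5-20": r"NT AUTHORITY\Network Service",
}

# Successful lookup: "<name> <sid type>", e.g. "NT AUTHORITY\SYSTEM 5" (5 = well-known group).
_OK_RE = re.compile(r"^(?P<name>.+\S)\s+(?P<type>\d+)$")
# Failed lookup: "failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND".
_ERR_RE = re.compile(r"wbcLookupSid: (?P<err>\S+)")


def run_wbinfo(sid):
    """Run `wbinfo -s SID` and return its combined stdout and stderr (assumed helper)."""
    proc = subprocess.run(["wbinfo", "-s", sid], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def classify(sid, output):
    """Turn the text of one `wbinfo -s` call into a result dict."""
    err = _ERR_RE.search(output)
    if err or "Could not lookup sid" in output:
        return {"sid": sid, "resolved": False,
                "detail": err.group("err") if err else "lookup failed"}
    for line in output.splitlines():
        m = _OK_RE.match(line.strip())
        if m:
            name, expected = m.group("name"), WELL_KNOWN_SIDS.get(sid)
            # A lookup that returns a different name than expected is also a problem.
            return {"sid": sid, "resolved": expected is None or name == expected,
                    "detail": name, "type": int(m.group("type"))}
    return {"sid": sid, "resolved": False, "detail": "no lookup result"}


def check_well_known_sids(lookup=run_wbinfo):
    """Look up every well-known SID; `lookup` is injectable so the check runs on canned output."""
    return {sid: classify(sid, lookup(sid)) for sid in WELL_KNOWN_SIDS}


def unresolved(results):
    """SIDs that did not resolve; empty means SYSTEM/Local/Network Service ACEs are usable."""
    return sorted(sid for sid, r in results.items() if not r["resolved"])


if __name__ == "__main__":
    missing = unresolved(check_well_known_sids())
    print("all well-known SIDs resolve" if not missing else f"unresolved: {missing}")
    raise SystemExit(1 if missing else 0)
```

Run it on a member server and on the DC; a non-zero exit on the DC reproduces the WBC_ERR_DOMAIN_NOT_FOUND case from the thread.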