[Samba] Fixing sysvol permissions

Mark Foley mfoley at ohprs.org
Thu Jun 14 20:21:03 UTC 2018

After applying the permissions as described below and restarting Samba, I'm still not able to
have a user access her redirected desktop. I get the Windows event 1096 GroupPolicy, Access
denied on


permissions on that file are:

-rwxrwx--- 1 3000000 users 3568 2015-09-09 00:50 Registry.pol*

Note that there are no other user permissions and no facls. The permissions I applied to sysvol
in the previous message do not seem to have taken effect here. Not sure why. If I examine the
Windows permission, EVERYONE is set to READ and it shows "This folder, subfolders and files".

facl on sysvol is:

# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators

What is still wrong?


-----Original Message-----
Date: Thu, 14 Jun 2018 15:10:54 -0400
To: samba at lists.samba.org
Subject: [Samba] Fixing sysvol permissions

On Thu, 14 Jun 2018 09:39:46 +0200 L.P.H. van Belle wrote:

> Hi Mark,  
> See below. ;-) 
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark 
> > Foley via samba
> > Sent: Wednesday 13 June 2018 22:50
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Admin UID changed with upgrade to 4.8.2
> > 


> > > But... What does getfacl say about these files/folders? Or 
> > get my script: 
> > > 
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh 
> > > And see if there is something wrong here in your SID/UID mappings. 
> > > The script does not apply settings by default; it only checks 
> > and creates a file with the ACL.
> > > So you can review it. 
> > 
> > Results of your script (excellent tool, btw):
> Thanks for the nice comment :-) 
> > 
> > $ ./samba-check-set-sysvol.sh
> > Review the file : default-rights-sysvol.acl, these contains 
> > the defaults for sysvol.
> > The sysvol ACLS info.....
> > 
> > Please check your share rights for sysvol from within windows.
> > If these are incorrect, correct them and run this script again.
> > Set your sysvol SHARE permissions as followed.
> > Authenticated Users: FULL CONTROL
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > User/Group system is added compaired to a win2008R2 sysvol, 
> > you need this for some GPO
> > settings.
> > 
> > Set your sysvol FOLDER permissions as followed.
> > Authenticated Users: Read & Exec, Show folder content, Read
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > 
> > #####COMMENT#######################################
> > Louis - I made the following changes to sysvol from Windows 
> > logged in as the domain
> > administrator:
> > 
> > 'EVERYONE' was set to 'special', but in 'Advanced' nothing 
> > appeared to be set. I set this to
> After that "Advanced" tab, click change owner, click edit/change. 
> There you will see what "Special" is.  

You are right.  I thought I did that, but must not have.  In the "Special" permissions for
EVERYONE I have: (Apply to Subfolders and files only) 'Traverse folder / execute file', 'List
folder /read data', 'Read attributes', 'Read extended attributes', 'Read Permissions'. 

I set these when I first installed the AD/DC with Samba 4.1 based on the alexwyn link
which no longer seems to be up. I'll double-check those settings to make sure all are still

> > 'Authenticated Users' was not in the list at all. I added 
> > this and set to FULL CONTROL.
> > 
> > 'HPRS\Administrators' was set to 'special', 'Advanced' showed 
> > FULL CONTROL. I set this to FULL
> > CONTROL on the main/first dialog.
> > 
> > I did not find HPRS\SYSTEM. When I search for that it came up 
> > with only SYSTEM. I did nothing.
> Ok, you need to add SYSTEM, that's one of the most important ones. 
> Then this is already a bit changed in samba, great, I'll go review that 
> when I'm done with my work here.

Well, I'm not sure how to add that user. What is the UID/GID? Is this a user added by
provisioning in later (than 4.1) versions of Samba and that's why I don't have it?

> > Puzzlement: Your program output has "Set your sysvol SHARE 
> > permissions ..." and a second
> > section with, "Set your sysvol FOLDER permissions ...". When 
> > I right-click on SYSVOL >
> > Properties > Security, I only have one dialog for viewing 
> > and setting permissions. There is
> > nothing about SHARE permissions versus FOLDER permissions. 
> > Nor do I see any other tab related
> > to sharing. What do you mean by this?
> SHARE Permissions:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> See : Setting Share Permissions and ACLs
> Click Start, enter Computer Management, and start the application.
> Select Action / Connect to another computer.
> Enter the name of the Samba host and click OK to connect the console to the host.
> Open the System Tools / Shared Folders / Shares menu entry.

Interesting.  I've never seen that whole 'Computer Management, Connect to another computer'
thing before ... 

OK, Everyone is currently set to FULL CONTROL. I'll set that to READ.

No other users are set. I'll set as you describe below.  I note that your specification for
SYSTEM, below, is "(BUILTIN or NTDOM or (nothing) )" whereas your samba-check-set-sysvol.sh
program outputs "(BUILTIN or NTDOM)", and your Folder permissions below also omit the "or
nothing" qualifier.  If the "or nothing" bit applies to the folder permission too, then I do
have that user.  For now, I'll assume plain ol' "SYSTEM" w/o domain prefix is correct for the
folder and go back and change that.  Let me know if I have to add a new domain SYSTEM user. 

> And review your sysvol, and set it to : 
> Authenticated Users: FULL CONTROL
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> Folder permissions: 
> Use explorer, browse to a folder, goto the security tab. 
> Set your sysvol FOLDER permissions as followed.
> Authenticated Users: Read & Exec, Show folder content, Read
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL

These I did set yesterday after your previous message, except for SYSTEM. I've gone ahead and
set (nothing)\SYSTEM to FULL CONTROL. I'll remove if you tell me this is incorrect.

> > #####END-OF-COMMENT##################################
> > 
> > $ cat default-rights-sysvol.acl

To keep clutter down, I'll repost the facl output from your samba-check-set-sysvol.sh after

> > > You updated from 4.4 to 4.8, that's a big step. 
> > > I have summarized the smb.conf changes, I suggest you review it 
> > carefully again. 
> > > http://downloads.van-belle.nl/samba4/Upgrade-info.txt
> > > Or 
> > > 
> > https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)
> > > The complete list. 
> > 
> > I will check out both of these documents.
> > 

> And I did read the comment for Rowland below too, 
> On Debian you need :
> libnss-winbind libpam-winbind to be installed. 
> I think you are missing one of these. 

The UID issue and the sysvol permission issue are really two different things and I for one get
easily confused with conflated threads. I'm going to remove these sysvol/permission comments and
post with a different topic. I'll leave these Rowland/UID related comments in this thread and
break the two up.
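As an added example, not part of this thread and not Louis's samba-check-set-sysvol.sh, here is a small shell audit of getfacl output for sysvol. It decodes getfacl's octal escapes (the `\134` seen in `BUILTIN\134administrators` above is just a backslash) and flags the two symptoms the thread is chasing: principals that appear as bare numeric ids, meaning winbind could not map the SID (the uid 3000000 on Registry.pol), and paths that carry no named ACL entries at all. The sample getfacl output is constructed; the domain directory and policy GUID in it are placeholders.

```shell
# Added example, not the list's code nor Louis's samba-check-set-sysvol.sh.
# Audits getfacl(1) output for sysvol and flags two symptoms from the thread:
# principals shown as bare numeric ids (winbind could not map the SID, like
# the 3000000 owner of Registry.pol) and paths with no named ACL entries.

# getfacl writes special characters in names as octal escapes (\134 is a
# backslash, \040 a space): BUILTIN\134administrators is BUILTIN\administrators.
acl_unescape() {
    printf '%s\n' "$1" | sed 's/\\134/\\/g; s/\\040/ /g'
}

# $1 is whole getfacl output; prints one line per finding, nothing when clean.
audit_getfacl() {
    acl_unescape "$1" | awk '
    function flush() {
        if (path != "" && named == 0)
            print path ": no named user/group ACL entries; NT ACL not applied"
        path = ""; named = 0
    }
    /^# file: / { flush(); path = substr($0, 9); next }
    /^# owner: [0-9]+$/ { print path ": owner is unmapped uid " substr($0, 10); next }
    /^# group: [0-9]+$/ { print path ": group is unmapped gid " substr($0, 10); next }
    /^(user|group):[^:]+:/ {
        split($0, f, ":"); named++
        if (f[2] ~ /^[0-9]+$/) print path ": " f[1] " entry for unmapped id " f[2]
        next
    }
    END { flush() }'
}
# Constructed sample: the sysvol root as in the mail plus a stray unmapped
# gid, then a Registry.pol owned by uid 3000000 with only owner/group/other
# bits. Domain name and policy GUID are placeholders.
SAMPLE_GETFACL='# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:BUILTIN\134administrators:rwx
group::rwx
group:NT\040Authority\134authenticated\040users:r-x
group:3000000:rwx
other::---

# file: var/lib/samba/sysvol/EXAMPLE.DOMAIN/Policies/{POLICY-GUID}/Machine/Registry.pol
# owner: 3000000
# group: users
user::rwx
group::rwx
other::---'
audit_getfacl "$SAMPLE_GETFACL"
```

Feed it real output with `audit_getfacl "$(getfacl -R /var/lib/samba/sysvol)"`; a numeric id in a finding points at idmap/nss, an entry with no named ACLs points at the NT ACL never having been written for that path.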

