[Samba] Fixing sysvol permissions

Mark Foley mfoley at ohprs.org
Tue Jun 19 16:52:46 UTC 2018


Given no responses on this question for a few days, I'm concluding that we're out of ideas on
this problem.  Let me propose a couple of ideas.  Apparently, the basic Windows FOLDER and
SHARE permissions are correct according to Louis' recommendations (see message below).  One
thing I've noticed that is a bit puzzling is the group ownership of these policy files:

-rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
-rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
-rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
-rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
-rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
-rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
-rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI

They are variously owned by groups "domusers" (10000), "users" (100), root (only the one
shown), and "HPRS/domain admins" (3000008).  The vast majority of these files belong to group
'users' including the specific files that are giving me the 'Access denied' Windows event. 
'users' is one of the ubiquitous default groups created when Linux is installed.  I believe
it's also the default group when 'adduser' is run to add a user.  Almost all of these files
belonging to group 'users' have rwxrwx--- permissions (no extended attributes). 

Could this be a problem? Should these files belong to some other group? The users themselves
belong to 'domusers' (10000) which is the group assigned to all domain users.  Perhaps higher
level extended attributes are supposed to handle access, but I don't see how a user belonging
to group 'domusers' can read any of these files belonging to group 'users' (except possibly
that first one listed having o+rx and extended attributes).  Should I change all these group
'users' to group 'domusers'?

Thought 2: If I shouldn't do that, or if that doesn't help, should I try setting 'acl_xattr:ignore
system acls = yes'?

--Mark

-----Original Message-----
Date: Mon, 18 Jun 2018 12:34:12 -0400
To: samba at lists.samba.org
Subject: Re: [Samba] Fixing sysvol permissions
From: Mark Foley via samba <samba at lists.samba.org>

On Fri, 15 Jun 2018 12:32:52 +0200 L.P.H. van Belle wrote:
>
> > OK, Everyone is currently set to FULL CONTROL. I'll set that to READ.
>
> Ai, now... Nobody can write over the share, PCs will complain.
> Some GPO settings will stop working.

But, when I ran your samba-check-set-sysvol.sh script it told me to set EVERYONE: READ. See
below:

> > $ ./samba-check-set-sysvol.sh
> > Review the file : default-rights-sysvol.acl, these contains 
> > the defaults for sysvol.
> > The sysvol ACLS info.....                                                                  
> > 
> > Please check your share rights for sysvol from within windows.
> > If these are incorrect, correct them and run this script again.
> > Set your sysvol SHARE permissions as followed.
> > EVERYONE: READ              <----------------------------------
> > Authenticated Users: FULL CONTROL
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > User/Group system is added compaired to a win2008R2 sysvol, 
> > you need this for some GPO
> > settings.
> > 
> > Set your sysvol FOLDER permissions as followed.
> > Authenticated Users: Read & Exec, Show folder content, Read
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

Perhaps I'm confusing Folder permissions and Share permissions.

> Look here, and setup like that. 
> https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th

Problem: On that link, step 2 "Check whether the Listobject permission is set for the
Authenticated Users group and whether the Authenticated Users group is missing from the
Delegation tab of the Group Policy Object."  When I edit 'Authenticated Users', I don't have
that "Default Domain Controllers Policy" dialog. Or if I do, that link doesn't tell me how to
get there.

Let me list everything I've got:

sysvol FOLDER Permissions:

CREATOR OWNER 
special
(Advanced) Subfolders and files only
(Full Control - everything is checked)
(apply these permissions to objects and/or containers ... not checked)

CREATOR GROUP Subfolders and files only
special
(Advanced) Subfolders and files only
Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions
(apply these permissions to objects and/or containers ... not checked)

Authenticated Users
Read & Execute
List folder contents
Read
(Advanced) This folder, Subfolders and files
Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions
(apply these permissions to objects and/or containers ... not checked)

SYSTEM
Full control
(advanced) This folder, subfolders and files
full control - everything is checked
(apply these permissions to objects and/or containers ... not checked)

Administrators (HPRS\Administrators)
Full control
(advanced) This folder, subfolders and files
full control - everything is checked
(apply these permissions to objects and/or containers ... not checked)

sysvol SHARE Permissions:

EVERYONE: READ
Authenticated Users: FULL CONTROL
HPRS\Administrators: FULL CONTROL
SYSTEM, FULL CONTROL

Does this look correct? Is this what you have?

Nevertheless, when I try to log into a workstation as a domain user I still do not get that
user's desktop. In the Windows eventlog Windows Logs > System, I get Event 1906 error,
GroupPolicy:

Error Description: Access is denied.
GPOCName: LDAP://CN=User,cn={178C3418-E432-414A-9185-DCD1AB359A3B},cn=policies,cn=system,DC=hprs,DC=local
FilePath: \\hprs.local\SysVol\hprs.local\Policies\{178C3418-E432-414A-9185-DCD1AB359A3B}\User\registry.pol

This is driving me crazy!

--Mark
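The question about group 'users' versus 'domusers' is really an audit question: for each policy file, can a member of domusers read it through the plain mode bits, does the trailing "+" mean extended ACL entries exist that ls -l does not show, or is there nothing granting access at all? The following Python script is an added example, not part of Mark's post or of Samba; it parses the ls -l style lines quoted in the post (embedded here as constructed sample data) and classifies each file from the viewpoint of a domusers member. The group name 'domusers', the three classification labels and the assumption that ls output carries a "%Y-%m-%d %H:%M:%S" timestamp are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample: the ls -l style lines quoted in the post above
# (the GUIDs and paths are the ones the post shows, nothing else was collected).
SAMPLE_LISTING = """\
-rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
-rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
-rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
-rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
-rwxrwx---+ 1 3000008 HPRS\\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
"""

# Group names may contain spaces ("HPRS\domain admins"), so the group field is
# matched non-greedily up to the size/timestamp columns instead of split on whitespace.
LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9}[+.]?)\s+\d+\s+(?P<owner>\S+)\s+"
    r"(?P<group>.+?)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)


@dataclass
class Entry:
    path: str
    mode: str      # e.g. "-rwxrwx---+"
    owner: str
    group: str
    has_acl: bool  # trailing "+" means extended ACL entries exist that ls -l does not show


def parse_listing(text: str) -> List[Entry]:
    """Parse ls -l style lines (with a seconds-precision timestamp) into Entry objects."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines or anything that is not a file line
        mode = m.group("mode")
        entries.append(Entry(m.group("path"), mode, m.group("owner"),
                             m.group("group"), mode.endswith("+")))
    return entries


def posix_readable(entry: Entry, user_groups: Iterable[str]) -> bool:
    """True if the plain mode bits alone grant read to a non-owner in user_groups.

    Mode string layout: [type][user rwx][group rwx][other rwx], so index 4 is the
    group read bit and index 7 the other read bit.
    """
    if entry.group in set(user_groups):
        return entry.mode[4] == "r"
    return entry.mode[7] == "r"


def audit(entries: List[Entry], user_groups: Iterable[str] = ("domusers",)) -> Dict[str, str]:
    """Classify each file from the point of view of a domain user in user_groups.

    posix-readable: the mode bits grant read, no ACL lookup needed.
    acl-only:       mode bits do not grant read, but a "+" says extended ACL entries
                    exist; run getfacl on the file to see whether they grant access.
    unreadable:     no read via mode bits and no extended ACL at all.
    """
    groups = tuple(user_groups)
    result: Dict[str, str] = {}
    for e in entries:
        if posix_readable(e, groups):
            result[e.path] = "posix-readable"
        elif e.has_acl:
            result[e.path] = "acl-only"
        else:
            result[e.path] = "unreadable"
    return result


def summarize(classified: Dict[str, str]) -> Dict[str, int]:
    """Count files per classification."""
    counts: Dict[str, int] = {}
    for status in classified.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    report = audit(entries)
    for path, status in report.items():
        print(f"{status:15s} {path}")
    print(summarize(report))
```

On a real DC the same parser can be fed the output of `find /var/lib/samba/sysvol -type f -exec ls -l --time-style=+'%Y-%m-%d %H:%M:%S' {} +`; every file reported as "acl-only" is worth a `getfacl` to see what the hidden entries actually grant, and the "unreadable" set (here the group-'users' GPT.INI without a "+") is the one that matches the post's "Access denied" symptom for a domusers member.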
