[Samba] Fixing sysvol permissions
Rowland Penny
rpenny at samba.org
Tue Jun 19 17:29:58 UTC 2018
On Tue, 19 Jun 2018 12:52:46 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
> Given no responses on this question for a few days, I'm concluding
> that we're out of ideas on this problem. Let me propose a couple of
> ideas. Apparently, the basic Windows FOLDER and SHARE permissions
> are correct according to Louis' recommendations (see message below).
> One thing I've noticed that is a bit puzzling is the group ownership
> of these policy files:
>
> -rwxrwxr-x+ 1 3000000 domusers 2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
> -rwxrwx---+ 1 3000000 users 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
> -rwxrwx--- 1 3000000 users 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
> -rwxrwxrwx 1 root root 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
> -rwxrwx--- 1 3000000 users 104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
> -rwxrwx--- 1 3000000 domusers 142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
> -rwxrwx---+ 1 3000008 HPRS\domain admins 23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
>
> They are variously owned by groups "domusers" (10000),
Where did 'domusers' come from?
By default all users are members of 'Domain Users' and this is the
group you should have given '10000' to.
root at dc4:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000::/home/rowland:/bin/bash
root at dc4:~# getent group 10000
SAMDOM\domain users:x:10000:
> "users" (100),
This is from idmap.ldb where 'Domain Users' is mapped to the Unix group
'users' (ID 100) if 'Domain Users' isn't given a gidNumber.
> root (only the one shown), and "HPRS/domain admins" (3000008). The
> vast majority of these files belong to group 'users' including the
> specific files that are giving me the 'Access denied' Windows event.
Hmm, I wonder if this is because Windows does not know who the Unix group
'users' is?
> 'users' is one of the ubiquitous default groups created when Linux is
> installed.
As I said above, 'users' is a Unix group.
> I believe it's also the default group when 'adduser' is
> run to add a user.
No, the default is to create a usergroup with the same name as the user.
> Almost all of these files belonging to group
> 'users' have rwxrwx--- permissions (no extended attributes).
The group 'users' has no meaning to Windows; it is a Unix group that
appears only on a Samba AD DC. It is better to use 'Domain Users'
instead, especially in Sysvol.
>
> Could this be a problem? Should these files belong to some other
> group? The users themselves belong to 'domusers' (10000) which is the
> group assigned to all domain users.
Again I ask why? There is no need to create such a group in Samba AD,
just give 'Domain Users' a gidNumber and use this instead.
> Perhaps higher level extended
> attributes are supposed to handle access, but I don't see how a user
> belonging to group 'domusers' can read any of these files belonging
> to group 'users' (except possibly that first one listed having o+rx
> and extended attributes). Should I change all these group 'users' to
> group 'domusers'?
No, you should change 'users' and 'domusers' to 'Domain Users' ;-)
>
> Thought 2: If I shouldn't do that, or that doesn't help should I try
> setting 'acl_xattr:ignore system acls = yes'?
Only if you have no Unix clients.
Rowland
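A quick way to check a sysvol tree for the problem Rowland describes (files group-owned by Unix-only groups such as 'users' or a hand-made 'domusers' rather than an AD group). This is an added example, not code from the thread or from Samba; the listing inside it is constructed sample data modelled on Mark's `ls` output, and the set of acceptable groups ('Domain Users', 'Domain Admins', 'Administrators') is an assumption you should adjust to your domain.

```shell
#!/bin/sh
# Audit which Unix groups own files under sysvol and flag any that are not AD
# groups. 'users' (gid 100) and a hand-made 'domusers' mean nothing to Windows;
# only AD groups such as 'Domain Users' / 'Domain Admins' should own sysvol files.
#
# Expected input: one "group:path" line per file, e.g. produced on the DC by
#   find /var/lib/samba/sysvol -printf '%g:%p\n'
# A Unix group name cannot contain ':', so splitting on the first ':' is safe
# even if the path itself contains further colons.
# Constructed sample data modelled on the listing in the thread:
SYSVOL_LISTING='domusers:/var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
users:/var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
users:/var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
root:/var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
users:/var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
domusers:/var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
HPRS\domain admins:/var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI'

# Returns 0 if the group is an AD group acceptable on sysvol (assumed list).
# The optional "DOMAIN\" prefix winbind prints is stripped; match is case-insensitive.
is_ad_group() {
  g=${1##*\\}
  g=$(printf '%s' "$g" | tr '[:upper:]' '[:lower:]')
  case "$g" in
    'domain users'|'domain admins'|'administrators') return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "group:path" lines on stdin, prints every offending entry and returns 1
# if any Unix-only group owns a sysvol file, 0 otherwise.
audit_sysvol_groups() {
  rc=0
  while IFS=: read -r grp path; do
    [ -n "$grp" ] || continue
    if ! is_ad_group "$grp"; then
      printf '%s -> %s\n' "$grp" "$path"
      rc=1
    fi
  done
  return $rc
}

# Number of offending entries in the constructed listing (6 of the 7 lines).
count_offenders() {
  printf '%s\n' "$SYSVOL_LISTING" | audit_sysvol_groups | wc -l | tr -d ' '
}

count_offenders
```

On a real DC, feed the output of the `find` command shown in the comment into `audit_sysvol_groups` instead of the sample listing; anything it prints is a candidate for the 'Domain Users' fix Rowland suggests.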