[Samba] Fixing sysvol permissions

Rowland Penny rpenny at samba.org
Tue Jun 19 17:29:58 UTC 2018


On Tue, 19 Jun 2018 12:52:46 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> Given no responses on this question for a few days, I'm concluding
> that we're out of ideas on this problem.  Let me propose a couple of
> ideas.  Apparently, the basic Windows FOLDER and SHARE permissions
> are correct according to Louis' recommendations (see message below).
> One thing I've noticed that is a bit puzzling is the group ownership
> of these policy files:
> 
> -rwxrwxr-x+ 1 3000000 domusers            2240 2018-06-18 17:33:55 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/User/Documents & Settings/fdeploy1.ini
> -rwxrwx---+ 1 3000000 users                 64 2018-06-18 17:34:22 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/GPT.INI
> -rwxrwx---  1 3000000 users                 59 2015-05-15 14:22:44 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/GPT.INI
> -rwxrwxrwx  1 root    root                 199 2015-05-21 14:42:59 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/Startup/addadmins.bat
> -rwxrwx---  1 3000000 users                104 2015-05-15 14:22:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Scripts/scripts.ini
> -rwxrwx---  1 3000000 domusers             142 2016-01-19 17:04:23 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
> -rwxrwx---+ 1 3000008 HPRS\domain admins    23 2016-01-23 16:03:46 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
> 
> They are variously owned by groups "domusers" (10000),

Where did 'domusers' come from ?
By default all users are members of 'Domain Users' and this is the
group you should have given '10000' to.

root at dc4:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000::/home/rowland:/bin/bash
root at dc4:~# getent group 10000
SAMDOM\domain users:x:10000:

> "users" (100),

This is from idmap.ldb where 'Domain Users' is mapped to the Unix group
'users' (ID 100) if 'Domain Users' isn't given a gidNumber.

> root (only the one shown), and "HPRS\domain admins" (3000008).  The
> vast majority of these files belong to group 'users' including the
> specific files that are giving me the 'Access denied' Windows event.

Hmm, I wonder if this is because Windows does not know who the Unix group
'users' is?

> 'users' is one of the ubiquitous default groups created when Linux is
> installed.

As I said above, 'users' is a Unix group.  

> I believe it's also the default group when 'adduser' is
> run to add a user.

No, the default is to create a usergroup with the same name as the user.

>  Almost all of these files belonging to group
> 'users' have rwxrwx--- permissions (no extended attributes). 

The group 'users' has no meaning to Windows, it is a Unix group that
appears only on a Samba AD DC, it is better to use 'Domain Users'
instead, especially in Sysvol.

> 
> Could this be a problem? Should these files belong to some other
> group? The users themselves belong to 'domusers' (10000) which is the
> group assigned to all domain users.

Again I ask why? There is no need to create such a group in Samba AD,
just give 'Domain Users' a gidNumber and use this instead.

>  Perhaps higher level extended
> attributes are supposed to handle access, but I don't see how a user
> belonging to group 'domusers' can read any of these files belonging
> to group 'users' (except possibly that first one listed having o+rx
> and extended attributes).  Should I change all these group 'users' to
> group 'domusers'?

No, you should change 'users' and 'domusers' to 'Domain Users' ;-)
 
> 
> Thought 2: If I shouldn't do that, or that doesn't help should I try
> setting 'acl_xattr:ignore system acls = yes'?

Only if you have no Unix clients.

Rowland
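
The re-grouping Rowland describes (put 'Domain Users' on a gidNumber, then move every sysvol file off the Unix-only groups 'users' and 'domusers') is easy to get half-done by hand, so here is an added example of how to audit and script it. This is not code from the thread or from the Samba project. It assumes GNU find (for -printf), that winbind returns AD groups with a 'DOMAIN\' prefix (so 'winbind use default domain = yes' is not set; the listing above shows 'HPRS\domain admins' in that form), and that 'Domain Users' already has a gidNumber, since chgrp cannot otherwise resolve the name. The SYSVOL and DOMAIN_USERS defaults and the sample listing in the usage note are constructed for illustration:

```shell
#!/usr/bin/env bash
# Added example (not from the original thread or from Samba itself): audit
# group ownership under sysvol on a Samba AD DC and emit the chgrp commands
# that move files off Unix-only groups ('users', a hand-made 'domusers') onto
# 'Domain Users'.
# Assumptions: GNU find (-printf); winbind resolves AD groups with a
# 'DOMAIN\' prefix (no 'winbind use default domain = yes'); 'Domain Users'
# already has a gidNumber, otherwise chgrp cannot resolve the name.
set -u

SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"
DOMAIN_USERS="${DOMAIN_USERS:-domain users}"   # the name chgrp hands to winbind

# classify_group NAME GID -> ad | unix | unresolved
classify_group() {
    local name="$1" gid="$2"
    case "$name" in
        *\\*)   echo ad ;;          # 'HPRS\domain admins': resolved by winbind
        "$gid") echo unresolved ;;  # find prints the bare gid when no name maps
        *)      echo unix ;;        # 'users' (100), 'root', a local 'domusers'
    esac
}

# audit_listing: reads "GID<TAB>GROUP<TAB>PATH" lines (what
# find -printf '%G\t%g\t%p\n' emits) on stdin and prints
# "CLASS<TAB>GROUP<TAB>PATH" for every entry not already on an AD group.
# Tab-delimited because group names ('domain admins') and sysvol paths
# ('Documents & Settings') both contain spaces.
audit_listing() {
    local gid name path class
    while IFS=$'\t' read -r gid name path; do
        [ -n "$path" ] || continue
        class=$(classify_group "$name" "$gid")
        [ "$class" = ad ] && continue
        printf '%s\t%s\t%s\n' "$class" "$name" "$path"
    done
}

# fix_listing: turns audit output into shell-quoted chgrp commands. They are
# printed, not executed, so they can be reviewed before being piped into bash.
fix_listing() {
    local class name path
    while IFS=$'\t' read -r class name path; do
        printf 'chgrp -- %q %q\n' "$DOMAIN_USERS" "$path"
    done
}

# audit_sysvol: the live run on a DC. Not invoked at load time, so the
# functions above can be sourced and exercised offline.
audit_sysvol() {
    getent group "$DOMAIN_USERS" >/dev/null 2>&1 || {
        echo "'$DOMAIN_USERS' has no gidNumber yet; give it one before re-grouping sysvol" >&2
        return 1
    }
    find "$SYSVOL" -printf '%G\t%g\t%p\n' | audit_listing | fix_listing
}
# On the DC:   audit_sysvol          # review the generated chgrp lines
#              audit_sysvol | bash   # apply them
#              samba-tool ntacl sysvolcheck
```

Fed the listing from the original post, audit_listing reports the 'users', 'domusers' and 'root' entries and skips the 'HPRS\domain admins' one; a gid that prints as a bare number (no name in /etc/group, idmap.ldb or winbind) is reported as unresolved rather than silently re-grouped. If the DC does use 'winbind use default domain = yes', the prefix test in classify_group has to be replaced with a lookup such as wbinfo --gid-to-sid, because AD groups then appear without a 'DOMAIN\' prefix.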


