Lenard Fudala
2017-Feb-15 22:47 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
The following wiki pages have varying suggestions on what to use for Windows ACLs on a Samba share. https://wiki.samba.org/index.php/Implementing_roaming_profiles https://wiki.samba.org/index.php/User_Home_Folders https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs The different suggestions on the referenced wiki pages, without explanation of the choices, causes a lot of confusion. Most importantly, they reference each other without clarifying exactly what parts to use from the other pages. The goal here is Roaming Profiles and Folder Redirection, each with its own share. Samba 4.3.11 on Ubuntu 16.04.2 with Windows 7 clients for now, Windows 10 eventually. What I've managed to come up with for share permissions: Authenticated Users - Read - Change (can't create directory without) Domain Admins - Full control For the ACLs on the root folder of the share: CREATOR OWNER - Subfolders and files only - Full Control Domain Admins - This folder, subfolders, and files - Full Control Authenticated Users - This folder only - Traverse folder/execute file, List folder/read data, Create folder/append data The majority of the guides outside of the wiki suggest Windows wants to see SYSTEM in the ACL list with Full Control. So far, in isolated testing, my permissions work fine. Is there any need for this extra ACL that may not be obvious currently? -Lenard
Marc Muehlfeld
2017-Feb-16 06:30 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
Hi Lenard, Am 15.02.2017 um 23:47 schrieb Lenard Fudala via samba:> The majority of the guides outside of the wiki suggest Windows wants to see > SYSTEM in the ACL list with Full Control. So far, in isolated testing, my > permissions work fine. Is there any need for this extra ACL that may not be > obvious currently? > -LenardOn Windows, the SYSTEM account is used by services on the local host (in your case, the local host is your Samba server). For example, virus scanners might use it to get access to all files. However, there is nothing on your Samba server that uses the SYSTEM account. Thus it makes no difference if you add it or not. Regards, Marc
Lenard Fudala
2017-Feb-16 14:36 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
Thanks Marc. That's the assumption I was leaning towards, just couldn't find any validation. Much appreciated. -Lenard On Thu, Feb 16, 2017 at 12:30 AM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:> Hi Lenard, > > Am 15.02.2017 um 23:47 schrieb Lenard Fudala via samba: > > The majority of the guides outside of the wiki suggest Windows wants to > see > > SYSTEM in the ACL list with Full Control. So far, in isolated testing, my > > permissions work fine. Is there any need for this extra ACL that may not > be > > obvious currently? > > -Lenard > > > On Windows, the SYSTEM account is used by services on the local host (in > your case, the local host is your Samba server). For example, virus > scanners might use it to get access to all files. However, there is > nothing on your Samba server that uses the SYSTEM account. Thus it makes > no difference if you add it or not. > > Regards, > Marc > >
Rowland Penny
2017-Feb-16 14:47 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
On Thu, 16 Feb 2017 07:30:03 +0100 Marc Muehlfeld via samba <samba at lists.samba.org> wrote:> > On Windows, the SYSTEM account is used by services on the local host > (in your case, the local host is your Samba server). For example, > virus scanners might use it to get access to all files. However, > there is nothing on your Samba server that uses the SYSTEM account. > Thus it makes no difference if you add it or not. >Marc, You might want to re-consider that statement, SYSTEM is used extensively in sysvol. Rowland
Apparently Analagous Threads
- Windows ACL clarification for Roaming Profiles share
- Windows ACL clarification for Roaming Profiles share
- Avoiding uid conflicts between rfc2307 user/groups and computers
- Avoiding uid conflicts between rfc2307 user/groups and computers
- Deploy software in fileserver folder