Rowland Penny
2017-Feb-16 16:27 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
On Thu, 16 Feb 2017 17:13:25 +0100 Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> What uses the SYSTEM principal on the Sysvol share?

Not sure if anything actually uses SYSTEM on Unix, probably not. However, SYSTEM is used in sysvol and Windows expects it.

> Is it really used (by what?) or do we just have this principal in the
> ACLs to be consistent with a Windows DC?

The pages the OP referred to, including the profiles page, don't seem to agree with what the Windows machines expect, see here for profiles:

https://technet.microsoft.com/en-us/library/jj649079%28v=ws.11%29.aspx

Rowland
Marc Muehlfeld
2017-Feb-17 06:58 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
On 16.02.2017 at 17:27, Rowland Penny via samba wrote:

>> What uses the SYSTEM principal on the Sysvol share?
>
> Not sure if anything actually uses SYSTEM on Unix, probably not.

It's a Samba DC built-in account, thus I'm sure nothing outside Samba uses it. Neither does Samba. Samba uses root privileges to access files, if necessary.

> However, SYSTEM is used in sysvol and Windows expects it.

Clients, who are accessing the share, do not require it to be set on the local filesystem the share uses on the server, because SYSTEM is a local principal on each host (in this case, the DC that hosts the sysvol share).

The sysvol share works also if you remove the SYSTEM principal. The principal is used, as everywhere else, to enable e.g. local services that use the SYSTEM account, to access the content on the local file system. That's why it is usually added to file system ACLs everywhere on Windows, but it's nothing Windows expects nor requires.

For this reason, if you remove SYSTEM from the Sysvol's file system ACLs, the share works completely the same. Regardless if you do this on a Windows or on a Samba DC.

Regards,
Marc
Rowland Penny
2017-Feb-17 09:28 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
On Fri, 17 Feb 2017 07:58:58 +0100 Marc Muehlfeld <mmuehlfeld at samba.org> wrote:

> On 16.02.2017 at 17:27, Rowland Penny via samba wrote:
>
> > However, SYSTEM is used in sysvol and Windows expects it.
>
> Clients, who are accessing the share, do not require it to be set on
> the local filesystem the share uses on the server, because SYSTEM is
> a local principal on each host (in this case, the DC that hosts the
> sysvol share).
>
> The sysvol share works also if you remove the SYSTEM principal. The
> principal is used, as everywhere else, to enable e.g. local services
> that use the SYSTEM account, to access the content on the local file
> system. That's why it is usually added to file system ACLs everywhere
> on Windows, but it's nothing Windows expects nor requires.
>
> For this reason, if you remove SYSTEM from the Sysvol's file system
> ACLs, the share works completely the same. Regardless if you do this
> on a Windows or on a Samba DC.

So, I give you a link to a Microsoft page that shows what accounts are required for the profiles share and you choose to ignore it ????

Rowland