Rowland Penny
2017-Feb-17 09:28 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
On Fri, 17 Feb 2017 07:58:58 +0100 Marc Muehlfeld <mmuehlfeld at samba.org> wrote:> Am 16.02.2017 um 17:27 schrieb Rowland Penny via samba: > > > However, SYSTEM is used in sysvol and Windows expects it. > > Clients, who are accessing the share, do not require it to be set on > the local filesystem the share uses on the server, because SYSTEM is > a local principal on each host (in this case, the DC that hosts the > sysvol share). > > The sysvol share works also if you remove the SYSTEM principal. The > principal is used, as everywhere else, to enable e. g. local services > that use the SYSTEM account, to access the content on the local file > system. That's why it is usually added to file system ACLs everywhere > on Windows, but it's nothing Windows expects nor requires. > > For this reason, if you remove SYSTEM from the Sysvol's file system > ACLs, the share works completely the same. Regardless if you do this > on a Windows or on a Samba DC. >So, I give you a link to a Microsoft page that shows what accounts are required for the profiles share and you choose to ignore it ???? Rowland
Marc Muehlfeld
2017-Feb-17 23:28 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
Am 17.02.2017 um 10:28 schrieb Rowland Penny via samba:> So, I give you a link to a Microsoft page that shows what accounts are > required for the profiles share and you choose to ignore it ????Yes, because 1.) It might be necessary _locally_ on the Windows DC because some _local_ services (e. g. Virus scanners, etc) may access the files _locally_ _on the DC itself_. However if anything on the client (the OS or a user) would access the share using the SYSTEM privilege, then "full control" is surely not the permission you grant to the SYSTEM account to all files including subfolders. :-) 2.) This page justs list a bunch of accounts without explaining why it should be a requirement. Nor it says that it won't work without. 3.) If SYSTEM would be a requirement on the profiles or any other share for a Windows client, then shares using POSIX ACLs would not work at all. My profile share hosted on my DC works perfectly without SYSTEM account here. I never added the account to the ACLs because it makes no sense (at least not on a Samba host). And the share works like expected, because nothing on the client access the share using the SYSTEM account, nor does Samba locally on the server. If you still don't believe me, try it: - Remove the SYSTEM account from the ACLs on your profiles share. - Log in using a new domain user account that has a profile path set. - Log out. The user's profile folder is uploaded to the share. - Log in again. - Create a file on the desktop - Logout. You see the file is uploaded to the server. If you want to extend this exercise: - Log in using a local account, delete the local copy of the profile (System properties / User profile settings. Do not just delete the folder. This won't work since Vista) - Log out - Log in using the domain account you used before. - You see the profile was downloaded again from the server, including the file you stored on the desktop. Regards, Marc
Rowland Penny
2017-Feb-18 09:50 UTC
[Samba] Windows ACL clarification for Roaming Profiles share
On Sat, 18 Feb 2017 00:28:14 +0100 Marc Muehlfeld <mmuehlfeld at samba.org> wrote:> > Yes, because > 1.) It might be necessary _locally_ on the Windows DC > because some _local_ services (e. g. Virus scanners, > etc) may access the files _locally_ _on the DC itself_. > However if anything on the client (the OS or a user) > would access the share using the SYSTEM privilege, > then "full control" is surely not the permission > you grant to the SYSTEM account to all files including > subfolders. :-)What you say has some validity, but people have been known to run a virus scanner on Linux machines, just to scan windows files.> 2.) This page justs list a bunch of accounts without > explaining why it should be a requirement. Nor it > says that it won't work without.You could say the same about the Samba wiki page.> 3.) If SYSTEM would be a requirement on the profiles > or any other share for a Windows client, then > shares using POSIX ACLs would not work at all.I fail to see why they wouldn't> > If you still don't believe me, try it:I believe it works for you without SYSTEM, but I thought that the Samba AD DC was supposed to be compatible with a Windows DC and as such, it should be set up in the same way. Rowland
Possibly Parallel Threads
- Windows ACL clarification for Roaming Profiles share
- Windows ACL clarification for Roaming Profiles share
- Windows ACL clarification for Roaming Profiles share
- Windows ACL clarification for Roaming Profiles share
- Windows ACL clarification for Roaming Profiles share