similar to: Security descriptors options of Group Policies

On Thu, 2 May 2024 12:07:13 +0200 Jakob Curdes via samba <samba at lists.samba.org> wrote: > Hello all, to return to the original topic: > > My original problem was that I could not edit GP objects with the GP > Editor, even as Domain admin. I always got "access denied". A > sysvolcheck returned no errors and the Windows "Security" tab for the >

Hello all, to return to the original topic: My original problem was that I could not edit GP objects with the GP Editor, even as Domain admin. I always got "access denied". A sysvolcheck returned no errors and the Windows "Security" tab for the object in question on the sysvol share looked correct. I now found out that the group id of the sysvol folder (and everything

Hai,   Here you go my output of the R2008R2. (64bit)   1) original GPO from the install ( the domain controller policy ) Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9} Owner  : BUILTIN\Administrators Group  : NT AUTHORITY\SYSTEM Access : CREATOR OWNER Allow  268435456          NT AUTHORITY\Authenticated Users

Hi folks, I''ve got most everything done for the pure Ruby version of win32-file. The last thing left (since I''ll be moving the IO methods to a different package eventually) is the file security stuff. Here''s what I''ve got so far for the get_permissions method. However, I''m stuck at GetAce(). If someone could help me finish up this method, I

On 6/22/2017 9:41 AM, Anantha Raghava via samba wrote: > Hi, > > No solutions to get out of this? > Not sure exactly what your issue is but based on your error Samba is reporting the following on that particular Policy; * Lost Allow Object and Container inheritance on each ACE. * Create Owner missing ACE and you have Built in Administrators with an ACE * You have the

On 1/31/24 11:19, Rowland Penny via samba wrote: > When I logged into Windows and connected to a share that has > 'acl_xattr:ignore system acls = yes' set and right clicked on its icon > in Explorer and selected 'Properties', I found that 'EVERYONE' was > listed. I removed 'EVERYONE', clicked 'Apply' then 'OK', which > completed

On Wed, 31 Jan 2024 10:09:53 +0100 Ralph Boehme via samba <samba at lists.samba.org> wrote: > On 1/31/24 09:50, Peter Milesson via samba wrote: > > The crucial problem here is, that Everyone (yes, really everyone) > > can write to the root share. > > why don't you just change it? That's how it's supposed to work. > > -slow > It might be

On Wed, 31 Jan 2024 11:53:44 +0100 Ralph Boehme <slow at samba.org> wrote: > On 1/31/24 11:19, Rowland Penny via samba wrote: > > When I logged into Windows and connected to a share that has > > 'acl_xattr:ignore system acls = yes' set and right clicked on its > > icon in Explorer and selected 'Properties', I found that 'EVERYONE' > > was

On 1/31/24 09:50, Peter Milesson via samba wrote: > The crucial problem here is, that Everyone (yes, really everyone) can > write to the root share. why don't you just change it? That's how it's supposed to work. -slow -- SerNet Samba Team Lead https://samba.plus/ Samba Team Member https://samba.org/ SAMBA+ packages https://samba.plus/ SerNet

Hi, We have been consistently having issues with GPO and they are not consistent. We are using version 4.6.3 with BIND DNS Backend. As suggested in some of our previous communications, when we run the samba-tool ntacl sysvolcheck it results in the error as detailed below. [root at dc1 ~]# samba-tool ntacl sysvolcheck lp_load_ex: refreshing parameters Initialising global parameters rlimit_max:

I am getting a permission denied when trying to ls as a domain user a samba mount with windows ACLs (sigh I thought I had this figured out).? I tried to include self descriptive server names and include them in the info below (fs1: file server, nc: addc, u2gui: ubuntu desktop) CARLSON\peter at u2gui:~$ ls -l /mnt ls: cannot access '/mnt/test': Permission denied total 0

I have a Centos 3 server running Samba 3.0.28. It's a member of an AD domain on a Windows Server 2003 R2 Standard x64 SP2 box. From the W2K3 server I can see the samba share I created. Using the Security tab in the Windows Explorer file properties dialog I can add and remove users and change their permissions. However, in the Permissions tab of the Advanced Security Settings dialog,

Hello, im trying to setup a share using windows acls. I followed the step ins https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs but hanging at "Adding a Share" # mkdir -p /srv/samba/Demo/ # chown root:"Domain Admins" /srv/samba/Demo/ *--> chown: ungültige Gruppe: »root:Domain Admins“* # net rpc rights list privileges SeDiskOperatorPrivilege -U

Well, we are getting somewere...;) >It is probably 'greyed' out because no Windows tools use it or will add it. You will probably need to use Unix tools (ldb or ldap) to remove>them, but you can if you so wish ignore them. What you should never do is to rely on them being there, because they may or may not be there.Ok, I'll let it be there> You need to remove the gidNumber

On Tue, 7 Mar 2017 10:26:03 -0800 Kris Lou via samba <samba at lists.samba.org> wrote: > Hang on, can you explain this a little further? I thought that Domain > Admins was issued gidNumber 512 by default. In addition, sysvolreset > is not recommended to fix potential SysVol replication problems with > GPO perms? > No Domain Admins doesn't get gidNumber 512 by default,

Thank you very much for clarifying the ID mapping "magic";) > You do not need 'posixgroup', it is an auxiliary objectclass of group, you can add any of the rfc2307 attributes without it. Well, is there any option to remove it? Because "posixgroup" is on every group that was migrated from Samba 3. And I cannot edit this attribute in ADUC (delete button is grayed).

Hi, I have been having problems with GPOs, sysvol, etc. for some time now, and have found a workaround but I wondered if any of the samba devs were interested in investigating this. Basically, the problems manifest themselves as access errors, along the lines of unable to read files, error messages such as 'The data area passed to a system call is too small' and so on - which means that

On Wed, 2024-05-22 at 21:05 -0700, Jeremy Allison wrote: > On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba > wrote: > > After 23 years answering questions here, I figure it might be time > > for > > me to ask one. > > > > As mentioned here: > > https://lists.samba.org/archive/samba-technical/2024-May/138969.html > > I > >

On Thu, May 23, 2024 at 09:42:53AM +1200, Andrew Bartlett via samba wrote: >After 23 years answering questions here, I figure it might be time for >me to ask one. > >As mentioned here: >https://lists.samba.org/archive/samba-technical/2024-May/138969.html I >am working with a client to improve a Go SMB client library. > >They want to manipulate ACLs on SMB, which is a very

> root at localhost:~# getfacl /home/samba/users/ > getfacl: Removing leading '/' from absolute path names > # file: home/samba/users/ > # owner: root > # group: root > user::rwx > group::rwx > other::rwx > root at localhost:~# samba-tool ntacl get /home/samba/users --as-sddl >