
Re: [Samba] Windows ACL clarification for Roaming Profiles share




On 17.02.2017 at 10:28, Rowland Penny via samba wrote:
> So, I give you a link to a Microsoft page that shows what accounts are
> required for the profiles share and you choose to ignore it ????

Yes, because
1.) It might be necessary _locally_ on the Windows DC
    because some _local_ services (e. g. Virus scanners,
    etc) may access the files _locally_ _on the DC itself_.
    However if anything on the client (the OS or a user)
    would access the share using the SYSTEM privilege,
    then "full control" is surely not the permission
    you grant to the SYSTEM account to all files including
    subfolders. :-)
2.) This page just lists a bunch of accounts without
    explaining why it should be a requirement. Nor does
    it say that it won't work without.
3.) If SYSTEM would be a requirement on the profiles
    or any other share for a Windows client, then
    shares using POSIX ACLs would not work at all.


My profile share hosted on my DC works perfectly without SYSTEM account here. I never added the account to the ACLs because it makes no sense (at least not on a Samba host). And the share works as expected, because nothing on the client accesses the share using the SYSTEM account, nor does Samba locally on the server.


If you still don't believe me, try it:
- Remove the SYSTEM account from the ACLs on your profiles share.
- Log in using a new domain user account that has a profile path set.
- Log out. The user's profile folder is uploaded to the share.
- Log in again.
- Create a file on the desktop.
- Log out. You see the file is uploaded to the server.
If you want to extend this exercise:
- Log in using a local account, delete the local copy of
  the profile (System properties / User profile settings.
  Do not just delete the folder. This won't work since Vista)
- Log out
- Log in using the domain account you used before.
- You see the profile was downloaded again from the server,
  including the file you stored on the desktop.

Regards,
Marc
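
An added example, not part of the original message: a small Python check that confirms the first step of the test above (SYSTEM removed from the profiles share ACL) by parsing the share's DACL from an SDDL string. It assumes the ACL has already been exported as SDDL (for instance with `samba-tool ntacl get --as-sddl`); the two sample ACLs and all function names are constructed for illustration.

```python
import re

# Access-mask values for the SDDL right codes commonly seen on file shares.
RIGHTS = {
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
}
FULL_CONTROL = RIGHTS["FA"]
SYSTEM = {"SY", "S-1-5-18"}  # SDDL alias and literal SID of Local System

def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights field: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]  # KeyError on a code not in the table
    return mask

def dacl_aces(sddl):
    """Return (type, flags, mask, trustee) for each ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []  # no DACL section, or a DACL without ACEs
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append((fields[0], fields[1], parse_mask(fields[2]), fields[5]))
    return aces

def system_grants(sddl):
    """Allow ACEs naming SYSTEM as (flags, mask, is_full_control)."""
    return [(flags, mask,
             (mask & FULL_CONTROL) == FULL_CONTROL or bool(mask & RIGHTS["GA"]))
            for typ, flags, mask, sid in dacl_aces(sddl)
            if typ == "A" and sid in SYSTEM]

# Constructed sample ACLs for a profiles share, before and after the first step.
BEFORE = "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)(A;;0x1200a9;;;DU)"
AFTER = "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;;0x1200a9;;;DU)"

if __name__ == "__main__":
    for name, sddl in (("before", BEFORE), ("after", AFTER)):
        print(name, system_grants(sddl) or "no SYSTEM ACE")
```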
