
Re: [Samba] Windows ACL clarification for Roaming Profiles share




On 18.02.2017 at 10:50, Rowland Penny via samba wrote:
>> Yes, because
>> 1.) It might be necessary _locally_ on the Windows DC
>>     because some _local_ services (e. g. virus scanners,
>>     etc.) may access the files _locally_ _on the DC itself_.
>>     However, if anything on the client (the OS or a user)
>>     would access the share using the SYSTEM privilege,
>>     then "full control" is surely not the permission
>>     you grant to the SYSTEM account to all files including
>>     subfolders. :-)
>
> What you say has some validity, but people have been known to run a
> virus scanner on Linux machines, just to scan Windows files.

The virus scanner can use _any_ account on the local machine. If it must access all files, start the job as "root". Or you create a new account that is part of the ACLs and use this one.

I would avoid using a Samba internal account for that. If Samba is down, NSS not configured correctly, etc. the job would fail.

However, and this is the main reason, you can't use the SYSTEM account in the OS. Have you tried to "su" to this account? Maybe it's possible with some hack after you manually edit the database and assign a UID, etc., but this account appears nowhere in the user account management, unlike on Windows.




>> 2.) This page just lists a bunch of accounts without
>>     explaining why it should be a requirement. Nor does
>>     it say that it won't work without it.
>
> You could say the same about the Samba wiki page.

Yes I know, but I haven't rewritten the Profiles page yet.

When I rewrote the "User Home Folder" page, I omitted SYSTEM in the list of Windows ACLs (and of course it was never part of the POSIX ACLs in this guide). However, I saw no reason to explain things that I don't tell the user to set and that are not necessary. If you follow the guide, you get everything you need for a fully working share.




>> 3.) If SYSTEM were a requirement on the profiles
>>     or any other share for a Windows client, then
>>     shares using POSIX ACLs would not work at all.
>
> I fail to see why they wouldn't.

If you argue that the SYSTEM account must exist in the ACLs of a profile share's file system, then the following shared folder would fail, because only root and "Domain Users" are part of the ACLs:

$ ls -la /srv/samba/profiles -d
drwxr-s--- 21 root "Domain Users" 4096 15. Feb 19:10 /srv/samba/profiles

However, it works.





>> If you still don't believe me, try it:
>
> I believe it works for you without SYSTEM, but I thought that the Samba
> AD DC was supposed to be compatible with a Windows DC and as such, it
> should be set up in the same way.

That's why it is part of the Sysvol share's file system ACLs. To be consistent. However, this is only to be _consistent_. It has nothing to do with being _compatible_ in this case.



Regards,
Marc
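The layout Marc shows for the POSIX-ACL profile share (owner root, group "Domain Users", mode drwxr-s---, and nothing else) can be created and verified with a short script. This is an added example, not code from the list message or from the Samba wiki; the directory, owner and group are parameters so the functions can be exercised by an unprivileged user on a scratch directory, and it assumes GNU coreutils (`stat -c`) and an `ls` that marks extended ACLs with a trailing `+`.

```shell
#!/bin/sh
# Added example: set up and check a profiles share directory that carries
# only POSIX permissions for its owner and group, as in the ls output in
# the thread (drwxr-s--- root "Domain Users").  Assumes GNU stat -c.

# setup_profiles_share DIR OWNER GROUP
# Owner gets rwx, GROUP gets r-x, others get nothing.  The setgid bit
# makes new per-user profile folders inherit GROUP.  Mode 2750 renders
# as drwxr-s--- in ls.
setup_profiles_share() {
    dir=$1 owner=$2 group=$3
    mkdir -p "$dir" || return 1
    chown "$owner" "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2750 "$dir" || return 1
}

# check_profiles_share DIR OWNER GROUP
# Returns 0 only if mode, owner and group match the expected layout and
# no extended ACL entries (the "+" ls shows after the mode) are present,
# i.e. nothing beyond the owner and group is part of the ACLs.
check_profiles_share() {
    dir=$1 owner=$2 group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "2750" ] || { echo "mode is $mode, want 2750: $dir" >&2; return 1; }
    got_owner=$(stat -c '%U' "$dir")
    [ "$got_owner" = "$owner" ] || { echo "owner is $got_owner, want $owner" >&2; return 1; }
    got_group=$(stat -c '%G' "$dir")
    [ "$got_group" = "$group" ] || { echo "group is $got_group, want $group" >&2; return 1; }
    case $(ls -ld "$dir" | awk '{print $1}') in
        *+) echo "extended ACL entries present on $dir" >&2; return 1 ;;
    esac
    return 0
}

# Stand-alone use on a DC (as root): ./profiles-share.sh --apply
# The path and group below are the ones from the thread; the script name
# is an assumption.
if [ "${1:-}" = "--apply" ]; then
    setup_profiles_share /srv/samba/profiles root "Domain Users" &&
        check_profiles_share /srv/samba/profiles root "Domain Users" &&
        ls -ld /srv/samba/profiles
fi
```

A local scanner that needs to read every profile is then simply started as root (or as an extra user or group you add to the POSIX ACL); no SYSTEM entry is needed for the share to work, which is the point of item 3.) above.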

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba