> Definitely that is where your login scripts and so forth are or the general
> place that you are supposed to put them. I've got to go do some work over at
> a place I have a Samba4 PDC setup tomorrow.
>
> Did you mess with the permissions or don't recall? Was it like that when
> you installed?
>
> I wouldn't allow Everyone to have access. Go the Authenticated Users route
> or maybe Domain Users with read/execute permissions. I'll check all the
> different users on it tomorrow for ya and drop back a line to this thread
> though. There might be a phantom User that only Samba knows about that is
> listed there that might be specific to your install.
>
> It would be nice if someone chimed in here, have been wondering about
> that... ;)
>
> Chris
>

Hi Chris:
It's a recent test installation using Samba4 alpha 17 tar. I have done nothing with the permissions. I haven't even touched smb.conf. I was browsing the content of sysvol in my Samba4 server with a domain user I created and then I tried deleting a file and I could do it, tried with the whole content of sysvol and I could delete all. Then I reinstalled samba and tried again with a new domain user, and could do it again.
The permissions on a Windows 2003 server are as shown below and you're right, only authenticated users should have read and execute permissions. But I tried with a Windows client in a virtual PC against a real Windows 2003 server and surprisingly I could list the content of sysvol in spite of this virtual PC not being a member of the Windows 2003 server domain. That's why I suggested that maybe it would be OK to allow everyone read and execute permissions.

> On Wed, Sep 28, 2011 at 1:55 PM, <fe...@epepm.cupet.cu> wrote:
>
>> > On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote:
>> >>>> On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote:
>> >>>>> Hello.
>> >>>>> I noticed that any domain user can delete the content of the shared
>> >>>>> folder sysvol in the domain controller from a windows client.
>> >>>>>
>> >>>>> How can I avoid that?
>> >>>>>
>> >>>>> Greetings,
>> >>>>> Felix
>> >>>>>
>> >>>> What's the default windows behavior with this ?
>> >>>>
>> >>>> Matthieu.
>> >>>>
>> >>> Windows users              Windows permissions
>> >>> -------------------------------------------------
>> >>> Domain Admins-----------> Full Access
>> >>> Authenticated Users------> Read & Execute, List folder contents, Read
>> >>> CREATOR OWNER-----------> Special permissions (Maybe we don't need this)
>> >>> Server Operators--------> Read & Execute, List folder contents, Read
>> >>> SYSTEM------------------> Full Access
>> >>>
>> >> I think that what is needed here is:
>> >> Domain Admins-------------> Full Access
>> >> and everybody else--------> Read & Execute, List folder contents, Read
>> >>
>> >> I think that GPOs and some scripts are delivered to windows clients
>> >> through sysvol, that's why I don't want any of my users to be able to
>> >> delete the sysvol content.
>> >>
>> >> What should I do to accomplish that goal?
>> > In theory we should have the ACLs ok, I have to check these things but it
>> > won't be before next week I'm at IOLAB with Microsoft this week focusing
>> > on FRS replication.
>> >
>> >
>> > Sorry.
>> >
>> > Matthieu.
>> >
>> I understand. I'll be waiting for an answer.
>> Thanks.
>>
>> Felix.
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba