On 09/10/12 21:18, Ludek Finstrle wrote:
Hello steve,

Tue, Oct 09, 2012 at 05:54:48PM +0200, steve wrote:
On 09/10/12 17:36, steve wrote:
On 08/10/12 18:23, steve wrote:
On 08/10/12 17:40, m...@matws.net wrote:

samba-tool ntacl sysvolreset --use-s3fs

Now no user can enter sysvol:
getfacl sysvol/
# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:3000000:r--
group:3000001:r--
group:3000002:r--
mask::rwx
other::---


Using wbinfo:
3000000 BUILTIN\Server Operators 4
3000001 NT AUTHORITY\SYSTEM 5
3000002 NT AUTHORITY\Authenticated Users 5

but Authenticated Users do not get read access...

Maybe I'm wrong, but in the Unix world you need the x bit to be able to go into the directory.

Luf


Hi Luf, hi everyone
OK, this was the clue I needed.
I set the ACEs to r-x:

setfacl -Rm g:3000000:rx sysvol/
setfacl -Rm g:3000001:rx sysvol/
setfacl -Rm g:3000002:rx sysvol/
setfacl -Rm g::rx sysvol/
setfacl -Rm g:wheel:rx sysvol/
and the same for the default ACEs:
setfacl -d -Rm g:3000000:rx sysvol/
 (...)

The ACEs now look like this:
getfacl sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:r-x
group::r-x
group:wheel:r-x
group:3000000:r-x
group:3000001:r-x
group:3000002:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:3000001:r-x
default:group:3000002:r-x
default:mask::r-x
default:other::---

Conclusion: The sysvol ACLs are not set correctly after running:
samba-tool ntacl sysvolreset
because e.g. authenticated users cannot get into the share to read the GPOs.

Maybe this is just with my distro, openSUSE, as others have not reported any problems.

Could a dev have a look at it? I'm sure I've not set the sysvol ACLs correctly, but at least now folder redirection works.
Cheers,
Steve
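As an added example (not code from the thread): a POSIX sh/awk check that takes getfacl output and flags user, group and mask entries that grant read but not the execute (search) bit, the condition Luf points at, and prints the matching setfacl modification for each. The ACL text is the pre-fix getfacl output quoted above, embedded as a constructed sample; the function names are mine.

```shell
#!/bin/sh
# Constructed sample: the pre-fix getfacl output quoted in this thread.
SAMPLE_ACL='# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:3000000:r--
group:3000001:r--
group:3000002:r--
mask::rwx
other::---'

# Print every user/group/mask entry (access or default) in getfacl-style
# text that grants read but not execute. On a directory the x bit is the
# search permission, so such an entry lets the principal see the name in
# the parent's listing but not enter the directory itself.
find_unsearchable() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || NF == 0 { next }                 # header and blank lines
        {
            kind = ($1 == "default") ? $2 : $1   # strip "default:" prefix
            if (kind != "user" && kind != "group" && kind != "mask") next
            perms = $NF
            if (perms ~ /r/ && perms !~ /x/) print $0
        }'
}

# Emit the (non-recursive) setfacl modification that adds the search bit
# to each flagged entry of directory $2, keeping its other permissions.
suggest_fix() {
    find_unsearchable "$1" | awk -F: -v dir="$2" '
        {
            if ($1 == "default") { opt = "-d -m"; kind = $2; who = $3 }
            else                 { opt = "-m";    kind = $1; who = $2 }
            perms = $NF; gsub(/-/, "", perms)        # "r--" -> "r"
            spec = (kind == "mask") ? "m:" : substr(kind, 1, 1) ":" who ":"
            printf "setfacl %s %s%sx %s\n", opt, spec, perms, dir
        }'
}

find_unsearchable "$SAMPLE_ACL"
suggest_fix "$SAMPLE_ACL" sysvol/
```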
