Re: [Samba] Samba4 and sysvol share
For beginners, I would like to contribute with the steps I followed to make Bind, Ntp and Samba4 work together on Debian Lenny. How can I do it? Make a wiki account, and then let me know the username. Try not to make a duplicate of the main HOWTO, but feel free to create a page with distribution-specific assistance. Andrew Bartlett Thank you. I made an account. Username: felixcarb. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
On Mon, 2011-11-07 at 08:34 -0500, fe...@epepm.cupet.cu wrote: Hello Felix, Sorry for the very late answer, Well I remade a test today, in gpmc.msc (group policy management console), I have no errors from Windows about the ACLs of the folders for my policies. Thanks a lot for your answers, Matthieu and Christopher. It makes me happy to know that you guys don't forget to answer the questions of samba users. My first solution was changing the permissions of the sysvol directory in my linux box to 755 (I think 644 could work too) after defining the policies I needed for my domain. I'm a newbie in Linux and in Samba that's why at the begining I didn't realize that my filesystem did not support the user_xattr option and I had skipped that part of the HowTo. I'm so sorry for taking some of your precious time. Now I'm learning how to compile a kernel to include the needed options and I'm pretty sure that will fix my issue. For beginners, I would like to contribute with the steps I followed to make Bind, Ntp and Samba4 work together on Debian Lenny. How can I do it? Make a wiki account, and then let me know the username. Try not to make a duplicate of the main HOWTO, but feel free to create a page with distribution-specific assistance. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
Hello Felix, Sorry for the very late answer, Well I remade a test today, in gpmc.msc (group policy management console), I have no errors from Windows about the ACLs of the folders for my policies. Thanks a lot for your answers, Matthieu and Christopher. It makes me happy to know that you guys don't forget to answer the questions of samba users. My first solution was changing the permissions of the sysvol directory in my linux box to 755 (I think 644 could work too) after defining the policies I needed for my domain. I'm a newbie in Linux and in Samba that's why at the begining I didn't realize that my filesystem did not support the user_xattr option and I had skipped that part of the HowTo. I'm so sorry for taking some of your precious time. Now I'm learning how to compile a kernel to include the needed options and I'm pretty sure that will fix my issue. For beginners, I would like to contribute with the steps I followed to make Bind, Ntp and Samba4 work together on Debian Lenny. How can I do it? My best wishes for the Samba team and users. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
Alright, here is update Felix. From a default install, at least on the server I set up, sysvol is Authenticated Users(read/execute), Domain Admins(all), System(all). It and all children. As you dive deeper into folder structure there are some more added like Enterprise Admins and so forth(will full privileges). I believe Owner is also one as you get further down and it has no privileges set. Chris Today I downloaded samba4 alpha 17 tar again. I made a new virtual machine and I installed ntp 4.2.6, Bind9 9.8.0 and Samba4 alpha 17 on Debian Lenny. To see the content of sysvol from a Windows client I had to authenticate using a user of my new domain, but again when I checked the Security Tab in sysvol I saw that Everyone has special permissions, meaning Full Access. Does it have something to do with the filesystem support mentioned in the HowTo??? Thanks in advance. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
Alright, here is update Felix. From a default install, at least on the server I set up, sysvol is Authenticated Users(read/execute), Domain Admins(all), System(all). It and all children. As you dive deeper into folder structure there are some more added like Enterprise Admins and so forth(will full privileges). I believe Owner is also one as you get further down and it has no privileges set. Chris On Wed, Sep 28, 2011 at 4:25 PM, Christopher Whitehead cwhitehea...@gmail.com wrote: No problem. That setup I was talking about is running same version of Samba4 that you are. Yea, that is definitely not good if someone could go in there and change what login scripts were run or what they are suppose to do. If it is indeed this way, then definitely nice find on your end. Will have to be reported as config issue or something with Samba4 alpha17. It will probably be after lunch before I can let ya know though. I'm waiting on a monitor to come in for a setup they needed. So right after that gets over here tomorrow will head over there and get back with ya. On Wed, Sep 28, 2011 at 3:41 PM, fe...@epepm.cupet.cu wrote: Definitely that is where your login scripts and so forth are or the general place that you are suppose to put them. I've got to go do some work over at a place I have a Samba4 PDC setup tomorrow. Did you mess with the permissions or don't recall? Was it like that when you installed? I wouldn't allow Everyone to have access. Go the Authenticated Users route or maybe Domain Users with read/execute permissions. I'll check all the different users on it tomorrow for ya and drop back a line to this thread though. There might be a phantom User that only Samba knows about that is listed there that might be specific to your install. It would be nice if someone chimed in here, have been wondering about that... ;) Chris Hi Chris: It's a recent test installation using Samba4 alpha 17 tar. I have done nothing with the permissions. I haven't even touched smb.conf. I was browsing the content of sysvol in my Samba4 server with a domain user I created and then I tried deleting a file and I could do it, tried with the whole content of sysvol and I could delete all. Then I reinstalled samba and tried again with a new domain user, and could do it again. The permission on a Windows 2003 server are as shown below and you're right only authenticated users should have read and execute permissions. But I tried with a windows client in a virtual pc against a real windows 2003 server and surprisingly I could list the content of sysvol in spite of this virtual pc not being a member of the windows 2003 server domain. That's why I suggested that may be it would be ok to allow everyone read and execute permissions. My mistake. Unauthenticated users have no access to sysvol in windows 2003 server. Sorry!!! On Wed, Sep 28, 2011 at 1:55 PM, fe...@epepm.cupet.cu wrote: On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote: On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. Windows users Windows permissions - Domain Admins--- Full Access Authenticated Users-- Read Execute, List folder contents, Read CREATOR OWNER--- Special permissions (Maybe we don't need this) Server Operators Read Execute, List folder contents, Read SYSTEM-- Full Access I think that what it is needed here is: Domain Admins- Full Access and everybody else Read Execute, List folder contents, Read I think that GPOs and some scripts are delivered to windows clients through sysvol, that's why I don't want any of my users to be able to delete the sysvol content. What should I do to accomplish that goal? In theory we should have the ACLs ok, I have to check this things but it won't be before next week I'm at IOLAB with microsoft this week focusing on FRS replication. Sorry. Matthieu. I understand. I'll be waiting for an answer. Thanks. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions:
Re: [Samba] Samba4 and sysvol share
On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. Windows users Windows permissions - Domain Admins--- Full Access Authenticated Users-- Read Execute, List folder contents, Read CREATOR OWNER--- Special permissions (Maybe we don't need this) Server Operators Read Execute, List folder contents, Read SYSTEM-- Full Access I think that what it is needed here is: Domain Admins- Full Access and everybody else Read Execute, List folder contents, Read I think that GPOs and some scripts are delivered to windows clients through sysvol, that's why I don't want any of my users to be able to delete the sysvol content. What should I do to accomplish that goal? Thanks in advance. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote: On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. Windows users Windows permissions - Domain Admins--- Full Access Authenticated Users-- Read Execute, List folder contents, Read CREATOR OWNER--- Special permissions (Maybe we don't need this) Server Operators Read Execute, List folder contents, Read SYSTEM-- Full Access I think that what it is needed here is: Domain Admins- Full Access and everybody else Read Execute, List folder contents, Read I think that GPOs and some scripts are delivered to windows clients through sysvol, that's why I don't want any of my users to be able to delete the sysvol content. What should I do to accomplish that goal? In theory we should have the ACLs ok, I have to check this things but it won't be before next week I'm at IOLAB with microsoft this week focusing on FRS replication. Sorry. Matthieu. -- Matthieu Patou Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote: On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. Windows users Windows permissions - Domain Admins--- Full Access Authenticated Users-- Read Execute, List folder contents, Read CREATOR OWNER--- Special permissions (Maybe we don't need this) Server Operators Read Execute, List folder contents, Read SYSTEM-- Full Access I think that what it is needed here is: Domain Admins- Full Access and everybody else Read Execute, List folder contents, Read I think that GPOs and some scripts are delivered to windows clients through sysvol, that's why I don't want any of my users to be able to delete the sysvol content. What should I do to accomplish that goal? In theory we should have the ACLs ok, I have to check this things but it won't be before next week I'm at IOLAB with microsoft this week focusing on FRS replication. Sorry. Matthieu. I understand. I'll be waiting for an answer. Thanks. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
Definitely that is where your login scripts and so forth are or the general place that you are suppose to put them. I've got to go do some work over at a place I have a Samba4 PDC setup tomorrow. Did you mess with the permissions or don't recall? Was it like that when you installed? I wouldn't allow Everyone to have access. Go the Authenticated Users route or maybe Domain Users with read/execute permissions. I'll check all the different users on it tomorrow for ya and drop back a line to this thread though. There might be a phantom User that only Samba knows about that is listed there that might be specific to your install. It would be nice if someone chimed in here, have been wondering about that... ;) Chris On Wed, Sep 28, 2011 at 1:55 PM, fe...@epepm.cupet.cu wrote: On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote: On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. Windows users Windows permissions - Domain Admins--- Full Access Authenticated Users-- Read Execute, List folder contents, Read CREATOR OWNER--- Special permissions (Maybe we don't need this) Server Operators Read Execute, List folder contents, Read SYSTEM-- Full Access I think that what it is needed here is: Domain Admins- Full Access and everybody else Read Execute, List folder contents, Read I think that GPOs and some scripts are delivered to windows clients through sysvol, that's why I don't want any of my users to be able to delete the sysvol content. What should I do to accomplish that goal? In theory we should have the ACLs ok, I have to check this things but it won't be before next week I'm at IOLAB with microsoft this week focusing on FRS replication. Sorry. Matthieu. I understand. I'll be waiting for an answer. Thanks. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
Definitely that is where your login scripts and so forth are or the general place that you are suppose to put them. I've got to go do some work over at a place I have a Samba4 PDC setup tomorrow. Did you mess with the permissions or don't recall? Was it like that when you installed? I wouldn't allow Everyone to have access. Go the Authenticated Users route or maybe Domain Users with read/execute permissions. I'll check all the different users on it tomorrow for ya and drop back a line to this thread though. There might be a phantom User that only Samba knows about that is listed there that might be specific to your install. It would be nice if someone chimed in here, have been wondering about that... ;) Chris Hi Chris: It's a recent test installation using Samba4 alpha 17 tar. I have done nothing with the permissions. I haven't even touched smb.conf. I was browsing the content of sysvol in my Samba4 server with a domain user I created and then I tried deleting a file and I could do it, tried with the whole content of sysvol and I could delete all. Then I reinstalled samba and tried again with a new domain user, and could do it again. The permission on a Windows 2003 server are as shown below and you're right only authenticated users should have read and execute permissions. But I tried with a windows client in a virtual pc against a real windows 2003 server and surprisingly I could list the content of sysvol in spite of this virtual pc not being a member of the windows 2003 server domain. That's why I suggested that may be it would be ok to allow everyone read and execute permissions. On Wed, Sep 28, 2011 at 1:55 PM, fe...@epepm.cupet.cu wrote: On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote: On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. Windows users Windows permissions - Domain Admins--- Full Access Authenticated Users-- Read Execute, List folder contents, Read CREATOR OWNER--- Special permissions (Maybe we don't need this) Server Operators Read Execute, List folder contents, Read SYSTEM-- Full Access I think that what it is needed here is: Domain Admins- Full Access and everybody else Read Execute, List folder contents, Read I think that GPOs and some scripts are delivered to windows clients through sysvol, that's why I don't want any of my users to be able to delete the sysvol content. What should I do to accomplish that goal? In theory we should have the ACLs ok, I have to check this things but it won't be before next week I'm at IOLAB with microsoft this week focusing on FRS replication. Sorry. Matthieu. I understand. I'll be waiting for an answer. Thanks. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
Definitely that is where your login scripts and so forth are or the general place that you are suppose to put them. I've got to go do some work over at a place I have a Samba4 PDC setup tomorrow. Did you mess with the permissions or don't recall? Was it like that when you installed? I wouldn't allow Everyone to have access. Go the Authenticated Users route or maybe Domain Users with read/execute permissions. I'll check all the different users on it tomorrow for ya and drop back a line to this thread though. There might be a phantom User that only Samba knows about that is listed there that might be specific to your install. It would be nice if someone chimed in here, have been wondering about that... ;) Chris Hi Chris: It's a recent test installation using Samba4 alpha 17 tar. I have done nothing with the permissions. I haven't even touched smb.conf. I was browsing the content of sysvol in my Samba4 server with a domain user I created and then I tried deleting a file and I could do it, tried with the whole content of sysvol and I could delete all. Then I reinstalled samba and tried again with a new domain user, and could do it again. The permission on a Windows 2003 server are as shown below and you're right only authenticated users should have read and execute permissions. But I tried with a windows client in a virtual pc against a real windows 2003 server and surprisingly I could list the content of sysvol in spite of this virtual pc not being a member of the windows 2003 server domain. That's why I suggested that may be it would be ok to allow everyone read and execute permissions. My mistake. Unauthenticated users have no access to sysvol in windows 2003 server. Sorry!!! On Wed, Sep 28, 2011 at 1:55 PM, fe...@epepm.cupet.cu wrote: On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote: On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. Windows users Windows permissions - Domain Admins--- Full Access Authenticated Users-- Read Execute, List folder contents, Read CREATOR OWNER--- Special permissions (Maybe we don't need this) Server Operators Read Execute, List folder contents, Read SYSTEM-- Full Access I think that what it is needed here is: Domain Admins- Full Access and everybody else Read Execute, List folder contents, Read I think that GPOs and some scripts are delivered to windows clients through sysvol, that's why I don't want any of my users to be able to delete the sysvol content. What should I do to accomplish that goal? In theory we should have the ACLs ok, I have to check this things but it won't be before next week I'm at IOLAB with microsoft this week focusing on FRS replication. Sorry. Matthieu. I understand. I'll be waiting for an answer. Thanks. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
No problem. That setup I was talking about is running same version of Samba4 that you are. Yea, that is definitely not good if someone could go in there and change what login scripts were run or what they are suppose to do. If it is indeed this way, then definitely nice find on your end. Will have to be reported as config issue or something with Samba4 alpha17. It will probably be after lunch before I can let ya know though. I'm waiting on a monitor to come in for a setup they needed. So right after that gets over here tomorrow will head over there and get back with ya. On Wed, Sep 28, 2011 at 3:41 PM, fe...@epepm.cupet.cu wrote: Definitely that is where your login scripts and so forth are or the general place that you are suppose to put them. I've got to go do some work over at a place I have a Samba4 PDC setup tomorrow. Did you mess with the permissions or don't recall? Was it like that when you installed? I wouldn't allow Everyone to have access. Go the Authenticated Users route or maybe Domain Users with read/execute permissions. I'll check all the different users on it tomorrow for ya and drop back a line to this thread though. There might be a phantom User that only Samba knows about that is listed there that might be specific to your install. It would be nice if someone chimed in here, have been wondering about that... ;) Chris Hi Chris: It's a recent test installation using Samba4 alpha 17 tar. I have done nothing with the permissions. I haven't even touched smb.conf. I was browsing the content of sysvol in my Samba4 server with a domain user I created and then I tried deleting a file and I could do it, tried with the whole content of sysvol and I could delete all. Then I reinstalled samba and tried again with a new domain user, and could do it again. The permission on a Windows 2003 server are as shown below and you're right only authenticated users should have read and execute permissions. But I tried with a windows client in a virtual pc against a real windows 2003 server and surprisingly I could list the content of sysvol in spite of this virtual pc not being a member of the windows 2003 server domain. That's why I suggested that may be it would be ok to allow everyone read and execute permissions. My mistake. Unauthenticated users have no access to sysvol in windows 2003 server. Sorry!!! On Wed, Sep 28, 2011 at 1:55 PM, fe...@epepm.cupet.cu wrote: On 28/09/2011 04:59, fe...@epepm.cupet.cu wrote: On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. Windows users Windows permissions - Domain Admins--- Full Access Authenticated Users-- Read Execute, List folder contents, Read CREATOR OWNER--- Special permissions (Maybe we don't need this) Server Operators Read Execute, List folder contents, Read SYSTEM-- Full Access I think that what it is needed here is: Domain Admins- Full Access and everybody else Read Execute, List folder contents, Read I think that GPOs and some scripts are delivered to windows clients through sysvol, that's why I don't want any of my users to be able to delete the sysvol content. What should I do to accomplish that goal? In theory we should have the ACLs ok, I have to check this things but it won't be before next week I'm at IOLAB with microsoft this week focusing on FRS replication. Sorry. Matthieu. I understand. I'll be waiting for an answer. Thanks. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. -- Matthieu Patou Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 and sysvol share
On 27/09/2011 13:07, fe...@epepm.cupet.cu wrote: Hello. I noticed that any domain user can delete the content of the shared folder sysvol in the domain controller from a windows client. How can I avoid that? Greetings, Felix What's the default windows behavior with this ? Matthieu. Windows users Windows permissions - Domain Admins--- Full Access Authenticated User-- Read Execute, List folder contents, Read CREATOR OWNER--- Special permissions (Maybe we don't need this) Server Operators Read Execute, List folder contents, Read SYSTEM-- Full Access Thanks for your attention. Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
