Alright, here is the update, Felix. From a default install, at least on the server I set up, sysvol is Authenticated Users (read/execute), Domain Admins (all), System (all). It and all children.

As you dive deeper into the folder structure there are some more added, like Enterprise Admins and so forth (with full privileges). I believe Owner is also one as you get further down, and it has no privileges set.

Chris

On Wed, Sep 28, 2011 at 4:25 PM, Christopher Whitehead <[email protected]> wrote:
> No problem. That setup I was talking about is running the same version of
> Samba4 that you are. Yeah, that is definitely not good if someone could go
> in there and change what login scripts were run or what they are supposed to
> do.
>
> If it is indeed this way, then definitely nice find on your end. Will have
> to be reported as a config issue or something with Samba4 alpha17.
>
> It will probably be after lunch before I can let ya know though. I'm
> waiting on a monitor to come in for a setup they needed. So right after
> that gets over here tomorrow I will head over there and get back with ya.
>
> On Wed, Sep 28, 2011 at 3:41 PM, <[email protected]> wrote:
>> >> Definitely that is where your login scripts and so forth are, or the
>> >> general place that you are supposed to put them. I've got to go do some
>> >> work over at a place I have a Samba4 PDC setup tomorrow.
>> >>
>> >> Did you mess with the permissions or don't recall? Was it like that
>> >> when you installed?
>> >>
>> >> I wouldn't allow Everyone to have access. Go the Authenticated Users
>> >> route or maybe Domain Users with read/execute permissions. I'll check
>> >> all the different users on it tomorrow for ya and drop back a line to
>> >> this thread though. There might be a phantom User that only Samba knows
>> >> about that is listed there that might be specific to your install.
>> >>
>> >> It would be nice if someone chimed in here, have been wondering about
>> >> that... ;)
>> >>
>> >> Chris
>> >>
>> > Hi Chris:
>> > It's a recent test installation using the Samba4 alpha 17 tar. I have done
>> > nothing with the permissions. I haven't even touched smb.conf.
>> > I was browsing the content of sysvol in my Samba4 server with a domain
>> > user I created and then I tried deleting a file and I could do it, tried
>> > with the whole content of sysvol and I could delete all. Then I
>> > reinstalled samba and tried again with a new domain user, and could do
>> > it again.
>> >
>> > The permissions on a Windows 2003 server are as shown below and you're
>> > right, only Authenticated Users should have read and execute permissions.
>> > But I tried with a Windows client in a virtual PC against a real Windows
>> > 2003 server and surprisingly I could list the content of sysvol in spite
>> > of this virtual PC not being a member of the Windows 2003 server domain.
>> > That's why I suggested that maybe it would be OK to allow Everyone read
>> > and execute permissions.
>> >
>> My mistake. Unauthenticated users have no access to sysvol in Windows 2003
>> Server. Sorry!!!
>>
>> >
>> >> On Wed, Sep 28, 2011 at 1:55 PM, <[email protected]> wrote:
>> >>
>> >>> > On 28/09/2011 04:59, [email protected] wrote:
>> >>> >>>> On 27/09/2011 13:07, [email protected] wrote:
>> >>> >>>>> Hello.
>> >>> >>>>> I noticed that any domain user can delete the content of the
>> >>> >>>>> shared folder sysvol in the domain controller from a Windows
>> >>> >>>>> client.
>> >>> >>>>>
>> >>> >>>>> How can I avoid that?
>> >>> >>>>>
>> >>> >>>>> Greetings,
>> >>> >>>>> Felix
>> >>> >>>>>
>> >>> >>>> What's the default Windows behavior with this?
>> >>> >>>>
>> >>> >>>> Matthieu.
>> >>> >>>>
>> >>> >>> Windows users             Windows permissions
>> >>> >>> -------------------------------------------------
>> >>> >>> Domain Admins-----------> Full Access
>> >>> >>> Authenticated Users-----> Read & Execute, List folder contents, Read
>> >>> >>> CREATOR OWNER-----------> Special permissions (Maybe we don't need this)
>> >>> >>> Server Operators--------> Read & Execute, List folder contents, Read
>> >>> >>> SYSTEM------------------> Full Access
>> >>> >>>
>> >>> >> I think that what is needed here is:
>> >>> >> Domain Admins-------------> Full Access
>> >>> >> and everybody else--------> Read & Execute, List folder contents, Read
>> >>> >>
>> >>> >> I think that GPOs and some scripts are delivered to Windows clients
>> >>> >> through sysvol, that's why I don't want any of my users to be able
>> >>> >> to delete the sysvol content.
>> >>> >>
>> >>> >> What should I do to accomplish that goal?
>> >>> > In theory we should have the ACLs OK. I have to check these things, but
>> >>> > it won't be before next week; I'm at IOLAB with Microsoft this week
>> >>> > focusing on FRS replication.
>> >>> >
>> >>> > Sorry.
>> >>> >
>> >>> > Matthieu.
>> >>> >
>> >>> I understand. I'll be waiting for an answer.
>> >>> Thanks.
>> >>>
>> >>> Felix.
>> >>>
>> >>> --
>> >>> To unsubscribe from this list go to the following URL and read the
>> >>> instructions: https://lists.samba.org/mailman/options/samba
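The Windows 2003 permission list Felix quoted in the thread amounts to a baseline a sysvol ACL can be checked against. The script below is an added example, not code from the thread or from the Samba project: it parses an NT security descriptor in SDDL form, decodes each ACE's access mask, and flags every allow ACE that hands write, delete, WRITE_DAC or WRITE_OWNER rights to a trustee other than BUILTIN\Administrators, SYSTEM, Domain Admins or Enterprise Admins (the trusted set is this example's assumption; Domain Admins are members of BUILTIN\Administrators on a DC). Both SDDL strings in the block are constructed: one modelled on the Windows 2003 listing, the other on the state Felix describes, where an ordinary domain user can delete sysvol content.

```python
"""Audit a sysvol security descriptor (SDDL form) for write/delete rights
granted to principals that should only be able to read it.

Added example for this thread; not Samba project code. The SDDL strings
at the bottom are constructed, not captured from a real server.
"""
import re

# Two-letter SDDL access-right tokens and the access-mask bits they encode.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}

# Bits that let a trustee create, change or delete sysvol content or rewrite
# the ACL: FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_DELETE_CHILD,
# FILE_WRITE_ATTRIBUTES, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x40000000 | 0x10000000)

# SDDL aliases for well-known SIDs; domain groups usually print as full SIDs,
# so they are resolved by RID below.
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "Authenticated Users", "WD": "Everyone", "CO": "CREATOR OWNER",
    "SO": "Server Operators", "DA": "Domain Admins", "EA": "Enterprise Admins",
    "DU": "Domain Users",
}
RID_NAMES = {"512": "Domain Admins", "513": "Domain Users", "519": "Enterprise Admins"}

# Assumption of this example: only these principals may hold write rights.
TRUSTED_WRITERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
                   "Domain Admins", "Enterprise Admins"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(token):
    """Decode an ACE rights field: a hex literal or concatenated 2-letter tokens."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError("malformed rights field: %r" % token)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= SDDL_RIGHTS[token[i:i + 2]]
    return mask


def trustee_name(sid):
    """Map an SDDL alias or S-1-5-21-... SID to a readable name."""
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    if sid.startswith("S-1-5-21-"):
        return RID_NAMES.get(sid.rsplit("-", 1)[1], sid)
    return sid


def parse_dacl(sddl):
    """Return (ace_type, flags, mask, trustee) for every ACE in the DACL."""
    if "D:" not in sddl:
        raise ValueError("descriptor has no DACL")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop a trailing SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inh_obj, sid = fields[:6]
        aces.append((ace_type, flags, rights_mask(rights), trustee_name(sid)))
    return aces


def audit_sysvol(sddl):
    """List every allow ACE that gives write/delete rights to an untrusted trustee."""
    findings = []
    for ace_type, flags, mask, trustee in parse_dacl(sddl):
        if ace_type != "A":  # deny and audit ACEs never widen access
            continue
        if mask & WRITE_BITS and trustee not in TRUSTED_WRITERS:
            findings.append("%s can modify/delete sysvol (mask 0x%08x, flags %s)"
                            % (trustee, mask, flags))
    return findings


# Constructed: the Windows 2003 defaults listed in the thread (CREATOR OWNER omitted).
BASELINE_SDDL = ("O:BAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
                 "(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;SO)"
                 "(A;OICI;FA;;;S-1-5-21-1111111111-2222222222-3333333333-512)")

# Constructed: the state Felix describes, with Domain Users holding Full
# Control and Everyone holding Modify (0x1301bf).
WEAK_SDDL = ("O:BAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
             "(A;OICI;FA;;;S-1-5-21-1111111111-2222222222-3333333333-513)"
             "(A;OICI;0x1301bf;;;WD)")

if __name__ == "__main__":
    for label, sddl in (("baseline", BASELINE_SDDL), ("weak", WEAK_SDDL)):
        print(label, audit_sysvol(sddl) or ["no findings"])
```

To run it against a real DC, feed `audit_sysvol` the descriptor of the sysvol directory. On the Samba side that is the output of `samba-tool ntacl get <sysvol path> --as-sddl` (assumed here; check that the option exists on the version in use), and from a Windows client `(Get-Acl \\dc\sysvol).Sddl` yields the same SDDL form. The `OICI` flags matter for the thread's question: an ACE without object and container inheritance protects the sysvol root but not the scripts and GPO folders beneath it.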
