[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 17 01:15:59 MDT 2015
Hai,
im running samba 4.2.2 sernet on debian.
when i run :
samba-tool gpo aclcheck -UAdministrator
im getting :
ERROR: Invalid GPO ACL
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
and it tells me it should be
O:DAG:DAD:P (A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
the only difference : O:DAG:DAD:PAI <> O:DAG:DAD:P
the strange thing. it complains about something.else.tld\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}
checked the rights.
getfacl \{EAF212FE-4718-4693-BD18-6B4FC8A0513A\}/
# file: {EAF212FE-4718-4693-BD18-6B4FC8A0513A}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:3000002:rwx
user:3000003:r-x
user:enterprise\040admins:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:enterprise\040admins:rwx
group:domain\040admins:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:enterprise\040admins:rwx
default:user:domain\040admins:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:enterprise\040admins:rwx
default:group:domain\040admins:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---
and on an other folder
getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:3000002:rwx
user:3000003:r-x
user:enterprise\040admins:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:enterprise\040admins:rwx
group:domain\040admins:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:enterprise\040admins:rwx
default:user:domain\040admins:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:enterprise\040admins:rwx
default:group:domain\040admins:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---
both have same rights, but only 1 is complaining about incorrect setting..
And this was AFTER running :
samba-tool gpo aclcheck
ERROR: Error connecting to 'dc1.something.else.tld' using SMB
samba-tool gpo aclcheck -UAdministrator
Password for [SOMETHING\Administrator]:
ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)
(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on path (rotterdam.bazuin.nl\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}),
should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
did we hit a bug here? i done see whats wrong, and all is working as it should.
Greetz,
Louis
More information about the samba
mailing list