[Samba] Adding Share Windows ACL
L.P.H. van Belle
belle at bazuin.nl
Fri Jan 26 10:41:17 UTC 2018
Yes, you're right and not.. .. Sorry..
>
> This is a sddl of a GPO in sysvol:
>
> O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
>
> The important part is at the start:
>
> O:DAG:DAD:
>
> O = owner
> G = group
> DA = Domain Admins
>
> The only way this can occur on a Unix DC is if Domain Admins doesn't
> have a gidNumber attribute.
Yes yes, I know. About 1 year ago we both looked this all up..
The sddl is fine, and works better if you set ignore systemacls.
Because then you can have O:DAG:DAD: it's only not shown on the system..
This is imo also the interesting part, and still I don't agree.. Because
I do have gids on "domain users/guest/admins" on my AD backend DCs and members.
0 problems here.
getent group "domain users"
domain users:x:10000:.... Here all my users with uid.
getent group "domain admins"
domain admins:x:10001:admin,administrator
getent group "domain guests"
domain guests:x:10002:guest
domain computers:x:10006:
Yes. Here no computer in the group, but gid was added, this works fine.
Test it Rowland and you will see it works, maybe I found some great loopholes here..
But I really like the ignore systemacl because it fixes a lot of SID/UID/GID related problems.
I also advise to use it as little as possible, but imo sysvol, netlogon, profiles, users and a deploy share
really benefit from the parameter.
This works really well for me, as of Samba 4.4+, now at 4.7.4.
Greetz,
Louis
>
> > Only one BEWARE !!
> > If you change to ignore systemacls, you MUST RE-APPLY ALL SHARE AND
> > SECURITY SETTINGS AGAIN! And for sysvol, set it and forget it, don't
> > run samba-tool sysvolreset !
> >
>
> Yes, do not run sysvolreset, but not because of this problem, it is
> because the underlying 'C' code doesn't set the ACLs correctly, see:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12924
>
> Rowland
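The SDDL layout Rowland breaks down above (O: owner, G: group, then the DACL and its ACEs) can be checked mechanically when auditing sysvol. The following is an added example, not code from this thread or from Samba: it parses the quoted GPO descriptor and reports the owner, group and which trustees hold full control. The WELL_KNOWN table holds standard SDDL shorthands; the sample string is the one quoted in the message.

```python
import re

# Standard SDDL two-letter SID shorthands that appear in the quoted descriptor
WELL_KNOWN = {
    "DA": "Domain Admins",
    "CO": "Creator Owner",
    "ED": "Enterprise Domain Controllers",
    "AU": "Authenticated Users",
    "SY": "Local System",
}

FULL_CONTROL = "FA"  # generic "file all access" rights shorthand

def resolve_sid(token):
    """Map a two-letter SID shorthand to a name; raw S-1-... SIDs pass through."""
    return WELL_KNOWN.get(token, token)

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACEs (SACL ignored)."""
    m = re.match(r"^O:(.+?)G:(.+?)D:(.*)$", sddl)
    if not m:
        raise ValueError("not a recognised SDDL string")
    owner, group, dacl = m.groups()
    flags = dacl.split("(", 1)[0]  # e.g. PAI = protected + auto-inherited
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %s" % body)
        ace_type, ace_flags, rights, _obj, _inh_obj, sid = fields
        # rights is either a shorthand (FA) or a hex mask (0x1200a9 = read & execute)
        aces.append({"type": ace_type, "flags": ace_flags,
                     "rights": rights, "trustee": resolve_sid(sid)})
    return {"owner": resolve_sid(owner), "group": resolve_sid(group),
            "dacl_flags": flags, "aces": aces}

def full_control_trustees(sddl):
    """Trustees granted full control by an allow (A) ACE, in DACL order."""
    return [a["trustee"] for a in parse_sddl(sddl)["aces"]
            if a["type"] == "A" and a["rights"] == FULL_CONTROL]

# Sample input: the sysvol GPO descriptor quoted in the thread (constructed here)
SAMPLE = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)"
          "(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"
          "(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)")

if __name__ == "__main__":
    desc = parse_sddl(SAMPLE)
    print("owner:", desc["owner"], "| group:", desc["group"], "| flags:", desc["dacl_flags"])
    print("full control:", full_control_trustees(SAMPLE))
```

If the owner or group resolves to a raw SID instead of "Domain Admins", that is the symptom Rowland describes: the Unix DC could not map the group to a gidNumber.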