about acl
Matthieu Patou
mat+Informatique.Samba at matws.net
Wed May 5 09:33:55 MDT 2010
Hello Nadya,
It's pretty interesting to see that with a freshly provisioned samba4 it's ok.
I'll try to find out what's wrong with my provision; still, I have the
impression that GPMC is doing some verification with SYSVOL ACL also.
Here is the ACL of the default GPO of the domain
dn: CN={4052DF49-D874-493F-A45B-B54700610ADD},CN=Policies,CN=System,DC=home,DC=matws,DC=net
nTSecurityDescriptor: O:DAG:DUD:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
For info, here are the ACLs of a GPO object just provisioned:
dn: CN=User,CN={F9589A61-B3A6-4C33-8A49-435E5A020171},CN=Policies,CN=System,DC=home,DC=matws,DC=net
nTSecurityDescriptor: O:DAG:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;RPLCLORC;;;AU)(OA;CIID;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CIID;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
Matthieu
On 05/05/2010 12:15, Nadezhda Ivanova wrote:
> Hi Matthieu,
> It seems we are missing an IO flag in some of the ACEs. I have no idea why
> yet, but I'll figure it out, thanks for your help!
>
> Regards,
> Nadya
>
> On Wed, May 5, 2010 at 9:58 AM, Matthieu Patou <mat+Informatique.Samba at matws.net> wrote:
>
>> C:\Users\Administrator\Desktop>subinacl.exe /file C:\Windows\SYSVOL\domain\Policies\{B0621D01-0E36-4F6F-8B9E-E1E193EDB7F4} /display=sddl
>>
>>
>> scripting/python/samba/ntacls.py
>>
>>
>> w2k8r2
>> FS:
>> O:DAG:DAD:PARAI(A;OICI;FA;;;DA)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)
>>
>> DS:
>> nTSecurityDescriptor: O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CI;RPLCLORC;;;ED)(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>
>>
>> Samba
>> FS:
>>
>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>
>> DS:
>> nTSecurityDescriptor: O:DAG:DUD:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>
>>
>>
>
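
The ACE flag comparison discussed in this thread can be done mechanically instead of by eye. The following is an added example, not code from the thread or from Samba: it parses the two DS descriptors quoted above (w2k8r2 and Samba, line wrapping removed) and lists the ACEs that match on type, rights, GUIDs and trustee but differ in flags. The function names parse_acl and ace_flag_diff are hypothetical, and only plain six-field ACEs are handled.

```python
import re

# DS security descriptors copied from the quoted message above, line wrapping removed.
W2K8R2_DS = (
    "O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
    "(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CI;RPLCLORC;;;ED)(A;CI;RPLCLORC;;;AU)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)"
    "S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)"
    "(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
SAMBA_DS = (
    "O:DAG:DUD:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)"
    "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

def parse_acl(sddl, which="S"):
    """Return (acl_flags, [ace_fields]) for the DACL ("D") or SACL ("S")."""
    # Plain ACEs contain no ':' so splitting on the O:/G:/D:/S: markers is safe here.
    sections = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    body = sections.get(which, "")
    aces = [ace.split(";") for ace in re.findall(r"\(([^()]*)\)", body)]
    return body.partition("(")[0], aces

def ace_flag_diff(reference, candidate, which="S"):
    """List ACEs present in both ACLs whose two-letter flag tokens differ."""
    def index(sddl):
        out = {}
        for a_type, flags, rights, obj, inh_obj, sid in parse_acl(sddl, which)[1]:
            key = (a_type, rights, obj, inh_obj, sid)
            # Several ACEs may share a key (e.g. DA with and without CI): keep all.
            out.setdefault(key, []).append(tuple(sorted(re.findall("..", flags))))
        return {k: sorted(v) for k, v in out.items()}
    ref, cand = index(reference), index(candidate)
    return [(key, ref[key], cand[key])
            for key in sorted(ref.keys() & cand.keys()) if ref[key] != cand[key]]

if __name__ == "__main__":
    for key, ref, cand in ace_flag_diff(W2K8R2_DS, SAMBA_DS, "S"):
        print(key[0], key[2], "w2k8r2:", ref, "samba:", cand)
```

ACEs that exist in only one of the two descriptors are not reported by this comparison.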