Samba AD: GPO with empty or null DACL

Andrew Bartlett abartlet at samba.org
Sun Jan 7 21:17:54 UTC 2018


On Wed, 2018-01-03 at 18:25 +0100, Thomas A. Reim via samba-technical
wrote:
> Dear all,
> 
> I would appreciate your support for managing the DACL of group policy 
> objects on a Samba AD DC.
> 
> For testing purposes I need to modify the DACL of an existing GPO to be:
> 
> 1. Empty DACL
> 
> 2. NULL DACL
> 
> Up to now I have not been able to find a way to accomplish this task. 
> Microsoft RSAT tools allow to empty the DACL, but the empty DACL is not 
> stored in the directory.
> 
> Command line tools on the Samba DC (ldapmodify, ldbedit) accept an empty 
> DACL, but do not store it in the directory, either. Instead the current 
> DACL is kept unchanged.
> 
> Is there a feasible way to get these special DACLs stored in the directory?

I'm not entirely sure what you want to do, but I will note that Samba
refuses to consider a totally missing ntSecurityDescriptor to be an
'allow all', and just refuses all operations instead.

	/* No nTSecurityDescriptor on the object at all: refuse the
	 * operation instead of treating the absence as "allow all". */
	sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
	if (sd_element == NULL) {
		return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS,
				 "nTSecurityDescriptor is missing");
	}

	/* The attribute is single-valued; anything else is an internal error. */
	if (sd_element->num_values != 1) {
		return ldb_operr(ldb);
	}

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
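An added example, not part of the thread and not Samba code: the question above is hard to answer from the tools alone because an "empty" and a "NULL" DACL look nothing alike on the wire, and a missing nTSecurityDescriptor is a third thing again (the case Samba's acl module refuses outright). The script below decodes a stored nTSecurityDescriptor value (self-relative SECURITY_DESCRIPTOR, as defined in MS-DTYP; the raw bytes are what you get after base64-decoding the `::` value an LDIF dump prints) and reports which of four states the DACL is in: the SE_DACL_PRESENT bit clear, the bit set with no ACL body (a NULL DACL, which on Windows grants everyone full access), an ACL with zero ACEs (an empty DACL, which grants nothing), or an ACL with ACEs. Only the descriptor and ACL headers are parsed; ACE bodies are skipped. All sample descriptors are constructed inline as test data, and the builder functions are this example's own helpers, not a library API.

```python
"""Classify what kind of DACL a stored nTSecurityDescriptor actually carries.

Added example, not Samba code. Parses a self-relative SECURITY_DESCRIPTOR
(MS-DTYP 2.4.6) far enough to tell apart the cases that matter when testing
DACL edge cases on a GPO: no DACL flag, a NULL DACL, an empty DACL and a
DACL with ACEs. The sample descriptors at the bottom are constructed here.
"""
from __future__ import annotations

import struct

# SECURITY_DESCRIPTOR Control bits (MS-DTYP 2.4.6).
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
SD_HEADER_LEN = 20   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER_LEN = 8   # AclRevision, Sbz1, AclSize, AceCount, Sbz2


def classify_dacl(sd: bytes) -> str:
    """Return 'absent', 'null', 'empty' or 'populated' for the DACL in a self-relative SD.

    'absent' and 'null' both mean there is no DACL to evaluate (full access on
    Windows); 'empty' is a DACL with zero ACEs, which grants nobody anything.
    """
    if len(sd) < SD_HEADER_LEN:
        raise ValueError("security descriptor shorter than its 20-byte header")
    revision, _sbz1, control, _off_owner, _off_group, _off_sacl, off_dacl = struct.unpack_from(
        "<BBHIIII", sd, 0)
    if revision != 1:
        raise ValueError(f"unsupported security descriptor revision {revision}")
    if not control & SE_SELF_RELATIVE:
        raise ValueError("only self-relative descriptors are supported")
    if not control & SE_DACL_PRESENT:
        return "absent"          # DP bit clear: the descriptor carries no DACL at all
    if off_dacl == 0:
        return "null"            # DP bit set but no ACL body: the classic NULL DACL
    if off_dacl + ACL_HEADER_LEN > len(sd):
        raise ValueError("OffsetDacl points past the end of the descriptor")
    _acl_rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    if acl_size < ACL_HEADER_LEN or off_dacl + acl_size > len(sd):
        raise ValueError("DACL AclSize is inconsistent with the descriptor length")
    return "empty" if ace_count == 0 else "populated"


# --- Constructed sample descriptors (test data, not taken from any directory) ---

def build_acl(aces: list[bytes]) -> bytes:
    """ACL header (revision 2) followed by the given pre-encoded ACEs (example helper)."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, ACL_HEADER_LEN + len(body), len(aces), 0) + body


def build_sd(dacl: bytes | None, dacl_present: bool = True) -> bytes:
    """Self-relative SD with no owner, group or SACL; the DACL, if any, follows the header."""
    control = SE_SELF_RELATIVE | (SE_DACL_PRESENT if dacl_present else 0)
    off_dacl = SD_HEADER_LEN if dacl is not None else 0
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, off_dacl) + (dacl or b"")


# S-1-1-0 (Everyone): SidRevision 1, one sub-authority, authority 1, sub-authority 0.
EVERYONE_SID = struct.pack("<BB6sI", 1, 1, b"\x00\x00\x00\x00\x00\x01", 0)
GENERIC_ALL = 0x10000000
# ACCESS_ALLOWED_ACE: AceType 0x00, AceFlags 0, AceSize, Mask, then the SID.
ALLOW_ALL_TO_EVERYONE = struct.pack("<BBHI", 0x00, 0x00, 8 + len(EVERYONE_SID), GENERIC_ALL) + EVERYONE_SID

SAMPLES = {
    "absent": build_sd(None, dacl_present=False),
    "null": build_sd(None),
    "empty": build_sd(build_acl([])),
    "populated": build_sd(build_acl([ALLOW_ALL_TO_EVERYONE])),
}

if __name__ == "__main__":
    for name, sd in SAMPLES.items():
        print(f"{name:10s} -> {classify_dacl(sd)}")
```

Run it against the decoded nTSecurityDescriptor of the GPO before and after the attempted modification: if both decode as "populated", the DC kept the old DACL, which matches what the original poster saw with RSAT, ldapmodify and ldbedit.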
