[Samba] ACLs on OUs

mathias dufresne infractory at gmail.com
Tue Jun 2 05:51:55 MDT 2015


Hi,

On the ADUC version I'm using on Windows 7 the checkbox to "prevent object from
accidental removal" is checked when creating a new OU, that's why I said
"by default". Anyway this behaviour suits my needs: I won't be there once
this project arrives in production mode and so I can't have any
confidence in how it will be managed...

The workaround I found was using the ADSIedit tool to force heritage of ACLs
from the parent OU. This tool gives nice choices about which kind of objects
would inherit these permissions, and this heritage is set per permission.
So this allows me to only force heritage of "removal is denied to everyone"
on OU objects which are children of the current OU.

Regarding your proposal to file an enhancement request, it could be a good
thing to have a tool provided by Samba which would be easier to use than
"samba-tool dsacl", which seems to be there to modify the security descriptor
but which is not really clear on how to use it.
But honestly, considering the workaround previously explained and the lot
of work still to be done on Samba 4, I'm not sure this deserves a request
right now...

cheers,

mathias


2015-06-01 21:52 GMT+02:00 Matthieu Patou <mat at samba.org>:

> On 05/28/2015 04:55 AM, mathias dufresne wrote:
>
>> Hi all,
>>
>> When created through RSAT OUs receive, by default, ACLs to refuse removal.
>>
> Actually I don't think it's true.
> By default RSAT tools propose to mark as "prevent object from accidental
> removal".
>
>> When created through LDIF and ldbadd OUs do not receive these ACLs.
>>
>> Is there a way to create these ACLs using command line tools?
>>
> You need to alter the security descriptor to deny the SD and DT rights to
> everyone on the OU; I don't recommend you to do so.
> It would be better to have a tool in samba-tool to mark an object as "prevent
> from accidental removal"; if you agree, please file an enhancement request in
> our bugzilla.
>
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>
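Matthieu's description above (deny the SD and DT rights to everyone in the OU's security descriptor) as an added worked example, not code from this thread or from Samba: it parses the DACL of an SDDL string, reports whether the object already carries that deny ACE, and prepends one if not. The SDDL sample is constructed; passing the resulting ACE to samba-tool dsacl set is assumed, not shown.

```python
import re

# SDDL right codes behind "prevent object from accidental removal":
# SD = DELETE, DT = DELETE_TREE; WD is the well-known SID for Everyone.
# A deny ACE ("D") carrying both, granted to WD, is what RSAT writes.
PROTECT_ACE = "(D;;SDDT;;;WD)"

# DACL = "D:" + optional control flags (P, AR, AI) + zero or more "(...)" ACEs
DACL_RE = re.compile(r"(D:(?:P|AR|AI)*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample: an OU whose DACL only grants rights, denies nothing.
SAMPLE_UNPROTECTED = "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"


def _split_rights(rights):
    """Rights are two-letter codes run together: "SDDT" -> {"SD", "DT"}."""
    if rights.startswith("0x"):          # hex access mask, left as-is
        return {rights}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return the DACL ACEs as (type, flags, rights-set, trustee) tuples."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inh_obj, trustee = parts[:6]
        aces.append((ace_type, flags, _split_rights(rights), trustee))
    return aces


def is_protected(sddl):
    """True when some deny ACE gives Everyone both DELETE and DELETE_TREE."""
    return any(t == "D" and who == "WD" and {"SD", "DT"} <= rights
               for t, _f, rights, who in parse_dacl(sddl))


def protect(sddl):
    """Add the deny ACE at the head of the DACL (deny ACEs are evaluated first)."""
    if is_protected(sddl):
        return sddl
    return DACL_RE.sub(lambda m: m.group(1) + PROTECT_ACE + m.group(2), sddl, count=1)
```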

