[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)

Rowland Penny rowlandpenny at googlemail.com
Wed Jun 17 02:53:51 MDT 2015


On 17/06/15 08:15, L.P.H. van Belle wrote:
> Hai,
>   
> I'm running Samba 4.2.2 (SerNet) on Debian.
>   
> when I run:
> samba-tool gpo aclcheck -UAdministrator
>   
> I'm getting:
> ERROR: Invalid GPO ACL
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> and it tells me it should be
> O:DAG:DAD:P  (A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>   
> the only difference: O:DAG:DAD:PAI <> O:DAG:DAD:P
>   
> the strange thing: it complains about something.else.tld\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}
>   
> checked the rights.
> getfacl \{EAF212FE-4718-4693-BD18-6B4FC8A0513A\}/
>   
> # file: {EAF212FE-4718-4693-BD18-6B4FC8A0513A}/
> # owner: domain\040admins
> # group: domain\040admins
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:enterprise\040admins:rwx
> user:3000010:r-x
> group::rwx
> group:3000002:rwx
> group:3000003:r-x
> group:enterprise\040admins:rwx
> group:domain\040admins:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:enterprise\040admins:rwx
> default:user:domain\040admins:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:enterprise\040admins:rwx
> default:group:domain\040admins:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
> and on an other folder
>   getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
> # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
> # owner: domain\040admins
> # group: domain\040admins
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:enterprise\040admins:rwx
> user:3000010:r-x
> group::rwx
> group:3000002:rwx
> group:3000003:r-x
> group:enterprise\040admins:rwx
> group:domain\040admins:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:enterprise\040admins:rwx
> default:user:domain\040admins:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:enterprise\040admins:rwx
> default:group:domain\040admins:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
>   
> both have the same rights, but only one is complaining about an incorrect setting.
>   
> And this was AFTER running:
> samba-tool gpo aclcheck
> ERROR: Error connecting to 'dc1.something.else.tld' using SMB
>
> samba-tool gpo aclcheck -UAdministrator
> Password for [SOMETHING\Administrator]:
> ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)
> (A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on path (rotterdam.bazuin.nl\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}),
> should be
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> did we hit a bug here? I don't see what's wrong, and all is working as it should.
>   
> Greetz,
>   
> Louis
>   
>   

Hi Louis,
You have run into something that has been bugging me: the ACEs are 
correct but the owner or DACL flags are wrong, things that I think do not 
really matter as far as Windows is concerned.

Have a look here: 
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379570%28v=vs.85%29.aspx

And here: http://www.netid.washington.edu/documentation/domains/sddl.aspx

My understanding is that the ACEs are the things that matter; these are what 
come up in the security tab, and who owns the file/dir doesn't really matter.

Rowland
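
To see exactly what the aclcheck is objecting to, the following is an added example (not samba-tool's own code and not posted by anyone in this thread). It parses the two SDDL strings from Louis's report according to the SDDL syntax in the MSDN page Rowland links (owner, group, DACL control flags, then the ACE list) and reports which fields differ. The flag and access-mask names are the ones from that documentation; the two SDDL strings are quoted from the thread, and everything else (function names, the `describe_rights` helper) is this example's own.

```python
"""Parse SDDL security descriptors and report where two of them differ.

Added example for this thread, not samba-tool's code. It splits the SDDL
string form (O:owner G:group D:flags(ace)(ace)... S:flags(ace)...) so the
'PAI' vs 'P' difference can be seen separately from the ACE list.
"""
import re

# The two strings from the thread: what samba-tool found on the GPO folder
# and what it said the descriptor should be (whitespace as printed).
ACTUAL_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
               "(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P  (A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)")

# DACL/SACL control flags as written in SDDL, longest token first so that
# "PAI" tokenises as P + AI (protected + auto-inherited).
ACL_FLAG_TOKENS = ("NO_ACCESS_CONTROL", "AR", "AI", "P")
ACL_FLAG_NAMES = {
    "P": "PROTECTED (inheritable ACEs from the parent are not applied)",
    "AR": "AUTO_INHERIT_REQ",
    "AI": "AUTO_INHERITED (ACL was produced by the inheritance algorithm)",
    "NO_ACCESS_CONTROL": "NULL ACL",
}
ACE_FLAG_TOKENS = ("OI", "CI", "NP", "IO", "ID", "SA", "FA")
# Access-right abbreviations from the SDDL docs; hex masks are accepted too.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "RP": 0x10, "WP": 0x20, "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08,
    "LO": 0x80, "DT": 0x40, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
FILE_GENERIC = {"FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
                "FX": "FILE_GENERIC_EXECUTE"}
ACE_RE = re.compile(r"\(([^()]*)\)")


def _tokenize(text, tokens):
    """Greedily split a run of SDDL flag letters into known tokens."""
    out, i = [], 0
    while i < len(text):
        for tok in tokens:
            if text.startswith(tok, i):
                out.append(tok)
                i += len(tok)
                break
        else:
            raise ValueError("unknown SDDL flag at %r" % text[i:])
    return out


def parse_rights(field):
    """'0x001f01ff' -> 0x1f01ff; 'FRFX' -> FILE_GENERIC_READ|FILE_GENERIC_EXECUTE."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if field.isdigit():
        return int(field)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask


def describe_rights(mask):
    """Name the file generic rights fully contained in mask; leftover bits in hex."""
    if mask == RIGHTS["FA"]:
        return ["FILE_ALL_ACCESS"]
    names, remaining = [], mask
    for abbr, name in FILE_GENERIC.items():
        if mask & RIGHTS[abbr] == RIGHTS[abbr]:
            names.append(name)
            remaining &= ~RIGHTS[abbr]
    if remaining:
        names.append(hex(remaining))
    return names


def parse_ace(body):
    """Split one ACE 'type;flags;rights;object;inherit_object;trustee'."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs 6 fields: %r" % body)
    ace_type, ace_flags, rights, obj, iobj, trustee = fields
    return {"type": ace_type, "flags": _tokenize(ace_flags, ACE_FLAG_TOKENS),
            "rights": parse_rights(rights), "object": obj,
            "inherit_object": iobj, "trustee": trustee}


def parse_sddl(sddl):
    """Return owner, group, DACL/SACL flags and ACE lists from an SDDL string."""
    sddl = re.sub(r"\s+", "", sddl)  # SDDL carries no significant whitespace
    desc = {"owner": None, "group": None, "dacl_flags": [], "dacl": [],
            "sacl_flags": [], "sacl": []}
    starts = [m.start() for m in re.finditer(r"[OGDS]:", sddl)]
    for start, end in zip(starts, starts[1:] + [len(sddl)]):
        key, body = sddl[start], sddl[start + 2:end]
        if key == "O":
            desc["owner"] = body
        elif key == "G":
            desc["group"] = body
        else:
            which = "dacl" if key == "D" else "sacl"
            desc[which + "_flags"] = _tokenize(body.split("(", 1)[0], ACL_FLAG_TOKENS)
            desc[which] = [parse_ace(a) for a in ACE_RE.findall(body)]
    return desc


def diff_sddl(actual, expected):
    """Return {field: (actual, expected)} for every field whose value differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}


if __name__ == "__main__":
    for field, (got, want) in diff_sddl(ACTUAL_SDDL, EXPECTED_SDDL).items():
        print("%s: found %r, expected %r" % (field, got, want))
    for ace in parse_sddl(ACTUAL_SDDL)["dacl"]:
        print(ace["trustee"], ace["flags"], describe_rights(ace["rights"]))
```

Run against the thread's strings, the only field that differs is `dacl_flags` (`['P', 'AI']` found, `['P']` expected): owner, group and all seven ACEs are identical, and the ACE dump shows that 0x001f01ff is FILE_ALL_ACCESS and 0x001200a9 is FILE_GENERIC_READ plus FILE_GENERIC_EXECUTE. The check is therefore not about who can do what on the folder but about the descriptor being flagged as auto-inherited in addition to protected.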

