[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)
Rowland Penny
rowlandpenny at googlemail.com
Wed Jun 17 02:53:51 MDT 2015
On 17/06/15 08:15, L.P.H. van Belle wrote:
> Hai,
>
> I'm running Samba 4.2.2 (SerNet packages) on Debian.
>
> When I run:
> samba-tool gpo aclcheck -UAdministrator
>
> I'm getting:
> ERROR: Invalid GPO ACL
> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> and it tells me it should be:
> O:DAG:DAD:P (A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> The only difference: O:DAG:DAD:PAI <> O:DAG:DAD:P
>
> The strange thing: it complains about something.else.tld\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}
>
> I checked the rights:
> getfacl \{EAF212FE-4718-4693-BD18-6B4FC8A0513A\}/
>
> # file: {EAF212FE-4718-4693-BD18-6B4FC8A0513A}/
> # owner: domain\040admins
> # group: domain\040admins
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:enterprise\040admins:rwx
> user:3000010:r-x
> group::rwx
> group:3000002:rwx
> group:3000003:r-x
> group:enterprise\040admins:rwx
> group:domain\040admins:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:enterprise\040admins:rwx
> default:user:domain\040admins:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:enterprise\040admins:rwx
> default:group:domain\040admins:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
> And on another folder:
> getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
> # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
> # owner: domain\040admins
> # group: domain\040admins
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:enterprise\040admins:rwx
> user:3000010:r-x
> group::rwx
> group:3000002:rwx
> group:3000003:r-x
> group:enterprise\040admins:rwx
> group:domain\040admins:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:enterprise\040admins:rwx
> default:user:domain\040admins:rwx
> default:user:3000010:r-x
> default:group::---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:enterprise\040admins:rwx
> default:group:domain\040admins:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
>
> Both have the same rights, but only one is complaining about an incorrect setting.
>
> And this was AFTER running:
> samba-tool gpo aclcheck
> ERROR: Error connecting to 'dc1.something.else.tld' using SMB
>
> samba-tool gpo aclcheck -UAdministrator
> Password for [SOMETHING\Administrator]:
> ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)
> (A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on path (rotterdam.bazuin.nl\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}),
> should be
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
> Did we hit a bug here? I don't see what's wrong, and all is working as it should.
>
> Greetz,
>
> Louis
>
>
Hi Louis,
You have run into something that has been bugging me: the ACEs are
correct but the owner or DACL flags are wrong, things that I think do not
really matter as far as Windows is concerned.
Have a look here:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379570%28v=vs.85%29.aspx
And here: http://www.netid.washington.edu/documentation/domains/sddl.aspx
My understanding is the ACEs are the things that matter; these are what
come up in the security tab, and who owns the file/dir doesn't really matter.
Rowland
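As an added illustration of the point in this thread (example code, not part of the mailing-list post and not samba-tool's own aclcheck logic): the two SDDL strings from Louis's error message differ only in the DACL control flags, "PAI" versus "P". The script below is a minimal SDDL parser that splits a descriptor into owner, group, DACL control flags and the ACE list, then reports which of those fields differ. It only understands the subset of SDDL these descriptors use (no SACL, no conditional ACEs, hex access masks); the flag-name mapping follows Microsoft's SDDL documentation, and the two descriptors are copied from the post.

```python
"""Field-by-field comparison of two SDDL security descriptors.

Added example, not code from the Samba project. Handles the SDDL subset
seen in the post: O:<sid>G:<sid>D:<flags>(ace)(ace)...  No SACL support.
"""
import re
from dataclasses import dataclass

# Copies of the two descriptors from the post: what aclcheck found on the
# GPO directory, and what it said the descriptor should be.
ACTUAL_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
               "(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P (A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)")

# SDDL DACL control flags: P = protected (does not inherit from the parent),
# AR = auto-inherit requested, AI = auto-inherited.
DACL_FLAG_NAMES = {
    "P": "SE_DACL_PROTECTED",
    "AR": "SE_DACL_AUTO_INHERIT_REQ",
    "AI": "SE_DACL_AUTO_INHERITED",
}

# Owner/group are either a SID string (S-1-5-...) or a two-letter alias (DA, SY, ...).
_SID = r"(?:S-[\d-]+|[A-Z]{2})"
HEADER_RE = re.compile(
    rf"^O:(?P<owner>{_SID})G:(?P<group>{_SID})D:(?P<flags>[A-Z]*)"
    r"(?P<aces>(?:\([^)]*\))*)$"
)


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = access allowed, D = denied, ...
    flags: str         # inheritance flags, e.g. OICI, OICIIO
    rights: object     # int for hex access masks, otherwise the symbolic string
    object_guid: str
    inherit_guid: str
    trustee: str       # SID or alias the ACE applies to


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: tuple
    aces: tuple


def parse_dacl_flags(text):
    """Split a DACL flag run such as 'PAI' into ('P', 'AI'); two-letter flags first."""
    flags, i = [], 0
    while i < len(text):
        if text[i:i + 2] in DACL_FLAG_NAMES:
            flags.append(text[i:i + 2])
            i += 2
        elif text[i] in DACL_FLAG_NAMES:
            flags.append(text[i])
            i += 1
        else:
            raise ValueError(f"unknown DACL control flag in {text!r}")
    return tuple(flags)


def parse_ace(body):
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, object_guid, inherit_guid, trustee = parts
    rights_val = int(rights, 16) if rights.lower().startswith("0x") else rights
    return Ace(ace_type, flags, rights_val, object_guid, inherit_guid, trustee)


def parse_sddl(sddl):
    m = HEADER_RE.match(sddl.replace(" ", ""))   # aclcheck printed 'D:P (' with a space
    if not m:
        raise ValueError(f"unsupported or malformed SDDL: {sddl!r}")
    aces = tuple(parse_ace(b) for b in re.findall(r"\(([^)]*)\)", m["aces"]))
    return SecurityDescriptor(m["owner"], m["group"], parse_dacl_flags(m["flags"]), aces)


def diff_descriptors(actual, expected):
    """Return [(field, actual_value, expected_value)] for every field that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for name in ("owner", "group", "dacl_flags"):
        if getattr(a, name) != getattr(e, name):
            diffs.append((name, getattr(a, name), getattr(e, name)))
    if a.aces != e.aces:
        # Report the ACEs unique to each side so an order-only difference shows as empty sets.
        diffs.append(("aces", set(a.aces) - set(e.aces), set(e.aces) - set(a.aces)))
    return diffs


if __name__ == "__main__":
    for name, got, want in diff_descriptors(ACTUAL_SDDL, EXPECTED_SDDL):
        pretty = lambda v: [DACL_FLAG_NAMES.get(x, x) for x in v] if name == "dacl_flags" else v
        print(f"{name}: found {pretty(got)}, expected {pretty(want)}")
```

Run stand-alone it reports a single difference, the DACL flags: the directory carries SE_DACL_PROTECTED plus SE_DACL_AUTO_INHERITED, the reference descriptor only SE_DACL_PROTECTED, while owner, group and all seven ACEs match, which is exactly the situation Rowland describes.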