[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)

L.P.H. van Belle belle at bazuin.nl
Wed Jun 17 03:03:26 MDT 2015


 

>-----Original Message-----
>From: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>Sent: Wednesday 17 June 2015 10:54
>To: samba at lists.samba.org
>Subject: Re: [Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)
>
>On 17/06/15 08:15, L.P.H. van Belle wrote:
>> Hai,
>>   
>> I'm running samba 4.2.2 sernet on debian.
>>   
>> when I run:
>> samba-tool gpo aclcheck -UAdministrator
>>   
>> I'm getting:
>> ERROR: Invalid GPO ACL
>> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>> and it tells me it should be
>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>   
>> the only difference : O:DAG:DAD:PAI   <>  O:DAG:DAD:P
>>   
>> the strange thing.  it complains about something.else.tld\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}
>>   
>> checked the rights.
>> getfacl \{EAF212FE-4718-4693-BD18-6B4FC8A0513A\}/
>>   
>> # file: {EAF212FE-4718-4693-BD18-6B4FC8A0513A}/
>> # owner: domain\040admins
>> # group: domain\040admins
>> user::rwx
>> user:3000002:rwx
>> user:3000003:r-x
>> user:enterprise\040admins:rwx
>> user:3000010:r-x
>> group::rwx
>> group:3000002:rwx
>> group:3000003:r-x
>> group:enterprise\040admins:rwx
>> group:domain\040admins:rwx
>> group:3000010:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:user:enterprise\040admins:rwx
>> default:user:domain\040admins:rwx
>> default:user:3000010:r-x
>> default:group::---
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:group:enterprise\040admins:rwx
>> default:group:domain\040admins:rwx
>> default:group:3000010:r-x
>> default:mask::rwx
>> default:other::---
>>
>> and on another folder
>>   getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
>> # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
>> # owner: domain\040admins
>> # group: domain\040admins
>> user::rwx
>> user:3000002:rwx
>> user:3000003:r-x
>> user:enterprise\040admins:rwx
>> user:3000010:r-x
>> group::rwx
>> group:3000002:rwx
>> group:3000003:r-x
>> group:enterprise\040admins:rwx
>> group:domain\040admins:rwx
>> group:3000010:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:user:enterprise\040admins:rwx
>> default:user:domain\040admins:rwx
>> default:user:3000010:r-x
>> default:group::---
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:group:enterprise\040admins:rwx
>> default:group:domain\040admins:rwx
>> default:group:3000010:r-x
>> default:mask::rwx
>> default:other::---
>>
>>   
>> both have same rights, but only 1 is complaining about incorrect setting..
>>   
>> And this was AFTER  running :
>> samba-tool gpo aclcheck
>> ERROR: Error connecting to 'dc1.something.else.tld' using SMB
>>
>> samba-tool gpo aclcheck -UAdministrator
>> Password for [SOMETHING\Administrator]:
>> ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on path (rotterdam.bazuin.nl\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}),
>> should be
>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>
>> did we hit a bug here? I don't see what's wrong, and all is working as it should.
>>   
>> Greetz,
>>   
>> Louis
>>   
>>   
>
>Hi Louis,
>You have run into something that has been bugging me, the ACEs are 
>correct but the owner or dacl flags are wrong, things that I think do not 
>really matter as far as windows is concerned.
>
>Have a look here: 
>https://msdn.microsoft.com/en-us/library/windows/desktop/aa379570%28v=vs.85%29.aspx
>
>And here: 
>http://www.netid.washington.edu/documentation/domains/sddl.aspx
>
>My understanding is the ACEs are the things that matter, these are what 
>come up in the security tab and who owns the file/dir doesn't really matter.
>
>Rowland
>
>

Ah.. yes, I remember, the thingy about windows to be able to set a "group" as owner/user. 

Well, as long as it works correctly,.. 

Thank you for the reply.

Greetz, 

Louis
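
An added example, not part of the original thread and not samba-tool's own code: it splits the two SDDL strings from the aclcheck error into owner, group, DACL control flags and ACEs and reports which component differs. The function names are hypothetical; the flag names are the standard SDDL DACL flags, and the two strings are the ones quoted above.

```python
import re

# SDDL DACL control flags (from the SDDL format, not from samba-tool's code).
DACL_FLAGS = {"P": "SE_DACL_PROTECTED",
              "AR": "SE_DACL_AUTO_INHERIT_REQ",
              "AI": "SE_DACL_AUTO_INHERITED"}
SID = r"(?:[A-Z]{2}|S-1-[0-9-]+)"   # two-letter alias or numeric SID
SDDL_RE = re.compile(
    rf"O:(?P<owner>{SID})G:(?P<group>{SID})"
    r"D:(?P<flags>(?:P|AR|AI)*)(?P<aces>(?:\([^()]*\))*)")

def parse_sddl(sddl):
    """Split an O:/G:/D: security descriptor string into its components."""
    m = SDDL_RE.fullmatch("".join(sddl.split()))   # drop mail line wraps
    if m is None:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^()]*)\)", m["aces"])]
    if any(len(a) != 6 for a in aces):
        raise ValueError("ACE without six ';'-separated fields")
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": set(re.findall(r"P|AR|AI", m["flags"])),
            "aces": aces}

def diff_sddl(found, expected):
    """Return {component: (found, expected)} for every part that differs."""
    a, b = parse_sddl(found), parse_sddl(expected)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def extra_flags(found, expected):
    """Names of DACL flags set in `found` but absent from `expected`."""
    extra = parse_sddl(found)["dacl_flags"] - parse_sddl(expected)["dacl_flags"]
    return [DACL_FLAGS[f] for f in sorted(extra)]

# ACE list shared by both strings reported in the thread.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FOUND = "O:DAG:DAD:PAI" + ACES      # what aclcheck read from the GPO folder
EXPECTED = "O:DAG:DAD:P" + ACES     # what aclcheck says it should be

if __name__ == "__main__":
    for part, (got, want) in diff_sddl(FOUND, EXPECTED).items():
        print(f"{part}: found {got!r}, expected {want!r}")
    print("extra flags:", extra_flags(FOUND, EXPECTED))
```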


