[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)
L.P.H. van Belle
belle at bazuin.nl
Wed Jun 17 03:03:26 MDT 2015
>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Wednesday 17 June 2015 10:54
>To: samba at lists.samba.org
>Subject: Re: [Samba] samba tool and sysvol/gpo checks
>error/bugged? ( but it all works ok)
>
>On 17/06/15 08:15, L.P.H. van Belle wrote:
>> Hai,
>>
>> I'm running Samba 4.2.2 SerNet on Debian.
>>
>> When I run:
>> samba-tool gpo aclcheck -UAdministrator
>>
>> I'm getting:
>> ERROR: Invalid GPO ACL
>> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>> and it tells me it should be
>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>
>> The only difference: O:DAG:DAD:PAI <> O:DAG:DAD:P
>>
>> The strange thing: it complains about
>> something.else.tld\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}
>>
>> Checked the rights.
>> getfacl \{EAF212FE-4718-4693-BD18-6B4FC8A0513A\}/
>>
>> # file: {EAF212FE-4718-4693-BD18-6B4FC8A0513A}/
>> # owner: domain\040admins
>> # group: domain\040admins
>> user::rwx
>> user:3000002:rwx
>> user:3000003:r-x
>> user:enterprise\040admins:rwx
>> user:3000010:r-x
>> group::rwx
>> group:3000002:rwx
>> group:3000003:r-x
>> group:enterprise\040admins:rwx
>> group:domain\040admins:rwx
>> group:3000010:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:user:enterprise\040admins:rwx
>> default:user:domain\040admins:rwx
>> default:user:3000010:r-x
>> default:group::---
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:group:enterprise\040admins:rwx
>> default:group:domain\040admins:rwx
>> default:group:3000010:r-x
>> default:mask::rwx
>> default:other::---
>>
>> And on another folder
>> getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
>> # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
>> # owner: domain\040admins
>> # group: domain\040admins
>> user::rwx
>> user:3000002:rwx
>> user:3000003:r-x
>> user:enterprise\040admins:rwx
>> user:3000010:r-x
>> group::rwx
>> group:3000002:rwx
>> group:3000003:r-x
>> group:enterprise\040admins:rwx
>> group:domain\040admins:rwx
>> group:3000010:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:user:enterprise\040admins:rwx
>> default:user:domain\040admins:rwx
>> default:user:3000010:r-x
>> default:group::---
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:group:enterprise\040admins:rwx
>> default:group:domain\040admins:rwx
>> default:group:3000010:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> Both have the same rights, but only 1 is complaining about
>> an incorrect setting.
>>
>> And this was AFTER running :
>> samba-tool gpo aclcheck
>> ERROR: Error connecting to 'dc1.something.else.tld' using SMB
>>
>> samba-tool gpo aclcheck -UAdministrator
>> Password for [SOMETHING\Administrator]:
>> ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on path (rotterdam.bazuin.nl\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}), should be O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>
>> Did we hit a bug here? I don't see what's wrong, and all is
>> working as it should.
>>
>> Greetz,
>>
>> Louis
>>
>>
>
>Hi Louis,
>You have run into something that has been bugging me: the ACEs are
>correct but the owner or DACL flags are wrong, things that I think do not
>really matter as far as Windows is concerned.
>
>Have a look here:
>https://msdn.microsoft.com/en-us/library/windows/desktop/aa379570%28v=vs.85%29.aspx
>
>And here:
>http://www.netid.washington.edu/documentation/domains/sddl.aspx
>
>My understanding is the ACEs are the things that matter, these are what
>come up in the security tab, and who owns the file/dir doesn't
>really matter.
>
>Rowland
Ah.. yes, I remember, the thingy about Windows being able to set a "group" as owner/user.
Well, as long as it works correctly...
Thank you for the reply.
Greetz,
Louis
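
Added example, not part of the original messages and not samba-tool's own code: the two SDDL strings quoted in the thread, split into owner, group, DACL control flags and ACEs so the differing component can be reported directly. It assumes the `O:`/`G:`/`D:` layout seen here (no SACL); the function and constant names are illustrative.

```python
import re

# ACE list shared by both strings in the thread (mail line wraps rejoined).
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FOUND = "O:DAG:DAD:PAI" + ACES      # reported by aclcheck as found on the path
EXPECTED = "O:DAG:DAD:P" + ACES     # what aclcheck says it should be

# SDDL DACL control flags.
DACL_FLAGS = {"P": "protected", "AR": "auto-inherit requested",
              "AI": "auto-inherited"}
ACE_FIELDS = ("type", "flags", "rights", "object_guid",
              "inherit_object_guid", "trustee")
SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)")


def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string (no SACL) into its components."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    flags = tuple(re.findall("AR|AI|P", m["flags"]))
    if "".join(flags) != m["flags"]:
        raise ValueError("unknown DACL flag in %r" % m["flags"])
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != len(ACE_FIELDS):
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(dict(zip(ACE_FIELDS, fields)))
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": flags, "aces": aces}


def diff_sddl(found, expected):
    """Return {component: (found, expected)} for components that differ."""
    a, b = parse_sddl(found), parse_sddl(expected)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for part, (got, want) in diff_sddl(FOUND, EXPECTED).items():
        print(part, "found:", got, "expected:", want)
        extra = set(got) - set(want)
        print("extra flags:", {f: DACL_FLAGS[f] for f in extra})
```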