[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)

Rowland Penny rowlandpenny at googlemail.com
Wed Jun 17 03:15:19 MDT 2015


On 17/06/15 10:03, L.P.H. van Belle wrote:
>   
>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Wednesday 17 June 2015 10:54
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)
>>
>> On 17/06/15 08:15, L.P.H. van Belle wrote:
>>> Hai,
>>>    
>>> I'm running samba 4.2.2 sernet on debian.
>>>
>>> when I run:
>>> samba-tool gpo aclcheck -UAdministrator
>>>
>>> I'm getting:
>>> ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>
>>> and it tells me it should be
>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>
>>> the only difference: O:DAG:DAD:PAI   <>  O:DAG:DAD:P
>>>
>>> the strange thing: it complains about
>>> something.else.tld\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}
>>>    
>>> checked the rights.
>>> getfacl \{EAF212FE-4718-4693-BD18-6B4FC8A0513A\}/
>>>    
>>> # file: {EAF212FE-4718-4693-BD18-6B4FC8A0513A}/
>>> # owner: domain\040admins
>>> # group: domain\040admins
>>> user::rwx
>>> user:3000002:rwx
>>> user:3000003:r-x
>>> user:enterprise\040admins:rwx
>>> user:3000010:r-x
>>> group::rwx
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> group:enterprise\040admins:rwx
>>> group:domain\040admins:rwx
>>> group:3000010:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:3000002:rwx
>>> default:user:3000003:r-x
>>> default:user:enterprise\040admins:rwx
>>> default:user:domain\040admins:rwx
>>> default:user:3000010:r-x
>>> default:group::---
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:group:enterprise\040admins:rwx
>>> default:group:domain\040admins:rwx
>>> default:group:3000010:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> and on another folder
>>> getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
>>> # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
>>> # owner: domain\040admins
>>> # group: domain\040admins
>>> user::rwx
>>> user:3000002:rwx
>>> user:3000003:r-x
>>> user:enterprise\040admins:rwx
>>> user:3000010:r-x
>>> group::rwx
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> group:enterprise\040admins:rwx
>>> group:domain\040admins:rwx
>>> group:3000010:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:3000002:rwx
>>> default:user:3000003:r-x
>>> default:user:enterprise\040admins:rwx
>>> default:user:domain\040admins:rwx
>>> default:user:3000010:r-x
>>> default:group::---
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:group:enterprise\040admins:rwx
>>> default:group:domain\040admins:rwx
>>> default:group:3000010:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>>
>>> both have the same rights, but only 1 is complaining about an incorrect setting..
>>>
>>> And this was AFTER running:
>>> samba-tool gpo aclcheck
>>> ERROR: Error connecting to 'dc1.something.else.tld' using SMB
>>>
>>> samba-tool gpo aclcheck -UAdministrator
>>> Password for [SOMETHING\Administrator]:
>>> ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on path (rotterdam.bazuin.nl\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}), should be
>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>> did we hit a bug here? I don't see what's wrong, and all is working as it should.
>>>    
>>> Greetz,
>>>    
>>> Louis
>>>    
>>>    
>> Hi Louis,
>> You have run into something that has been bugging me: the ACEs are correct but the owner or DACL flags are wrong, things that I think do not really matter as far as Windows is concerned.
>>
>> Have a look here:
>> https://msdn.microsoft.com/en-us/library/windows/desktop/aa379570%28v=vs.85%29.aspx
>>
>> And here:
>> http://www.netid.washington.edu/documentation/domains/sddl.aspx
>>
>> My understanding is the ACEs are the things that matter, these are what come up in the security tab, and who owns the file/dir doesn't really matter.
>>
>> Rowland
>>
>>
> Ah.. yes, I remember, the thing about Windows being able to set a "group" as owner/user.
>
> Well, as long as it works correctly..
>
> Thank you for the reply.
>
> Greetz,
>
> Louis
>

Well, as you have found, it is and it isn't :-)

Perhaps you could try what it says here:
https://technet.microsoft.com/en-us/library/cc816833%28v=WS.10%29.aspx

There is a link at the bottom of the page to what the default 
permissions should be.

Rowland
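To see exactly which part of the two SDDL strings aclcheck is complaining about, here is an added Python example (not from this thread and not Samba's own code) that splits each string into owner, group, DACL control flags and ACEs and diffs them component by component. The two strings are the ones quoted above; the flag descriptions follow Microsoft's SDDL documentation, and everything else in the block is constructed for the example.

```python
import re

# Constructed from the samba-tool output quoted in this thread: the ACL
# reported on the GPO directory versus the one aclcheck expects.
REPORTED = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

# DACL control flags that may precede the ACE list (per the SDDL docs).
DACL_FLAG_NAMES = {"P": "protected (inheritance from parent blocked)",
                   "AI": "auto-inherited", "AR": "auto-inherit requested"}

_HEADER = re.compile(r"^O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<dacl>.*)$")
_ACE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = _HEADER.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    dacl = m.group("dacl")
    flag_text = dacl.split("(", 1)[0]          # e.g. "PAI" or "P"
    flags = re.findall(r"AI|AR|P", flag_text)
    # Each ACE is type;flags;rights;object_guid;inherit_object_guid;trustee
    aces = [tuple(a.split(";")) for a in _ACE.findall(dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": flags, "aces": aces}


def diff_sddl(actual, expected):
    """Return {component: (actual, expected)} for each component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}


def aces_equal(actual, expected):
    """True when the ACE lists match, whatever the owner/group/flags say."""
    return parse_sddl(actual)["aces"] == parse_sddl(expected)["aces"]


if __name__ == "__main__":
    for part, (got, want) in diff_sddl(REPORTED, EXPECTED).items():
        print("%s differs: reported %r, expected %r" % (part, got, want))
        if part == "dacl_flags":
            extra = sorted(set(got) ^ set(want))
            print("  flag(s) only on one side:",
                  ", ".join("%s = %s" % (f, DACL_FLAG_NAMES[f]) for f in extra))
    print("ACEs identical:", aces_equal(REPORTED, EXPECTED))
```

Running it shows the only differing component is the DACL flag list (`AI` present on the reported ACL, absent from the expected one), while all seven ACEs are identical.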


