[Samba] permissions with samba-tool dsacl

Yosel Lazaro Vera Gonzalez ylvera at estudiantes.uci.cu
Fri Mar 20 23:18:17 MDT 2015

!! Regards !! 

I'm working on delegating permissions on Samba 4. I am currently using version 4.2, and my problem is with the samba-tool dsacl command. With this command I can add ACEs to the security descriptor of objects. The point is, how can I remove an ACE from the security descriptor? How can I deny a granted permission without adding an ACE? I need to do it this way because, by reading the security descriptor, I can know the object's permissions.
I cannot use any Windows tools.

For example, I grant a user permission to modify the members of a group in this way; this user is the admin of the group:

>> samba-tool dsacl set --objectdn="CN=test,OU=aula1,DC=dominio,DC=pdc,DC=cu" --sddl="(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3236796257-2606434236-1353340688-1106)" 

But when I remove this permission in the same way, with the same command but only changing the ACE type:

>> samba-tool dsacl set --objectdn="CN=test,OU=aula1,DC=dominio,DC=pdc,DC=cu" --sddl="(OD;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3236796257-2606434236-1353340688-1106)" 

I find both ACEs in the security descriptor, and it is a problem to find the permissions of the object.
How can I identify which ACE is active? Or how can I remove an ACE from the security descriptor?
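
The following is an added example, not part of the original message and not Samba code. It parses the ACE strings of an SDDL DACL and reports which ACE decides a given right for a given trustee. Assumptions: ACEs are evaluated in DACL order and the first matching one decides, the trustee is matched by exact SID only (no group expansion or property sets), and the two descriptors are constructed from the ACEs in the post.

```python
import re

ALLOW_TYPES = {"A", "OA"}  # access-allowed, object access-allowed
DENY_TYPES = {"D", "OD"}   # access-denied, object access-denied
ACE_RE = re.compile(r"\(([^()]*)\)")

def pairs(field):
    """Split an SDDL flags/rights field into two-letter codes (hex masks kept whole)."""
    return [field] if field.startswith("0x") else re.findall("..", field)

def parse_dacl(sddl):
    """Return the DACL's ACEs, in descriptor order, as dicts."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start)  # a SACL section, if present, ends the DACL
    dacl = sddl[start:end if end >= 0 else None]
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:  # skip conditional or malformed ACEs
            continue
        ace_type, flags, rights, obj, _inherit_obj, trustee = fields
        aces.append({"type": ace_type, "flags": pairs(flags),
                     "rights": pairs(rights), "object": obj.lower(),
                     "trustee": trustee})
    return aces

def effective(aces, trustee, right, prop_guid):
    """Return (decision, index) of the first ACE that decides `right` on `prop_guid`."""
    for pos, ace in enumerate(aces):
        if ace["trustee"] != trustee or right not in ace["rights"]:
            continue
        if "IO" in ace["flags"]:  # inherit-only: does not apply to this object
            continue
        if ace["object"] and ace["object"] != prop_guid.lower():
            continue  # object ACE scoped to a different property
        if ace["type"] in DENY_TYPES:
            return ("deny", pos)
        if ace["type"] in ALLOW_TYPES:
            return ("allow", pos)
    return (None, -1)  # no ACE matched: access is implicitly denied

# Values taken from the post; the full descriptors below are constructed.
GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
SID = "S-1-5-21-3236796257-2606434236-1353340688-1106"
ALLOW = f"(OA;;WP;{GUID};;{SID})"
DENY = f"(OD;;WP;{GUID};;{SID})"
DENY_FIRST = "O:DAG:DAD:" + DENY + ALLOW
ALLOW_FIRST = "O:DAG:DAD:" + ALLOW + DENY
```

Under these assumptions the order of the two ACEs in the stored descriptor, not the order in which they were added, determines which one takes effect.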
