[Samba] permissions with samba-tool dsacl
Yosel Lazaro Vera Gonzalez
ylvera at estudiantes.uci.cu
Fri Mar 20 23:18:17 MDT 2015
!! Regards !!
I'm working on delegating permissions on samba 4, I am currently using version 4.2, my problem is using the samba -tool dsacl command. With this command I can add ACEs to the security descriptor of objects. The point is , h ow I can remove ACE security descriptor ? , how can I do to deny a permit granted without adding an ACE. I need to do it this way because reading the security descriptor , I can know the object permissions.
I can not use any tool Window.
For example I grant permission to modify the members of a group to a user in this way, this user is the admin of the group :
>> samba-tool dsacl set --objectdn="CN=test,OU=aula1,DC=dominio,DC=pdc,DC=cu" --sddl="(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3236796257-2606434236-1353340688-1106)"
But when I remove this permission in the same way with the same command but only changing the ACE type:
>> samba-tool dsacl set --objectdn="CN=test,OU=aula1,DC=dominio,DC=pdc,DC=cu" --sddl="(OD;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3236796257-2606434236-1353340688-1106)"
I find both ACE in the security descriptor and is a problem to find the permissions of the object ,
How I can identify which ACE is active ? or How to remove an ACE security descriptor ?
More information about the samba
mailing list