[Samba] Rights issue on GPO

Achim Gottinger achim at ag-web.biz
Mon Jun 27 15:08:46 UTC 2016



On 27.06.2016 at 15:37, L.P.H. van Belle wrote:
> A good howto, for example:
>
> http://www.itingredients.com/how-to-disable-usb-ports-using-group-policy/
>
> Only I did not do this as a computer policy but as a user policy.
>
> In short,
> 1) create 2 groups:
>     USB-Allowed
>     USB-Denied
>
> 2) create 2 policy objects:
>     USB-Allowed
>     USB-Denied
>
> And set in the allow policies
> ( as shown in the link but under the user policies )
>
> 3) add the correct group to the same GPO object ( allowed with allowed, etc. )
>
> 3) link the policy objects in an OU where you can test and where the user is.
>
> 4) set the order of these policies to Allowed above the Denied.
>     Order 1 2 3 is applied as 3 2 1.
>     1 is highest, so..
>
> This is a bit like what I have ...
>
> Domain users: all external devices are denied.
> And based on group memberships :
> DVD-Read
> DVD-Write
> USB-.. . etc etc.
>
> And all these are failing.
> I noticed all security groups which are not "Authenticated Users" are failing.
>
> Which is a problem for me since all my policies are group right based.
>
> I also noticed that in my Samba 4 AD DC domain I have 4 groups in
> ForeignSecurityPrincipals (CN=ForeignSecurityPrincipals):
> S-1-5-4     ( member of: Users in CN=Builtin )
> S-1-5-11    ( member of: Users and Pre-Windows 2000... in CN=Builtin )
> S-1-5-17    ( member of: IIS_IUSRS in CN=Builtin )
> S-1-5-9     ( member of: Windows Authorization Access Group in CN=Builtin )
>
> I don't see any in ForeignSecurityPrincipals on my 2008R
Hi Louis,

I created a USB-Denied policy and granted rights to a domain group
called "USB-Denied".
In the test environment I do not assign uids and gids and completely
rely on winbindd.

Here are the ACLs. The policy applies to a normal user who is a
member of "USB-Denied".

root@dc1:~# getfacl /var/lib/samba/sysvol/domain.local/Policies/\{8C47B4C4-5084-43CB-BF32-999436E90283\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/domain.local/Policies/{8C47B4C4-5084-43CB-BF32-999436E90283}/
# owner: DOMAIN\134domain\040admins
# group: DOMAIN\134domain\040admins
user::rwx
user:3000002:rwx
user:DOMAIN\134enterprise\040admins:rwx
user:3000010:r-x
user:DOMAIN\134usb\040denied:r-x
group::rwx
group:3000002:rwx
group:DOMAIN\134enterprise\040admins:rwx
group:DOMAIN\134domain\040admins:rwx
group:3000010:r-x
group:DOMAIN\134usb\040denied:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:DOMAIN\134enterprise\040admins:rwx
default:user:DOMAIN\134domain\040admins:rwx
default:user:3000010:r-x
default:user:DOMAIN\134usb\040denied:r-x
default:group::---
default:group:3000002:rwx
default:group:DOMAIN\134enterprise\040admins:rwx
default:group:DOMAIN\134domain\040admins:rwx
default:group:3000010:r-x
default:group:DOMAIN\134usb\040denied:r-x
default:mask::rwx
default:other::---

Replicated to dc2 with

root@dc2:~# rsync -XAavz -e ssh root@dc1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

These are the ACLs on dc2.

root@dc2:~# getfacl /var/lib/samba/sysvol/domain.local/Policies/\{8C47B4C4-5084-43CB-BF32-999436E90283\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/domain.local/Policies/{8C47B4C4-5084-43CB-BF32-999436E90283}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:guest:rwx
user:enterprise\040admins:rwx
user:denied\040rodc\040password\040replication\040group:r-x
user:usb\040denied:r-x
group::rwx
group:guest:rwx
group:domain\040admins:rwx
group:enterprise\040admins:rwx
group:denied\040rodc\040password\040replication\040group:r-x
group:usb\040denied:r-x
mask::rwx
other::---
default:user::rwx
default:user:guest:rwx
default:user:domain\040admins:rwx
default:user:enterprise\040admins:rwx
default:user:denied\040rodc\040password\040replication\040group:r-x
default:user:usb\040denied:r-x
default:group::---
default:group:guest:rwx
default:group:domain\040admins:rwx
default:group:enterprise\040admins:rwx
default:group:denied\040rodc\040password\040replication\040group:r-x
default:group:usb\040denied:r-x
default:mask::rwx
default:other::---

In this case the gid 3000002 is mapped to the "Guest" group on dc2 and
30000010 to "denied rodc password replication group".
As a normal user I can not access sysvol on dc2 because the mapping for
/var/lib/samba/sysvol/domain.local is messed up (no Authenticated Users
ACL).

root@dc2:~# getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:guest:rwx
group:domain\040guests:r-x
group:BUILTIN\134server\040operators:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:guest:rwx
default:group:domain\040guests:r-x
default:group:BUILTIN\134server\040operators:r-x
default:mask::rwx
default:other::---

achim~
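Added example, not code from the thread or from Samba: a small Python script that parses two getfacl dumps like the ones above and reports the kind of drift shown here, where rsync -XA carried the numeric IDs 3000002 and 3000010 to dc2 and dc2's own idmap resolved them to "guest" and "denied rodc password replication group", leaving Guest with rwx on a GPO directory. The sample dumps are constructed from the output above and abbreviated (default: entries dropped); the prefix-stripping rule in principal_key and the LOW_PRIV watchlist are my assumptions.

```python
"""Compare one sysvol GPO directory's POSIX ACL on two Samba DCs.

rsync -XA copies ACL entries by numeric ID, so an ID winbind allocated on
dc1 is re-interpreted through dc2's own idmap and may land on a completely
different principal.  Added example, not Samba code.
"""
import re

OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

# Constructed samples, abbreviated from the dumps in the thread (default:
# entries omitted).  \134 is getfacl's escape for '\', \040 for a space.
DC1_ACL = r"""
# owner: DOMAIN\134domain\040admins
# group: DOMAIN\134domain\040admins
user::rwx
user:3000002:rwx
user:DOMAIN\134enterprise\040admins:rwx
user:3000010:r-x
user:DOMAIN\134usb\040denied:r-x
group::rwx
group:3000002:rwx
group:DOMAIN\134enterprise\040admins:rwx
group:DOMAIN\134domain\040admins:rwx
group:3000010:r-x
group:DOMAIN\134usb\040denied:r-x
mask::rwx
other::---
"""
DC2_ACL = r"""
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:guest:rwx
user:enterprise\040admins:rwx
user:denied\040rodc\040password\040replication\040group:r-x
user:usb\040denied:r-x
group::rwx
group:guest:rwx
group:domain\040admins:rwx
group:enterprise\040admins:rwx
group:denied\040rodc\040password\040replication\040group:r-x
group:usb\040denied:r-x
mask::rwx
other::---
"""
# Constructed watchlist: principals that must never be able to write a GPO.
LOW_PRIV = {"guest", "domain guests", "nobody"}


def unescape(name):
    """Decode getfacl's \\NNN octal escapes (\\134 is a backslash, \\040 a space)."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Map (scope, tag, qualifier) -> perms for one getfacl block.

    scope is 'access' or 'default'; qualifier is '' for the owner, owning
    group, mask and other entries, otherwise the decoded name, or a bare
    number when the dumping DC could not resolve the ID.
    """
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # '# owner:' / '# group:' headers
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        acl[(scope, tag, unescape(qualifier))] = perms
    return acl


def principal_key(qualifier):
    """Normalise a name so 'DOMAIN\\usb denied' (dc1) and 'usb denied' (dc2)
    compare equal.  Assumption: a non-BUILTIN prefix is only the local
    domain's display form, not a different object."""
    if "\\" in qualifier and not qualifier.upper().startswith("BUILTIN\\"):
        qualifier = qualifier.split("\\", 1)[1]
    return qualifier.lower()


def compare_acls(src, dst):
    """Return human-readable findings about how dst deviates from src."""
    def index(acl):
        return {(s, t, principal_key(q)): (q, p) for (s, t, q), p in acl.items()}

    s, d = index(src), index(dst)
    findings = []
    for (scope, tag, _), (qual, perms) in s.items():
        if qual.isdigit():   # rsync ships the number; dst's idmap decides who it is
            findings.append(f"unresolved numeric ID on source: {scope} {tag} "
                            f"{qual} has {perms}")
    for key, (qual, perms) in d.items():
        scope, tag, name = key
        if key not in s:
            findings.append(f"dest-only entry: {scope} {tag} '{qual}' has {perms}")
        elif s[key][1] != perms:
            findings.append(f"perms differ for {scope} {tag} '{qual}': "
                            f"{s[key][1]} on source, {perms} on dest")
        if "w" in perms and name in LOW_PRIV:
            findings.append(f"LOW-PRIVILEGE WRITE: {scope} {tag} '{qual}' has {perms}")
    for key, (qual, perms) in s.items():
        if key not in d and not qual.isdigit():
            findings.append(f"source-only entry: {key[0]} {key[1]} '{qual}' has {perms}")
    return findings


if __name__ == "__main__":
    for finding in compare_acls(parse_getfacl(DC1_ACL), parse_getfacl(DC2_ACL)):
        print(finding)
```

Run against real DCs by feeding it `getfacl -R` output from each side; any "unresolved numeric ID" on the source is the warning sign that the rsync copy will be reinterpreted, and a "LOW-PRIVILEGE WRITE" on the destination is the condition to fix before clients pull the GPO.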





