[Samba] Rights issue on GPO
Achim Gottinger
achim at ag-web.biz
Mon Jun 27 15:08:46 UTC 2016
On 27.06.2016 at 15:37, L.P.H. van Belle wrote:
> A good howto, for example.
>
> http://www.itingredients.com/how-to-disable-usb-ports-using-group-policy/
>
> Only I did not do this as a computer policy but as a user policy.
>
> In short,
> 1) create 2 groups:
> USB-Allowed
> USB-Denied
>
> 2) create 2 policies objects,
> USB-Allowed
> USB-Denied
>
> And set in the allow policies
> ( as shown in the link but under the user policies )
>
> 3) add the correct group to the same GPO object. ( allowed with allowed , etc )
>
> 4) link the policy objects in an OU where you can test and where the user is.
>
> 5) set the order of these policies to Allowed above the Denied.
> Order 1 2 3 is applied as 3 2 1.
> 1 is highest, so..
>
> This is a bit like what I have ...
>
> Domain users: all external devices are denied.
> And based on group memberships :
> DVD-Read
> DVD-Write
> USB-.. . etc etc.
>
> And all these are failing.
> I noticed all security groups which are not "Authenticated Users" are failing.
>
> Which is a problem for me since all my policies are group right based.
>
> I also noticed that in my Samba 4 AD DC domain I have 4 groups in
> "ForeignSecurityPrincipals" (CN=ForeignSecurityPrincipals):
> S-1-5-4 ( member of : Users in CN=Builtin )
> S-1-5-11 ( member of : Users and Pre-Windows 2000... ) in CN=Builtin
> S-1-5-17 ( member of : IIS_IUSRS ) in CN=Builtin
> S-1-5-9 ( member of : Windows Authorization Access Group ) in CN=Builtin
>
> I don't see any in ForeignSecurityPrincipals on my 2008R
Hi Louis,
I created a USB-Denied policy and granted rights to a domain group
called "USB-Denied".
In the test environment I do not assign uids and gids and rely
completely on winbindd.
Here are the ACLs. The policy applies to a normal user who is a
member of "USB-Denied".
root@dc1:~# getfacl /var/lib/samba/sysvol/domain.local/Policies/\{8C47B4C4-5084-43CB-BF32-999436E90283\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/domain.local/Policies/{8C47B4C4-5084-43CB-BF32-999436E90283}/
# owner: DOMAIN\134domain\040admins
# group: DOMAIN\134domain\040admins
user::rwx
user:3000002:rwx
user:DOMAIN\134enterprise\040admins:rwx
user:3000010:r-x
user:DOMAIN\134usb\040denied:r-x
group::rwx
group:3000002:rwx
group:DOMAIN\134enterprise\040admins:rwx
group:DOMAIN\134domain\040admins:rwx
group:3000010:r-x
group:DOMAIN\134usb\040denied:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:DOMAIN\134enterprise\040admins:rwx
default:user:DOMAIN\134domain\040admins:rwx
default:user:3000010:r-x
default:user:DOMAIN\134usb\040denied:r-x
default:group::---
default:group:3000002:rwx
default:group:DOMAIN\134enterprise\040admins:rwx
default:group:DOMAIN\134domain\040admins:rwx
default:group:3000010:r-x
default:group:DOMAIN\134usb\040denied:r-x
default:mask::rwx
default:other::---
Replicated to dc2 with
root@dc2:~# rsync -XAavz -e ssh root@dc1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
These are the ACLs on dc2.
root@dc2:~# getfacl /var/lib/samba/sysvol/domain.local/Policies/\{8C47B4C4-5084-43CB-BF32-999436E90283\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/domain.local/Policies/{8C47B4C4-5084-43CB-BF32-999436E90283}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:guest:rwx
user:enterprise\040admins:rwx
user:denied\040rodc\040password\040replication\040group:r-x
user:usb\040denied:r-x
group::rwx
group:guest:rwx
group:domain\040admins:rwx
group:enterprise\040admins:rwx
group:denied\040rodc\040password\040replication\040group:r-x
group:usb\040denied:r-x
mask::rwx
other::---
default:user::rwx
default:user:guest:rwx
default:user:domain\040admins:rwx
default:user:enterprise\040admins:rwx
default:user:denied\040rodc\040password\040replication\040group:r-x
default:user:usb\040denied:r-x
default:group::---
default:group:guest:rwx
default:group:domain\040admins:rwx
default:group:enterprise\040admins:rwx
default:group:denied\040rodc\040password\040replication\040group:r-x
default:group:usb\040denied:r-x
default:mask::rwx
default:other::---
In this case the gid 3000002 is mapped to the "Guest" group on dc2 and
30000010 to "denied rodc password replication group".
As a normal user I cannot access sysvol on dc2 because the mapping of
/var/lib/samba/sysvol/domain.local is messed up (no Authenticated Users
ACL).
root@dc2:~# getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:guest:rwx
group:domain\040guests:r-x
group:BUILTIN\134server\040operators:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:guest:rwx
default:group:domain\040guests:r-x
default:group:BUILTIN\134server\040operators:r-x
default:mask::rwx
default:other::---
achim~
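An added example (my own script, not code from Achim's or Louis's message): it parses the two getfacl listings above, decodes getfacl's octal escapes (\040 is a space, \134 a backslash), strips the DOMAIN\ prefix so dc1's "DOMAIN\usb denied" lines up with dc2's "usb denied", and then reports what does not correspond between the two DCs: uid/gid qualifiers that are still raw numbers (ids winbindd could not name on that host), entries present on one DC only, and permission mismatches. The sample listings are abbreviated from the dc1/dc2 output in the message; the point it makes visible is the one the listings already show, that the numeric 3000002/3000010 entries on dc1 turned into "guest" and "denied rodc password replication group" on dc2 because each DC resolves the number through its own idmap.

```python
import re

# getfacl escapes non-printable characters as a backslash and three octal digits.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(name):
    r"""Decode getfacl octal escapes: 'domain\040admins' -> 'domain admins'."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), name)


def normalize_name(name):
    r"""Drop a leading 'DOMAIN\' (or 'BUILTIN\') prefix and fold case, so names
    that winbindd renders differently on the two DCs still compare equal."""
    return name.rsplit("\\", 1)[-1].lower()


def parse_getfacl(text):
    """Parse one getfacl listing into {(is_default, tag, qualifier): perms}.

    'default:group:domain\\040admins:r-x' becomes
    {(True, 'group', 'domain admins'): 'r-x'}. Comment lines, the shell
    prompt and getfacl's "Removing leading '/'" warning are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in ("user", "group", "mask", "other"):
            continue  # not an ACL entry
        tag, qualifier, perms = parts
        entries[(is_default, tag, normalize_name(unescape(qualifier)))] = perms
    return entries


def numeric_qualifiers(entries):
    """uid/gid qualifiers that are still numbers: ids with no name on this host.

    The other DC resolves such an id through its own idmap, which is how
    3000002 on dc1 showed up as 'guest' on dc2 in the listings above.
    """
    return sorted({q for (_d, tag, q) in entries
                   if tag in ("user", "group") and q.isdigit()})


def compare_acls(left, right, left_name="dc1", right_name="dc2"):
    """Return human-readable findings for two parsed listings."""
    findings = []
    for host, entries in ((left_name, left), (right_name, right)):
        for q in numeric_qualifiers(entries):
            findings.append(f"{host}: unresolved numeric id {q} in ACL")
    for key in sorted(set(left) | set(right)):
        is_default, tag, q = key
        label = ("default:" if is_default else "") + f"{tag}:{q}"
        if key not in right:
            findings.append(f"{label}: only on {left_name} ({left[key]})")
        elif key not in left:
            findings.append(f"{label}: only on {right_name} ({right[key]})")
        elif left[key] != right[key]:
            findings.append(f"{label}: {left_name}={left[key]} {right_name}={right[key]}")
    return findings


# Sample input, abbreviated from the dc1 listing in the message (raw string keeps the escapes).
DC1_LISTING = r"""
root@dc1:~# getfacl /var/lib/samba/sysvol/domain.local/Policies/\{8C47B4C4-5084-43CB-BF32-999436E90283\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/domain.local/Policies/{8C47B4C4-5084-43CB-BF32-999436E90283}/
# owner: DOMAIN\134domain\040admins
user::rwx
user:3000002:rwx
user:DOMAIN\134enterprise\040admins:rwx
user:3000010:r-x
user:DOMAIN\134usb\040denied:r-x
group::rwx
group:3000002:rwx
group:DOMAIN\134domain\040admins:rwx
mask::rwx
other::---
default:group:3000010:r-x
"""

# Sample input, abbreviated from the dc2 listing in the message.
DC2_LISTING = r"""
# file: var/lib/samba/sysvol/domain.local/Policies/{8C47B4C4-5084-43CB-BF32-999436E90283}/
# owner: domain\040admins
user::rwx
user:guest:rwx
user:enterprise\040admins:rwx
user:denied\040rodc\040password\040replication\040group:r-x
user:usb\040denied:r-x
group::rwx
group:guest:rwx
group:domain\040admins:rwx
mask::rwx
other::---
default:group:denied\040rodc\040password\040replication\040group:r-x
"""


def sysvol_findings():
    """Run the comparison on the embedded sample listings."""
    return compare_acls(parse_getfacl(DC1_LISTING), parse_getfacl(DC2_LISTING))


if __name__ == "__main__":
    for line in sysvol_findings():
        print(line)
```

To use it on real DCs, capture `getfacl -R /var/lib/samba/sysvol` on each host and feed the two outputs to parse_getfacl; any "unresolved numeric id" finding on the sending side is an entry that rsync can only transfer by number, so it is worth fixing the idmap (or the entry) before replicating.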