[Samba] Error with "samba-tool ntacl get --as-sddl"
Miguel Medalha
medalist at sapo.pt
Wed May 18 18:59:10 UTC 2016
> Hi, this is because when you use '--as-sddl', the python code does this:
>
>     if as_sddl:
>         try:
>             domain_sid = security.dom_sid(samdb.domain_sid)
>         except:
>             raise CommandError("Unable to read domain SID from configuration files")
>         self.outf.write(acl.as_sddl(domain_sid)+"\n")
>
> Or to put it in English, it tries to get the Domain SID from sam.ldb
> and this doesn't exist on a member server.
>
And yet the member server "knows" what the Domain SID is (as shown by
"net getdomainsid"). Isn't a file server exactly the place where setting
ACEs using the sddl format would be the most useful? Can this limitation
be removed or was it "by design"?

It seems to me that with acl_xattr offering complete Windows ACLs the
situation is now mature enough and demands a proper tool for setting
Windows ACLs from a *nix command line. This would greatly facilitate the
life of those who maintain remote servers through ssh. A tool similar to
icacls or SetACL in the Windows world.
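
Added illustration (not part of the original message and not Samba's code): in SDDL, aliases such as DA or DU are domain-relative, so an encoder can only emit them when it is given the domain SID, which is the argument `as_sddl()` receives in the quoted snippet. The sketch below parses the domain SID from `net getdomainsid`-style output and encodes an ACE trustee with and without it; the sample output, SIDs and function names are constructed for the example.

```python
import re

# Constructed sample of `net getdomainsid` output on a member server.
SAMPLE_NET_OUTPUT = """\
SID for local machine FS1 is: S-1-5-21-2000000001-2000000002-2000000003
SID for domain EXAMPLE is: S-1-5-21-1000000001-1000000002-1000000003
"""

# SDDL aliases that are relative to the domain SID, keyed by RID.
DOMAIN_ALIASES = {512: "DA", 513: "DU", 514: "DG", 515: "DC", 516: "DD"}
# SDDL aliases for fixed well-known SIDs; these need no domain SID.
FIXED_ALIASES = {"S-1-1-0": "WD", "S-1-5-11": "AU",
                 "S-1-5-18": "SY", "S-1-5-32-544": "BA"}

DOMAIN_LINE = re.compile(r"SID for domain \S+ is: (S-1-5-21(?:-\d+){3})\s*$")


def parse_domain_sid(net_output):
    """Return the domain SID from `net getdomainsid` output."""
    for line in net_output.splitlines():
        match = DOMAIN_LINE.match(line)
        if match:
            return match.group(1)
    raise ValueError("no domain SID line found")


def sid_to_sddl(sid, domain_sid=None):
    """Encode a SID as an SDDL trustee, using an alias when one applies."""
    if sid in FIXED_ALIASES:
        return FIXED_ALIASES[sid]
    if domain_sid and sid.startswith(domain_sid + "-"):
        rid = sid[len(domain_sid) + 1:]
        if rid.isdigit() and int(rid) in DOMAIN_ALIASES:
            return DOMAIN_ALIASES[int(rid)]
    # Without a matching domain SID the full SID string is still valid SDDL.
    return sid


def ace_to_sddl(ace_type, flags, rights, sid, domain_sid=None):
    """Build one SDDL ACE string: (type;flags;rights;;;trustee)."""
    trustee = sid_to_sddl(sid, domain_sid)
    return "(%s;%s;%s;;;%s)" % (ace_type, flags, rights, trustee)


if __name__ == "__main__":
    dom = parse_domain_sid(SAMPLE_NET_OUTPUT)
    print(ace_to_sddl("A", "OICI", "FA", dom + "-512", dom))
    print(ace_to_sddl("A", "OICI", "FA", dom + "-512"))
```
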