[Samba] Error with "samba-tool ntacl get --as-sddl"
rpenny at samba.org
Wed May 18 19:28:09 UTC 2016
On 18/05/16 19:59, Miguel Medalha wrote:
>> Hi, this is because when you use '--as-sddl', the python code does this:
>> if as_sddl:
>> domain_sid = security.dom_sid(samdb.domain_sid)
>> raise CommandError("Unable to read domain SID from
>> configuration files")
>> Or to put it in English, it tries to get the Domain SID from sam.ldb
>> and this doesn't exist on a member server.
> And yet the member server "knows" what the Domain SID is (as shown by
> "net getdomainsid"). Isn't a file server exactly the place where
> setting ACEs using the sddl format would be the most useful? Can this
> limitation be removed or was it "by design"?
I think that when the command was written, it was expected to be only
run on a DC, don't forget 3.6 was still being produced then.
Can it be made to work on a domain member, probably yes, the command
just needs to be able to connect to a DC to get the domain SID, or
another way found to get the SID. If you understand python, you could
always provide a patch yourself.
> It seems to me that with acl_xattr offering complete Windows ACLs the
> situation is now mature enough and demands a proper tool for setting
> Windows ACLs from a *nix command line. This would greatly facilitate
> the life of those who maintain remote servers through ssh. A tool
> similar to icacls or SetACL in the Windows world.
More information about the samba