[Samba] Adding Share Windows ACL
Rowland Penny
rpenny at samba.org
Fri Jan 26 10:22:52 UTC 2018
On Fri, 26 Jan 2018 10:50:48 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> I don't agree..
> > Yes, Domain Admins needs to be a Unix group.
> I agree on this one.
>
> > No, because if Domain Admins is a Unix group, it cannot own GPOs in
> > sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
> > Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a
> > user.
> Not totally.. IMO.
This is an SDDL of a GPO in sysvol:
O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
The important part is at the start:
O:DAG:DAD:
O = owner
G = group
DA = Domain Admins
The only way this can occur on a Unix DC is if Domain Admins doesn't
have a gidNumber attribute.
> Only one BEWARE !!
> If you change to ignore systemacls, you MUST RE-APPLY ALL SHARE AND
> SECURITY SETTINGS AGAIN! And for sysvol, set it and forget it, don't
> run samba-tool sysvolreset !
>
Yes, do not run sysvolreset, but not because of this problem; it is
because the underlying 'C' code doesn't set the ACLs correctly, see:
https://bugzilla.samba.org/show_bug.cgi?id=12924
Rowland
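As an added example (not part of the thread, not Samba's own code), a small Python parser that splits the SDDL string quoted above into owner, group, DACL flags and ACEs, so the "O:DA G:DA" point can be checked mechanically on any descriptor pulled from sysvol. The SID alias table is an assumed subset covering only the aliases that appear in that descriptor.

```python
import re

# SDDL string quoted in the message above (constructed sample input for this example).
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)"
    "(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"
    "(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)"
)

# Well-known two-letter SDDL aliases (assumed subset; only those in the sample above).
SID_ALIASES = {
    "DA": "Domain Admins", "SY": "Local System", "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers", "CO": "Creator Owner",
}

# O: owner, G: group, D: DACL, S: SACL; each runs until the next section marker.
SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")
ACE_FIELDS = ("type", "flags", "rights", "object_type", "inherited_object_type", "trustee")


def resolve_sid(sid):
    """Translate a two-letter alias to a name; pass literal S-1-... SIDs through unchanged."""
    return SID_ALIASES.get(sid, sid)


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE dicts."""
    sections = dict(SECTION_RE.findall(sddl))
    dacl = sections.get("D", "")
    flags = dacl.split("(", 1)[0]  # e.g. "PAI": protected + auto-inherited
    aces = []
    for body in ACE_RE.findall(dacl):
        ace = dict(zip(ACE_FIELDS, body.split(";")))  # six ';'-separated fields
        ace["trustee"] = resolve_sid(ace["trustee"])
        aces.append(ace)
    return {
        "owner": resolve_sid(sections.get("O", "")),
        "group": resolve_sid(sections.get("G", "")),
        "dacl_flags": flags,
        "aces": aces,
    }


def full_control_trustees(sddl):
    """Trustees granted Full Access (FA) by an allow ACE: who can rewrite this GPO."""
    return [a["trustee"] for a in parse_sddl(sddl)["aces"]
            if a["type"] == "A" and a["rights"] == "FA"]


if __name__ == "__main__":
    parsed = parse_sddl(SAMPLE_SDDL)
    print("owner:", parsed["owner"], "| group:", parsed["group"])
    print("full control:", full_control_trustees(SAMPLE_SDDL))
```

The unresolved S-1-5-21-...-519 entry in the result is the domain SID with RID 519, which is the Enterprise Admins group.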