[Samba] "missing security tab" and related ACL issues
Rowland Penny
rpenny at samba.org
Fri Sep 7 14:20:16 UTC 2018
On Fri, 7 Sep 2018 15:36:15 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 07.09.18 at 15:25, Rowland Penny via samba wrote:
>
> > From what you have posted it doesn't, but when you do get them
> > working, you need to understand that EA's and ACL's can work
> > together or independently.
> > If 'acl_xattr:ignore system acls = yes' is set, they work
> > independently, if it isn't, they work together, see 'man
> > vfs_acl_xattr' for more info.
>
> Ok, I will try to remember, so far I have other non-samba issues, see
> below.
>
> >> ?? no "domänen-admins" in here
>
> > We need to find if the group has actually disappeared.
> >
> > Run this on a DC:
> >
> > ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator
> >
> > Replace 'dc3' with the DC's name.
> >
> > It should display the Domain Admins object
>
> The DC there is a windows server ...
>
> I think: no ->
>
> # ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)' -UAdministrator
>
> [..]
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
I wonder if someone (for whatever reason) has renamed Domain Admins?

Create a script 'get_admins.sh'
Containing this:

#!/bin/bash
# Usage: get_admins.sh DC PASSWORD WORKGROUP
DC=$1
PASS=$2
DOM=$3

# Look up the domain object and keep only its SID
DOMSID=$(ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
    "(&(objectclass=domain)(name=$DOM))" objectSid | grep objectSid | \
    awk '{print $NF}')

# Search for the object whose SID is the domain SID plus RID 512
ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
    "(objectSid=${DOMSID}-512)"

exit 0

Run it like this:

bash ./get_admins.sh DC PASSWORD WORKGROUP

Replace:
DC with your DC's hostname
PASSWORD with your Administrator password
WORKGROUP with your lowercase workgroup name

If the SID-512 exists, it will display the object for that objectSid.

Rowland
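
Added example (not part of the original message and not Samba project code): the script above builds its second filter from whatever the first search printed, so a referrals-only result like the one quoted in this thread would produce "(objectSid=-512)". This sketch checks the ldbsearch output before composing the RID 512 filter; the function names and both sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: validate ldbsearch output before building the RID 512 filter.
# All sample output below is constructed (example.com, made-up SID).

SAMPLE_OK='# record 1
dn: DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333

# Referral
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# returned 2 records
# 1 entries
# 1 referrals'

# Referrals only, no entries: the shape of the result quoted in the thread.
SAMPLE_EMPTY='# returned 3 records
# 0 entries
# 3 referrals'

# entry_count: read ldbsearch output on stdin, print N from "# N entries".
entry_count() {
    awk '/^# [0-9]+ entries$/ { n = $2 } END { print n + 0 }'
}

# domain_sid: print the first objectSid if it has the S-1-5-21-a-b-c form;
# exit status is non-zero when there is none.
domain_sid() {
    awk '$1 == "objectSid:" { print $2; exit }' |
        grep -E '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# admins_filter: print the LDAP filter for <domain SID>-512, or fail rather
# than emit "(objectSid=-512)". Body runs in a subshell to keep variables local.
admins_filter() (
    out=$1
    [ "$(printf '%s\n' "$out" | entry_count)" -ge 1 ] || {
        echo "no entries returned (referrals only?)" >&2; exit 1; }
    sid=$(printf '%s\n' "$out" | domain_sid) || {
        echo "no usable objectSid in output" >&2; exit 1; }
    printf '(objectSid=%s-512)\n' "$sid"
)

admins_filter "$SAMPLE_OK"
admins_filter "$SAMPLE_EMPTY" || echo "lookup failed, not running second search"
```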