[Samba] "missing security tab" and related ACL issues

[Rowland Penny]

On Fri, 7 Sep 2018 15:36:15 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 07.09.18 um 15:25 schrieb Rowland Penny via samba:
> 
> >  From what you have posted it doesn't, but when you do get then
> > working, you need to understand that EA's and ACL's can work
> > together or independently.
> > If 'acl_xattr:ignore system acls = yes' is set, they work
> > independently, if it isn't, they work together, see 'man
> > vfs_acl_xattr' for more info.
> 
> Ok, I will try to remember, so far I have other non-samba issues, see
> below.
> 
> >> ?? no "domänen-admins" in here
> 
> > We need to find if the group has actually disappeared.
> > 
> > Run this on a DC:
> > 
> > ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)'
> > -UAdministrator
> > 
> > Replace 'dc3' with the DC's name.
> > 
> > It should display the Domain Admins object
> 
> The DC there is a windows server ...
> 
> I think: no ->
> 
> # ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)'
> -UAdministrator
> 
> [..]
> 
> # returned 3 records
> # 0 entries
> # 3 referrals
> 

I wonder if someone (for whatever reason) has renamed Domain Admins ?

Create a script 'get_admins.sh'

Containing this:

#!/bin/bash

DC=$1
PASS=$2
DOM=$3

DOMSID=$(ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
         "(&(objectclass=domain)(name=$DOM))" objectSid | grep objectSid | \
         awk '{print $NF}')

ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
"(objectSid=${DOMSID}-512)"

exit 0

Run it like this: 

bash ./get_admins.sh DC PASSWORD WORKGROUP

Replace:
DC with your DC's hostname

PASSWORD with your Administrator password

WORKGROUP with your lowercase workgroup name

If the SID-512 exists, it will display the object for that objectSid.

Rowland