[Samba] "missing security tab" and related ACL issues

Stefan G. Weichinger lists at xunil.at
Fri Sep 7 17:09:37 UTC 2018


On 07.09.18 at 16:20, Rowland Penny via samba wrote:
> On Fri, 7 Sep 2018 15:36:15 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
>> On 07.09.18 at 15:25, Rowland Penny via samba wrote:
>>
>>> From what you have posted it doesn't, but when you do get them
>>> working, you need to understand that EAs and ACLs can work
>>> together or independently.
>>> If 'acl_xattr:ignore system acls = yes' is set, they work
>>> independently, if it isn't, they work together, see 'man
>>> vfs_acl_xattr' for more info.
>>
>> Ok, I will try to remember, so far I have other non-samba issues, see
>> below.
>>
>>>> ?? no "domänen-admins" in here
>>
>>> We need to find if the group has actually disappeared.
>>>
>>> Run this on a DC:
>>>
>>> ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator
>>>
>>> Replace 'dc3' with the DC's name.
>>>
>>> It should display the Domain Admins object
>>
>> The DC there is a windows server ...
>>
>> I think: no ->
>>
>> # ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)' -UAdministrator
>>
>> [..]
>>
>> # returned 3 records
>> # 0 entries
>> # 3 referrals
>>
> 
> I wonder if someone (for whatever reason) has renamed Domain Admins?
> 
> Create a script 'get_admins.sh'
> 
> Containing this:
> 
> #!/bin/bash
> 
> DC=$1
> PASS=$2
> DOM=$3
> 
> DOMSID=$(ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
>           "(&(objectclass=domain)(name=$DOM))" objectSid | grep objectSid | \
>           awk '{print $NF}')
> 
> ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
> "(objectSid=${DOMSID}-512)"
> 
> exit 0
> 
> Run it like this:
> 
> bash ./get_admins.sh DC PASSWORD WORKGROUP
> 
> Replace:
> DC with your DC's hostname
> 
> PASSWORD with your Administrator password
> 
> WORKGROUP with your lowercase workgroup name
> 
> If the SID-512 exists, it will display the object for that objectSid.

yep, thanks.

I get


# record 1
dn: CN=Domänen-Admins,CN=Users,DC=mydomain,DC=intra
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
description:: QWRtaW5pc3RyYXRvcmVuIGRlciBEb23DpG5l
member: CN=MI,CN=Users,DC=mydomain,DC=intra
member: CN=Administrator,CN=Users,DC=mydomain,DC=intra
distinguishedName:: Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPW5vcmFzLERDPWludHJh
instanceType: 4
whenCreated: 20130218123437.0Z
whenChanged: 20180507150906.0Z
uSNCreated: 12345
memberOf: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=mydomain,DC=intra
memberOf: CN=Administratoren,CN=Builtin,DC=mydomain,DC=intra
uSNChanged: 55909177
name:: RG9tw6RuZW4tQWRtaW5z
objectGUID: 7e533ce7-d6e6-47c4-baf2-0730b2e6f580
objectSid: S-1-5-21-2034248556-467506829-2175355384-512
adminCount: 1
sAMAccountName:: RG9tw6RuZW4tQWRtaW5z
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=intra
isCriticalSystemObject: TRUE
dSCorePropagationData: 20171116130219.0Z
dSCorePropagationData: 20130516110155.0Z
dSCorePropagationData: 20130516103841.0Z
dSCorePropagationData: 20130218133156.0Z
dSCorePropagationData: 16010101000000.0Z

But

# net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U "mydomain\administrator"

fails

also for "mydomain\Domänen-Admins"
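The record above shows why the name-based lookup found nothing: on a German-localized AD the group is called "Domänen-Admins", and ldbsearch prints that non-ASCII value base64-encoded (the `::` separator), while the objectSid still ends in the well-known RID 512. The following Python script is an added example, not code from this thread or from Samba; it parses an ldbsearch record (comments, blank-line record separators, folded continuation lines and `::` base64 values), decodes the localized names and identifies the group by RID the same way get_admins.sh does with the domain SID. The sample record is constructed from the output quoted above, with the distinguishedName folded as LDIF folds it (a continuation line beginning with one space); the domain components are placeholders.

```python
"""Identify the Domain Admins group in ldbsearch output by its well-known
RID (512) rather than by its localized name.  Added example, not code from
the samba thread or from Samba itself; the sample record is constructed."""
import base64
import re

# Constructed sample: a trimmed ldbsearch record from a German-localized AD.
# The long base64 distinguishedName is folded in LDIF style (continuation
# line starts with a single space), which the parser must re-join.
SAMPLE_LDIF = """\
# record 1
dn: CN=Domänen-Admins,CN=Users,DC=mydomain,DC=intra
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
description:: QWRtaW5pc3RyYXRvcmVuIGRlciBEb23DpG5l
member: CN=MI,CN=Users,DC=mydomain,DC=intra
member: CN=Administrator,CN=Users,DC=mydomain,DC=intra
distinguishedName:: Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPW15ZG9tYWluLERDPWludH
 Jh
objectSid: S-1-5-21-2034248556-467506829-2175355384-512
sAMAccountName:: RG9tw6RuZW4tQWRtaW5z
adminCount: 1

# returned 1 records
"""

# Well-known RIDs: AD assigns these regardless of the display language,
# so they are the stable handle for the privileged groups.
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# attribute name, ':' or '::' separator, optional whitespace, value
_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")


def unfold(text):
    """Join LDIF continuation lines: a line beginning with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldbsearch/LDIF text into a list of {attribute: [values]} dicts.

    '#' lines are comments and a blank line ends a record.  A '::' separator
    marks a base64 value, which ldb uses for non-ASCII strings such as 'ä'.
    """
    records, current = [], {}
    for line in unfold(text):
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        match = _ATTR_RE.match(line)
        if not match:
            raise ValueError(f"unparseable LDIF line: {line!r}")
        attr, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID as int)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def domain_admins_sid(domain_sid):
    """Build the Domain Admins SID the way get_admins.sh does: domain SID + '-512'."""
    return f"{domain_sid}-512"


def identify_group(record):
    """Return (decoded sAMAccountName, well-known role or None) for one group record."""
    name = record["sAMAccountName"][0]
    _, rid = split_sid(record["objectSid"][0])
    return name, WELL_KNOWN_RIDS.get(rid)


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        name, role = identify_group(rec)
        print(f"{name!r}: RID {split_sid(rec['objectSid'][0])[1]} -> {role}")
```

Feed it real output by piping `ldbsearch ... "(objectSid=${DOMSID}-512)"` into `parse_ldif`; note that it expects genuine LDIF folding, not the extra line wrapping a mail client adds, so copy output from a terminal or a file rather than from a quoted message.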
