[Samba] "missing security tab" and related ACL issues

Rowland Penny rpenny at samba.org
Fri Sep 7 18:07:44 UTC 2018


On Fri, 7 Sep 2018 19:09:37 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 07.09.18 at 16:20, Rowland Penny via samba wrote:
> > On Fri, 7 Sep 2018 15:36:15 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> > 
> >> On 07.09.18 at 15:25, Rowland Penny via samba wrote:
> >>
> >>> From what you have posted it doesn't, but when you do get them
> >>> working, you need to understand that EAs and ACLs can work
> >>> together or independently.
> >>> If 'acl_xattr:ignore system acls = yes' is set, they work
> >>> independently; if it isn't, they work together. See 'man
> >>> vfs_acl_xattr' for more info.
> >>
> >> Ok, I will try to remember, so far I have other non-samba issues,
> >> see below.
> >>
> >>>> ?? no "domänen-admins" in here
> >>
> >>> We need to find if the group has actually disappeared.
> >>>
> >>> Run this on a DC:
> >>>
> >>> ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator
> >>>
> >>> Replace 'dc3' with the DC's name.
> >>>
> >>> It should display the Domain Admins object
> >>
> >> The DC there is a windows server ...
> >>
> >> I think: no ->
> >>
> >> # ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)' -UAdministrator
> >>
> >> [..]
> >>
> >> # returned 3 records
> >> # 0 entries
> >> # 3 referrals
> >>
> > 
> > I wonder if someone (for whatever reason) has renamed Domain
> > Admins ?
> > 
> > Create a script 'get_admins.sh'
> > 
> > Containing this:
> > 
> > #!/bin/bash
> > 
> > DC=$1
> > PASS=$2
> > DOM=$3
> > 
> > # Look up the domain object's SID, then append the well-known RID 512
> > # (Domain Admins), which stays the same whatever the group has been renamed to.
> > DOMSID=$(ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
> >   "(&(objectclass=domain)(name=$DOM))" objectSid | grep objectSid | \
> >   awk '{print $NF}')
> > 
> > ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
> >   "(objectSid=${DOMSID}-512)"
> > 
> > exit 0
> > 
> > Run it like this:
> > 
> > bash ./get_admins.sh DC PASSWORD WORKGROUP
> > 
> > Replace:
> > DC with your DC's hostname
> > 
> > PASSWORD with your Administrator password
> > 
> > WORKGROUP with your lowercase workgroup name
> > 
> > If the SID-512 exists, it will display the object for that
> > objectSid.
> 
> yep, thanks.
> 
> I get
> 
> 
> # record 1
> dn: CN=Domänen-Admins,CN=Users,DC=mydomain,DC=intra
> objectClass: top
> objectClass: group
> cn:: RG9tw6RuZW4tQWRtaW5z
> description:: QWRtaW5pc3RyYXRvcmVuIGRlciBEb23DpG5l
> member: CN=MI,CN=Users,DC=mydomain,DC=intra
> member: CN=Administrator,CN=Users,DC=mydomain,DC=intra
> distinguishedName:: Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPW5vcmFzLERDPWludHJh
> instanceType: 4
> whenCreated: 20130218123437.0Z
> whenChanged: 20180507150906.0Z
> uSNCreated: 12345
> memberOf: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=mydomain,DC=intra
> memberOf: CN=Administratoren,CN=Builtin,DC=mydomain,DC=intra
> uSNChanged: 55909177
> name:: RG9tw6RuZW4tQWRtaW5z
> objectGUID: 7e533ce7-d6e6-47c4-baf2-0730b2e6f580
> objectSid: S-1-5-21-2034248556-467506829-2175355384-512
> adminCount: 1
> sAMAccountName:: RG9tw6RuZW4tQWRtaW5z
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=intra
> isCriticalSystemObject: TRUE
> dSCorePropagationData: 20171116130219.0Z
> dSCorePropagationData: 20130516110155.0Z
> dSCorePropagationData: 20130516103841.0Z
> dSCorePropagationData: 20130218133156.0Z
> dSCorePropagationData: 16010101000000.0Z
> 
> But
> 
> # net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U "mydomain\administrator"
> 
> fails
> 
> also for "mydomain\Domänen-Admins"

Why is it 'Domanen-Admins'? Is the dash normal for the German version
of Windows?
At least it exists ;-)

Is the locale set correctly ?

Rowland
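
The check Rowland's script performs, carried one step further as an added example (Python, not code from the thread or from Samba): parse the ldbsearch output shown above, decode the base64 ('::') attributes the German locale forces, and identify the privileged group by its well-known RID 512 rather than by a localized name that tools such as 'net rpc rights' may not match. The LDIF sample is constructed here, modelled on the quoted record.

```python
import base64
import re

# Domain Admins' well-known RID: the same in every AD domain and language, unlike
# the localized group name (Domain Admins vs. Domänen-Admins in the thread).
DOMAIN_ADMINS_RID = 512

# Constructed sample modelled on the ldbsearch output quoted in the thread: a
# base64 ('::') UTF-8 name, a folded (leading-space) value and a comment line.
SAMPLE_LDIF = """\
# record 1
dn: CN=Dom\u00e4nen-Admins,CN=Users,DC=mydomain,DC=intra
cn:: RG9tw6RuZW4tQWRtaW5z
memberOf: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=mydomain,DC=i
 ntra
objectSid: S-1-5-21-2034248556-467506829-2175355384-512
sAMAccountName:: RG9tw6RuZW4tQWRtaW5z
"""

def parse_ldif(text):
    """Parse ldbsearch/LDIF text into a list of {attribute: [values]} dicts."""
    text = re.sub(r"\n ", "", text)          # unfold continuation lines
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z][\w-]*)(::?) ?(.*)$", line)
        if line.startswith("#") or not m:    # comment / summary line
            continue
        attr, sep, value = m.groups()
        if sep == "::":                      # base64: non-ASCII or binary value
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records

def find_domain_admins(records):
    """Return (localized sAMAccountName, objectSid) of the RID-512 group, else None."""
    for rec in records:
        for sid in rec.get("objectSid", []):
            if sid.rsplit("-", 1)[-1] == str(DOMAIN_ADMINS_RID):
                return rec["sAMAccountName"][0], sid
    return None
```

Feed it the real output of the second ldbsearch in the script and the returned name is the exact string to use in place of 'Domain Admins' in later commands.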
