[Samba] editing GPO as user X, when user X is used in gpo security filter

Kacper Wirski kacper.wirski at gmail.com
Tue May 14 19:53:22 UTC 2019


I'm using samba 4.9.x compiled from source on centos 7.6

Today I ran into an unknown behaviour before, which I'm not sure if it's 
a bug, a feature or.. just "is".

I realised, that I'm unable to edit particular GPOs, with "access 
denied"  error, when this criteria are met:

- I have user "john" that is a member of "domain admins"

- to any new or existing GPO I explicitly add user "john"  to "security 

- I'm editing GPO from workstation to which I'm logged in as user "john"

You can substitute "john" for any other username, i.e. it's not tied to 
particular account, as long as criteria as above are met.

Things like "wbinfo -i" and getfacl run on any of the GPO return 
expected values, all GPO are owned by "domain admins" (both user and group).

What happens is:

I can open GPO to edit, I can try to change something, but whenver I try 
to accept changes, there is "access denied" error. To make it clear: 
policy is processed by domain clients as it should, and settings are 
applied, error is ONLY when editing with the criteria as above. So 
"john" will get settings applied, even though he can't edit.

As soon, as I remove "john" from security filter OR log in as another 
domain admin, I can edit GPO without error. I'm 100% certain it's not 
user "john" fault, as I can as easily reproduce with another user, as 
long as:

- user that is logged in is member of "domain admins" and is editing GPO 
with himself added to GPO security filter

It's not a big issue, and easy to circumvent that's why I'm not even 
sure if it's a bug, or maybe a feature. I bumped into this by accident, 
as I wanted to test something using my domain admin account and not 
different test account and using trial and error pinpointed what caused 
gpo edit error.

I tested this using windows 10 and windows 2012 r2 clients with latest 

I asked around people using pure microsoft windows 2016 AD DC and they 
couldn't reproduce this behaviour.

What I'd like to know if it's something that is expected, or is there an 
error in my domain?



Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast.

More information about the samba mailing list