[Samba] Set/Restrict Owner Rights for OU-Admin
Gunnar Bandelow
gunnar.bandelow at uni-greifswald.de
Mon Aug 24 10:00:07 UTC 2020
Hello everyone,
we are in the process of changing from a Windows Domain to a Samba Domain and
tried to implement some restrictions for OU-Admins. In the Windows Domain those
restrictions can be implemented with Security ID: S-1-3-4 (Owner Rights).
In our old Windows Domain everything works fine and as expected.
In our Samba Domain, it doesn't work. We tried to implement the same rights as
in our old domain from GUI and command line.
Samba Version 4.12.6
Here is a small bash script to set up an example via command line:
=============
#!/bin/bash
# variables used in the script
TestOU="TestSamba-OU-OWNER-RIGHTS"
TestUser="TestSamba-User-OR"
TestUserPWD="TestUserPW1!"
TestGroup="acl-ad_TestSamba-Group-OR_ou-rw"
Base_OU_DN="DC=ad,DC=something,DC=com"
Group_OWNER_RIGHTS="OWNER RIGHTS"
AD="AD\\"
Test_OU_DN="OU=${TestOU},${Base_OU_DN}"
# delete Test_OU_DN ( might be necessary to run script multiple times )
# samba-tool ou delete "${Test_OU_DN}" --force-subtree-delete
# echo of all used variables
echo "Test-OU: ${TestOU}"
echo "Test-Group: ${TestGroup}"
echo "Test-User: ${TestUser}"
echo "Test-User_PWD: ${TestUserPWD}"
echo " "
echo "Base_OU-DN: ${Base_OU_DN}"
echo "Test-OU-DN: ${Test_OU_DN}"
# create TestOU
samba-tool ou create "${Test_OU_DN}"
# create two OUs within TestOU
samba-tool ou create "OU=Test1_with_Owner-Rights,${Test_OU_DN}"
samba-tool ou create "OU=Test2_without_Owner-Rights,${Test_OU_DN}"
# add group to TestOU
samba-tool group add "${TestGroup}" --groupou "OU=${TestOU}" \
    --description="Group for OWNER-RIGHTS test"
# add user to OU
samba-tool user add "${TestUser}" "${TestUserPWD}" --userou "OU=${TestOU}"
# add TestUser to TestGroup
samba-tool group addmembers "${TestGroup}" "${TestUser}"
# set OWNER RIGHTS only for OU Test1_with_Owner-Rights
samba-tool dsacl set --objectdn "OU=Test1_with_Owner-Rights,${Test_OU_DN}" \
    --sddl="(A;CI;RPLCRC;;;S-1-3-4)"
# get groupid and sid from TestGroup
# groupid=$(samba-tool group show "${TestGroup}" --attributes=objectGUID | grep objectGUID | cut -d " " -f2 -)
sid=$(samba-tool group show "${TestGroup}" --attributes=objectSid | grep objectSid | cut -d " " -f2 -)
# Organizational-Unit class with Schema-Id-Guid bf967aa5-0de6-11d0-a285-00aa003049e2
accessrights="(OA;CI;CCDC;bf967aa5-0de6-11d0-a285-00aa003049e2;bf967aa5-0de6-11d0-a285-00aa003049e2;${sid})"
# add Organizational Unit access rights to the two OUs
samba-tool dsacl set --objectdn "OU=Test1_with_Owner-Rights,${Test_OU_DN}" \
    --sddl="${accessrights}"
samba-tool dsacl set --objectdn "OU=Test2_without_Owner-Rights,${Test_OU_DN}" \
    --sddl="${accessrights}"
================
In the first OU ("OU=Test1_with_Owner-Rights") the user should be restricted
by Owner Rights, and in the second OU ("OU=Test2_without_Owner-Rights") he
should not be restricted.
The Owner Rights (set up as described above) are not working in our Samba
Domain.
Any suggestions are welcome.
Kind regards,
Gunnar Bandelow
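A small check added here, not part of Gunnar's script, for confirming that the Owner Rights ACE actually landed on the OU before debugging enforcement: it reads the SDDL string that `samba-tool dsacl get --objectdn <DN>` prints (assumed to arrive on stdin) and lists every ACE whose trustee is S-1-3-4, then reports whether one of them carries the CI (container inherit) flag. The SDDL used in the usage comment is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Run on a DC, for example:
#   samba-tool dsacl get --objectdn "OU=Test1_with_Owner-Rights,DC=ad,DC=something,DC=com" \
#       | owner_rights_aces
# Constructed sample SDDL for offline use:
#   O:DAG:DAD:AI(A;CI;RPLCRC;;;S-1-3-4)(OA;CI;CCDC;<guid>;<guid>;S-1-5-21-1-2-3-1105)

# Print each ACE granted to the Owner Rights SID (S-1-3-4), one per line.
# An SDDL ACE looks like (type;flags;rights;object_guid;inherit_guid;trustee),
# so we split the descriptor on "(" and keep only ACEs whose trustee field
# is S-1-3-4.
owner_rights_aces() {
    tr -d '\n' | tr '(' '\n' | sed 's/^/(/' | grep ';S-1-3-4)$'
}

# Exit 0 if at least one Owner Rights ACE has the CI flag (applies to child
# objects), which is what the script above intended with "(A;CI;...;S-1-3-4)".
# Field 2 of the ';'-separated ACE is the flags field.
has_inherited_owner_rights() {
    owner_rights_aces | awk -F';' '$2 ~ /CI/ { found = 1 } END { exit !found }'
}

# Exit 0 if the descriptor carries no Owner Rights ACE at all, i.e. the
# "samba-tool dsacl set" call did not take effect on this object.
missing_owner_rights() {
    [ -z "$(owner_rights_aces)" ]
}
```

Running the check against the OU with Owner Rights and the one without should give opposite results; if both report the ACE missing, the problem is with setting the ACE, not with its enforcement.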