[Samba] Set/Restrict Owner Rights for OU-Admin

Gunnar Bandelow gunnar.bandelow at uni-greifswald.de
Mon Aug 24 10:00:07 UTC 2020 

Hello everyone,

we are in the process of changing from a Windows Domain to a Samba 
Domain and
tried to implement some restrictions for OU-Admins. In the Windows 
Domain those restrictions
can be implemented with Security ID: S-1-3-4 (Owner Rights).

In our old Windows Domain everything works fine and as expected.

In our Samba Domain, it doesnt work. We tried to implement the same
rights as in our old domain from gui and command line.


Samba Version 4.12.6

Here a small bash script to setup an example via command line:

=============

#!/bin/bash

# variables used in the script
TestOU="TestSamba-OU-OWNER-RIGHTS"
TestUser="TestSamba-User-OR"
TestUserPWD="TestUserPW1!"
TestGroup="acl-ad_TestSamba-Group-OR_ou-rw"

Base_OU_DN="DC=ad,DC=something,DC=com"
Group_OWNER_RIGHTS="OWNER RIGHTS"
AD="AD\\"

Test_OU_DN="OU=${TestOU},${Base_OU_DN}"

# delete Test_OU_DN ( might be necessary to run script multiple times )
# samba-tool ou delete "$(Test_OU_DN)" --force-subtree-delete

# echo of all used variables
echo "Test-OU: ${TestOU}"
echo "Test-Group: ${TestGroup}"
echo "Test-User: ${TestUser}"
echo "Test-User_PWD: ${TestUserPWD}"
echo " "
echo "Base_OU-DN: ${Base_OU_DN}"
echo "Test-OU-DN: ${Test_OU_DN}"

# create TestOU
samba-tool ou create ${Test_OU_DN}

# create two  OUs within TestOU
samba-tool ou create "OU=Test1_with_Owner-Rights,${Test_OU_DN}"
samba-tool ou create "OU=Test2_without_Owner-Rights,${Test_OU_DN}"

# add group to TestOU
samba-tool group add ${TestGroup} --groupou OU=${TestOU} 
--description="Group for OWNER-RIGHTS test"

# add user to OU
samba-tool user add  ${TestUser} ${TestUserPWD} --userou OU=${TestOU}

# add TestUser to TestGroup
samba-tool group addmembers ${TestGroup} ${TestUser}

# set OWNER RIGHTS only for OU Test1_with_Owner-Rights
samba-tool dsacl set --objectdn 
"OU=Test1_with_Owner-Rights,${Test_OU_DN}" --sddl="(A;CI;RPLCRC;;;S-1-3-4)"

# get groupid and sid from TestGroup
# groupid=$(samba-tool group show ${TestGroup} --attributes=objectGUID | 
grep objectGUID | cut -d " " -f2 -)
sid=$(samba-tool group show ${TestGroup} --attributes=objectSid | grep 
objectSid | cut -d " " -f2 -)

# Organizational-Unit class with Schema-Id-Guid 
bf967aa5-0de6-11d0-a285-00aa003049e2
accessrights="(OA;CI;CCDC;bf967aa5-0de6-11d0-a285-00aa003049e2;bf967aa5-0de6-11d0-a285-00aa003049e2;$sid)"

# add Organizational Unit access rights to the two OUs
samba-tool dsacl set --objectdn 
"OU=Test1_with_Owner-Rights,${Test_OU_DN}" --sddl="${accessrights}"
samba-tool dsacl set --objectdn 
"OU=Test2_without_Owner-Rights,${Test_OU_DN}" --sddl="${accessrights}"

================

In the First OU the User should be restricted by OwnerRights ( 
"OU=Test1_with_Owner-Rights" ) and in the second OU 
("OU=Test2_without_Owner-Rights") he should not be restricted.

*The OwnerRights (set up as described above) are not working in our 
Samba Domain.
*

*Any suggestions are welcome.*

Kind regards,
Gunnar Bandelow

More information about the samba mailing list