[Samba] windows acls

Peter Carlson peter at howudodat.com
Tue Dec 13 20:57:30 UTC 2022


On 12/13/22 11:27, Rowland Penny via samba wrote:
>
>
> On 13/12/2022 19:00, Peter Carlson via samba wrote:
>>
>> On 12/13/22 10:45, Rowland Penny via samba wrote:
>>> Is 'S-1-5-21-185628584-2620904409-2800336372' the domain SID ?
>>> Who or what is the RID 1105 ?
>>
>> Not sure, how can I determine that?
>
> wbinfo --sid-to-name=S-1-5-21-185628584-2620904409-2800336372-1105

No idea what that old SID is; it's not this domain.

root@filesvr:~# wbinfo --sid-to-name=S-1-5-21-185628584-2620904409-2800336372-1105
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-185628584-2620904409-2800336372-1105

root@filesvr:~# wbinfo -n peter
S-1-5-21-352062930-1555017353-2732629723-1110 SID_USER (1)

>
>>
>>
>>>
>>>>
>>>> 2) If inheritance is disabled, why do the folders in the share show 
>>>> inherited from P:\ ?
>
>
>> root@filesvr:~# samba-tool ntacl get /data/FacilityPictures/ --as-sddl
>> O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;DU) 
>>
>
> If you break that down, you get this:
>
> O:S-1-22-1-0 # owner 'root'
> G:S-1-22-2-0 # group 'root'
>
> D:PAI
> 'P' = The SE_DACL_PROTECTED flag is set.
> 'AI' = The SE_DACL_AUTO_INHERITED flag is set.
>
> (A;;0x001f01ff;;;S-1-22-1-0)
> (A;;0x001f01ff;;;S-1-22-2-0)
> (A;;0x001f01ff;;;WD)
> (A;OICIIO;0x001f01ff;;;CO)
> (A;OICIIO;0x001200a9;;;CG)
> (A;OICIIO;0x001200a9;;;WD)
> (A;OICI;0x001f01ff;;;DU)
>
> 'A' = allow
> '0x001f01ff' full control
> 'OI' = OBJECT_INHERIT_ACE
> 'CI' = CONTAINER_INHERIT_ACE
> 'IO' = INHERIT_ONLY_ACE
>
> 'WD' = Everyone
> 'CO' = Creator owner
> 'CG' = Creator group
> 'DU' = Domain Users
>
> I hope this helps you understand.
>
> Rowland
>
>
I thought I read somewhere that you want inheritance disabled at the
share, but it's OK for the contents. Now I can't find that. Is that
true? If so, how can I disable inheritance at the share?
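
The SDDL breakdown quoted above, done programmatically, as an added example that is not part of the original thread and not Samba's own code. The function and table names are hypothetical, the lookup tables cover only the tokens in this one string, and the "read and execute" label for 0x001200a9 is added here rather than taken from the thread.

```python
import re

# Lookup tables cover only the tokens that occur in the thread's SDDL string.
DACL_FLAGS = {"P": "SE_DACL_PROTECTED", "AI": "SE_DACL_AUTO_INHERITED"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT_ACE", "CI": "CONTAINER_INHERIT_ACE",
             "IO": "INHERIT_ONLY_ACE", "ID": "INHERITED_ACE"}
TRUSTEES = {"WD": "Everyone", "CO": "Creator owner", "CG": "Creator group",
            "DU": "Domain Users", "S-1-22-1-0": "root (Unix user)",
            "S-1-22-2-0": "root (Unix group)"}
# 0x001200a9 = read and execute (label added here, not stated in the thread).
MASKS = {0x001F01FF: "full control", 0x001200A9: "read and execute"}

# SDDL string as posted in the thread for /data/FacilityPictures/.
THREAD_SDDL = (
    "O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;;0x001f01ff;;;S-1-22-1-0)"
    "(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)"
    "(A;OICIIO;0x001200a9;;;WD)(A;OICI;0x001f01ff;;;DU)")


def parse_sddl(sddl):
    """Parse 'O:..G:..D:flags(ace)...'; assumes hex access masks as printed above."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl.strip())
    if m is None:
        raise ValueError("expected an O:/G:/D: SDDL string")
    owner, group, dflags, ace_blob = m.groups()
    dflag_tokens = re.findall("AI|AR|P", dflags)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE must have 6 fields: ({body})")
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields
        tokens = set(re.findall("..", flags))
        aces.append({
            "type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
            "flags": sorted(ACE_FLAGS.get(t, t) for t in tokens),
            "rights": MASKS.get(int(rights, 16), rights),
            "trustee": TRUSTEES.get(sid, sid),
            "applies_here": "IO" not in tokens,      # INHERIT_ONLY skips this folder
            "propagates": bool(tokens & {"OI", "CI"}),  # handed down to children
            "inherited": "ID" in tokens,             # came from a parent's ACL
        })
    return {"owner": TRUSTEES.get(owner, owner),
            "group": TRUSTEES.get(group, group),
            "protected": "P" in dflag_tokens,  # DACL blocks inheritance from parent
            "dacl_flags": [DACL_FLAGS.get(t, t) for t in dflag_tokens],
            "aces": aces}
```

For the thread's string, `parse_sddl(THREAD_SDDL)` reports `protected` as true, no ACE carrying the inherited flag, and four ACEs (the three `OICIIO` entries and the `OICI` entry for Domain Users) that propagate to children.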

