[Samba] Howto replace a dsacl?

Kees van Vloten keesvanvloten at gmail.com
Sat Feb 12 21:13:49 UTC 2022


Hi Team

If security filters are set on a GPO in Windows, it changes/replaces the 
dsacl of the GPO's ldap entry, which is this DN:

CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com


I am trying to achieve the same on a Samba DC server (samba 4.15.5).

I know (at least) 2 options to view the dsacl:

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 'CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com' 'nTSecurityDescriptor'

or

samba-tool dsacl get --objectdn='CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com'

On the other hand writing can be done with:

samba-tool dsacl set

But according to the help: "An ACE or group of ACEs to be added on the 
object". I tried it and indeed it adds to the existing dsacl resulting 
in an acl that fails due to order issues.

Since I reverse engineered what Windows does and I found a way to 
recreate that, I want to replace the dsacl completely.

Samba-tool does not seem to offer such functionality.
Ldbmodify or ldbedit fail on changing the dsacl, a.k.a. 'nTSecurityDescriptor':

cat /tmp/7xu7ze18.ldif
dn: CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com
nTSecurityDescriptor: O:DAG:DAD:PAR(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI
  ;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RP
  WPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCL
  ORC;;;ED)(A;CI;RPLCRC;;;S-1-5-21-4190054395-3630394414-2036191173-1112)(A;C
  I;RPLCRC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-4190
  054395-3630394414-2036191173-1112)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b6
  03-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30
  e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/7xu7ze18.ldif
ndr_pull_relative_ptr1: ndr_pull_error(Buffer Size Error): 
ndr_pull_relative_ptr1 rel_offset(1094990407) > ndr->data_size(578) at 
../../librpc/ndr/ndr.c:1938
ERR: (Object class violation) "objectclass: Cannot add 
CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com, 
no objectclass specified!" on DN 
CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com 
at block before line 9
Modify failed after processing 0 records

How can I replace the 'nTSecurityDescriptor' on a GPO from Linux?

- Kees
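As an added illustration (not part of Kees's post or of Samba's own code), a small Python parser for the SDDL text form of an nTSecurityDescriptor that checks whether the DACL is in the canonical order Windows expects (explicit deny ACEs, then explicit allow ACEs, then inherited ACEs), which is the kind of ordering problem an append-only tool can introduce. The sample descriptor is the one quoted in the post, joined back into one line; the canonical-order rule is the standard Windows one and is assumed here rather than stated by the post.

```python
import re

# Canonical DACL order Windows expects: explicit deny, explicit allow, inherited.
# Constructed from the descriptor quoted in the post (wrapped lines joined).
POST_SDDL = (
    "O:DAG:DAD:PAR(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)"
    "(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;ED)(A;CI;RPLCRC;;;S-1-5-21-4190054395-3630394414-2036191173-1112)"
    "(A;CI;RPLCRC;;;AU)"
    "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-4190054395-3630394414-2036191173-1112)"
    "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

def split_sections(sddl):
    """Split 'O:..G:..D:..S:..' into a dict; an 'X:' marker only counts outside parentheses."""
    sections, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        c = sddl[i]
        if depth == 0 and c in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                sections[key] = "".join(buf)
            key, buf, i = c, [], i + 2
            continue
        depth += (c == "(") - (c == ")")
        buf.append(c)
        i += 1
    if key is not None:
        sections[key] = "".join(buf)
    return sections

def parse_aces(acl_text):
    """Return (control flags, [(type, [flag, ...], rights, object_guid, inherit_guid, sid), ...])."""
    flags, _, rest = acl_text.partition("(")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", "(" + rest):
        atype, aflags, rights, obj, inh, sid = body.split(";")  # six fixed SDDL ACE fields
        aces.append((atype, [aflags[j:j + 2] for j in range(0, len(aflags), 2)], rights, obj, inh, sid))
    return flags, aces

def ace_rank(ace):
    """0 = explicit deny, 1 = explicit allow/other, 2 = inherited (ID flag set)."""
    return 2 if "ID" in ace[1] else (0 if ace[0] in ("D", "OD") else 1)

def dacl_is_canonical(sddl):
    """True when the DACL ACEs appear in deny / allow / inherited order."""
    _, aces = parse_aces(split_sections(sddl)["D"])
    ranks = [ace_rank(a) for a in aces]
    return ranks == sorted(ranks)
```

Feeding it the output of `samba-tool dsacl get` before and after a change shows whether an appended ACE landed out of order.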
