[Samba] Howto replace a dsacl?
Kees van Vloten
keesvanvloten at gmail.com
Sat Feb 12 21:13:49 UTC 2022
Hi Team
If security filters are set on a GPO in Windows, it changes/replaces the
dsacl of the GPO's ldap entry, which is this DN:
CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com
I am trying to achieve the same on a Samba DC server (samba 4.15.5).
I know (at least) 2 options to view the dsacl:
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 'CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com' 'nTSecurityDescriptor'
or
samba-tool dsacl get --objectdn='CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com'
On the other hand writing can be done with:
samba-tool dsacl set
But according to the help: "An ACE or group of ACEs to be added on the
object". I tried it and indeed it adds to the existing dsacl resulting
in an acl that fails due to order issues.
Since I reverse engineered what Windows does and I found a way to
recreate that, I want to replace the dsacl completely.
Samba-tool does not seem to offer such functionality.
Ldbmodify or ldbedit fail on changing the dsacl, a.k.a. 'nTSecurityDescriptor':
cat /tmp/7xu7ze18.ldif
dn: CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com
nTSecurityDescriptor: O:DAG:DAD:PAR(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;ED)(A;CI;RPLCRC;;;S-1-5-21-4190054395-3630394414-2036191173-1112)(A;CI;RPLCRC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-4190054395-3630394414-2036191173-1112)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/7xu7ze18.ldif
ndr_pull_relative_ptr1: ndr_pull_error(Buffer Size Error):
ndr_pull_relative_ptr1 rel_offset(1094990407) > ndr->data_size(578) at
../../librpc/ndr/ndr.c:1938
ERR: (Object class violation) "objectclass: Cannot add
CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com,
no objectclass specified!" on DN
CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com
at block before line 9
Modify failed after processing 0 records
How can I replace the 'nTSecurityDescriptor' on a GPO from Linux?
- Kees
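Editor's added example, not the poster's code and not part of Samba: a standard-library Python script that (1) checks the DACL of an SDDL string for canonical ACE order (explicit deny, then explicit allow, then inherited ACEs), which is the order that appending ACEs at the end of an existing descriptor breaks, and (2) writes an LDIF record that replaces nTSecurityDescriptor instead of adding a new entry. The "changetype: modify" and "replace:" lines are the point: a record without them is handled by ldbmodify as an add, which is what the "Cannot add ... no objectclass specified" error above reports. The ndr_pull message before it is Samba's LDIF handler first trying to unpack the value as an NDR security descriptor before parsing it as SDDL (the rel_offset 1094990407 is the bytes "G:DA" of the string read as a pointer, and data_size 578 is the length of the SDDL value), so it is not the cause of the failure. The DN, the domain SID and the inherited ACE in the sample descriptor are constructed placeholders; the script touches no database and only prints the LDIF.

```python
"""DACL canonical-order check plus an LDIF record that replaces nTSecurityDescriptor."""
import re

# Constructed sample (editor's placeholder values, not the poster's data):
# a GPO-style descriptor whose last DACL ACE is an explicit allow appended
# after an inherited (ID) ACE, i.e. the non-canonical order appending produces.
SAMPLE_DN = "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=example,DC=com"
SAMPLE_SDDL = (
    "O:DAG:DAD:PAR"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPLCLORC;;;ED)"
    "(A;CIID;RPLCRC;;;AU)"                 # inherited from the parent container
    "(A;CI;RPLCRC;;;S-1-5-21-0-0-0-1112)"  # placeholder domain SID
    "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

# SDDL components O:, G:, D:, S:; ACEs are parenthesised and contain no colons.
_COMPONENT_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
_ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, ACL flags and ACE lists."""
    parts = {"owner": "", "group": "", "dacl_flags": "", "dacl": [],
             "sacl_flags": "", "sacl": []}
    for key, body in _COMPONENT_RE.findall(sddl):
        if key == "O":
            parts["owner"] = body
        elif key == "G":
            parts["group"] = body
        else:
            name = "dacl" if key == "D" else "sacl"
            paren = body.find("(")
            flags, aces = (body, "") if paren < 0 else (body[:paren], body[paren:])
            parts[name + "_flags"] = flags
            parts[name] = _ACE_RE.findall(aces)
    return parts


def build_sddl(parts):
    """Inverse of parse_sddl."""
    out = ""
    if parts["owner"]:
        out += "O:" + parts["owner"]
    if parts["group"]:
        out += "G:" + parts["group"]
    for key, name in (("D", "dacl"), ("S", "sacl")):
        if parts[name + "_flags"] or parts[name]:
            out += key + ":" + parts[name + "_flags"]
            out += "".join("(%s)" % ace for ace in parts[name])
    return out


def ace_rank(ace):
    """Canonical DACL order: explicit deny (0), explicit allow (1), then
    inherited ACEs (2), whose internal order follows the parent."""
    ace_type, flags = ace.split(";")[:2]
    tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}  # CI, OI, ID, ...
    if "ID" in tokens:
        return 2
    return 0 if ace_type in ("D", "OD") else 1


def order_violations(aces):
    """Indexes of ACEs that sit after an ACE of a later canonical class."""
    ranks = [ace_rank(a) for a in aces]
    return [i for i in range(1, len(ranks)) if ranks[i] < ranks[i - 1]]


def canonicalize(aces):
    """Stable sort by class; relative order inside each class is preserved."""
    return sorted(aces, key=ace_rank)


def fold_ldif_line(line, width=76):
    """RFC 2849 folding: every continuation line starts with one space."""
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def ldif_replace_record(dn, sddl):
    """A modify/replace record; without the changetype and replace lines
    ldbmodify treats the record as an add of a new entry."""
    lines = ["dn: " + dn, "changetype: modify", "replace: nTSecurityDescriptor",
             "nTSecurityDescriptor: " + sddl, "-"]
    return "\n".join(fold_ldif_line(l) for l in lines) + "\n"


def fix_and_emit(dn, sddl):
    """Return (out-of-order DACL indexes found, LDIF with a canonicalized DACL)."""
    parts = parse_sddl(sddl)
    bad = order_violations(parts["dacl"])
    parts["dacl"] = canonicalize(parts["dacl"])
    return bad, ldif_replace_record(dn, build_sddl(parts))


if __name__ == "__main__":
    violations, ldif = fix_and_emit(SAMPLE_DN, SAMPLE_SDDL)
    print("out-of-order DACL ACE indexes:", violations)
    print(ldif)
```

Run as-is it reports index 3 as out of order and prints the replace record. To use it on a real GPO, set SAMPLE_DN and SAMPLE_SDDL to the values returned by ldbsearch or samba-tool dsacl get, write the output to a file and apply it with ldbmodify -H /var/lib/samba/private/sam.ldb, after checking the ACE list it produced and with a backup of sam.ldb at hand.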