[Samba] Howto replace a dsacl?

Rowland Penny rpenny at samba.org
Sat Feb 12 22:11:23 UTC 2022


On Sat, 2022-02-12 at 22:13 +0100, Kees van Vloten via samba wrote:
> Hi Team
> 
> If security filters are set on a GPO in Windows, it changes/replaces
> the dsacl of the GPO's ldap entry, which is this DN:
> 
> CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com
> 
> 
> I am trying to achieve the same on a Samba DC server (samba 4.15.5).
> 
> I know (at least) 2 options to view the dsacl:
> 
> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 'CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com' 'nTSecurityDescriptor'
> 
> or
> 
> samba-tool dsacl get --objectdn='CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com'
> 
> On the other hand writing can be done with:
> 
> samba-tool dsacl set
> 
> But according to the help: "An ACE or group of ACEs to be added on
> the object". I tried it and indeed it adds to the existing dsacl,
> resulting in an acl that fails due to order issues.
> 
> Since I reverse engineered what Windows does and I found a way to
> recreate that, I want to replace the dsacl completely.
> 
> samba-tool does not seem to offer such functionality.
> ldbmodify or ldbedit fail on changing the dsacl, a.k.a.
> 'nTSecurityDescriptor':
> 
> cat /tmp/7xu7ze18.ldif
> dn: CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com
> nTSecurityDescriptor: O:DAG:DAD:PAR(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI
>  ;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RP
>  WPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCL
>  ORC;;;ED)(A;CI;RPLCRC;;;S-1-5-21-4190054395-3630394414-2036191173-1112)(A;C
>  I;RPLCRC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-4190
>  054395-3630394414-2036191173-1112)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b6
>  03-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30
>  e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> 
> ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/7xu7ze18.ldif
> ndr_pull_relative_ptr1: ndr_pull_error(Buffer Size Error): ndr_pull_relative_ptr1 rel_offset(1094990407) > ndr->data_size(578) at ../../librpc/ndr/ndr.c:1938
> ERR: (Object class violation) "objectclass: Cannot add CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com, no objectclass specified!" on DN CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com at block before line 9
> Modify failed after processing 0 records
> 
> How can I replace the 'nTSecurityDescriptor' on a GPO from Linux?
> 
> - Kees

The error message tells you part of the problem: you are not supplying
an objectclass. But this will not really help, because while you are
using ldbmodify, you are not using the correct ldif. It should look
like this:

dn: CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},CN=Policies,CN=System,DC=example,DC=com
changetype: modify
replace: nTSecurityDescriptor
nTSecurityDescriptor: O:DAG:DAD:PAR(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI
 ;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RP
 WPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCL
 ORC;;;ED)(A;CI;RPLCRC;;;S-1-5-21-4190054395-3630394414-2036191173-1112)(A;C
 I;RPLCRC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-4190
 054395-3630394414-2036191173-1112)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b6
 03-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30
 e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

Rowland
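To make the fix in this thread repeatable, here is an added Python example (not code from the thread, the poster, or the Samba project). It generates exactly the record shape Rowland describes (changetype: modify, replace: nTSecurityDescriptor), folds the long SDDL value per RFC 2849 so that a mail client or editor cannot break it, and, before the record is written, checks that the DACL ACEs are in canonical order (explicit deny, explicit allow, inherited), which is the "order issues" failure Kees hit when ACEs were appended. The DN and SDDL are the ones quoted above; the output path is a constructed placeholder.

```python
"""Build an LDIF 'replace' change for nTSecurityDescriptor and sanity-check the DACL.

Added example, not code from Samba or from the thread. LDIF folding follows
RFC 2849; the canonical DACL order is the one Windows expects.
"""
import re

# DN and SDDL as quoted in the thread.
GPO_DN = ("CN={7CAD01FF-4AFE-4612-B691-BF18141A4DBF},"
          "CN=Policies,CN=System,DC=example,DC=com")
SDDL = (
    "O:DAG:DAD:PAR"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)"
    "(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;ED)"
    "(A;CI;RPLCRC;;;S-1-5-21-4190054395-3630394414-2036191173-1112)"
    "(A;CI;RPLCRC;;;AU)"
    "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;"
    "S-1-5-21-4190054395-3630394414-2036191173-1112)"
    "S:AI"
    "(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

LDIF_WIDTH = 76            # RFC 2849: fold physical lines longer than 76 chars
DENY_TYPES = {"D", "OD"}   # SDDL access-denied ACE types


def fold_ldif_line(logical, width=LDIF_WIDTH):
    """Split one logical LDIF line into physical lines.

    Continuation lines begin with a single space, which the reader strips
    when joining them back together.
    """
    out = [logical[:width]]
    rest = logical[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def unfold_ldif(text):
    """Inverse of folding: append each continuation line to the line before it."""
    logical = []
    for phys in text.splitlines():
        if phys.startswith(" ") and logical:
            logical[-1] += phys[1:]
        else:
            logical.append(phys)
    return logical


def dacl_aces(sddl):
    """Return the DACL ACEs as lists of ';'-separated fields (type, flags, rights, ...)."""
    m = re.search(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [ace.split(";") for ace in re.findall(r"\(([^)]*)\)", m.group("aces"))]


def dacl_is_canonical(sddl):
    """True when DACL ACEs are ordered: explicit deny, explicit allow, then inherited.

    Appending ACEs to an existing DACL (what 'samba-tool dsacl set' does) can
    violate this order, so check it before writing the descriptor back.
    """
    def rank(ace):
        ace_type, flags = ace[0], ace[1]
        # ACE flags are two-letter codes concatenated; ID marks an inherited ACE.
        inherited = "ID" in [flags[i:i + 2] for i in range(0, len(flags), 2)]
        if inherited:
            return 2
        return 0 if ace_type in DENY_TYPES else 1

    ranks = [rank(ace) for ace in dacl_aces(sddl)]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


def build_replace_ldif(dn, sddl):
    """Return an LDIF modify record that replaces nTSecurityDescriptor with `sddl`.

    Without 'changetype: modify' and 'replace:' ldbmodify treats the record as
    an add of a new object, which is the "no objectclass specified" error
    seen in the thread.
    """
    if not sddl.startswith("O:"):
        raise ValueError("expected an SDDL string starting with the owner (O:) part")
    if not dacl_is_canonical(sddl):
        raise ValueError("DACL ACEs are not in canonical order; refusing to write")
    record = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: nTSecurityDescriptor",
        f"nTSecurityDescriptor: {sddl}",
        "-",
    ]
    physical = []
    for logical in record:
        physical.extend(fold_ldif_line(logical))
    return "\n".join(physical) + "\n"


if __name__ == "__main__":
    # Redirect to a file (placeholder path), then apply with:
    #   ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/replace-gpo-sd.ldif
    print(build_replace_ldif(GPO_DN, SDDL), end="")
```

Run it as `python3 replace_gpo_sd.py > /tmp/replace-gpo-sd.ldif` and feed the file to ldbmodify as in Rowland's reply; keep a copy of the output of `samba-tool dsacl get` for the same DN beforehand so the previous descriptor can be restored the same way if the new one turns out to be wrong.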
