[Samba] limit access to personal information
Christian
chanlists at googlemail.com
Sat Jun 4 06:13:29 UTC 2022
Dear all,
I am trying to limit the access to personal information in our AD (we
run Debian bullseye on our DCs with Louis's 4.15 packages, in case that
matters).
The first obstacle seems to be that there is an explicit ACL on every
user allowing read access to personal information for every
authenticated user.
My understanding is that this ACL comes from the default ACL on user
objects. I have found that default entry in the schema management MMC
snap-in but am unable to remove it even as a domain admin. The error
message is
"Unable to save permission changes on User. The server is unwilling to
process the request."
Is there some other way I should be doing this?
For existing users, I would have to remove the explicit allow ACL. Is
there a good way to do this programmatically, preferably on Linux? I
have looked at samba-tool dsacl set, but there is very little
documentation out there...
The rest of the question is not strictly samba-related, but I assume I
will have to create a group that contains all users that should not be
granted access to personal information (most users for us, in fact) and
place a deny ACL on an OU somewhere up in the tree where it can affect
all users...
It seems somewhat complicated though. I would much rather work with an
explicit allow to grant specific users access. My understanding is that
this is not possible because the personal information does not have the
"confidential" bit set??? And changing that would involve fooling around
with the schema again???
The other option, as I understand, would be to introduce custom fields
through a schema modification to store the personal information, but
that would have the disadvantage that the non-standard fields would not
be known to third-party tools.
Thanks for any insights. There is surprisingly little information on
this out there...
Best wishes,
Christian
PS: Links I found most useful:
https://www.oreilly.com/library/view/active-directory-cookbook/0596004648/ch14s12.html
https://social.technet.microsoft.com/Forums/en-US/53523e07-d7dd-4a50-8511-7cffe3717470/hide-specific-user-attributes-to-users-?forum=winserverDS
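As an added illustration (not part of Christian's post and not Samba's own code), a Python sketch of the two ACL edits the post describes: stripping the explicit Authenticated Users allow ACE on the Personal-Information property set from a user's SDDL descriptor (the string form `samba-tool dsacl set` takes), and building the inherited deny ACE for an OU. The property-set and user-class GUIDs are the standard AD schema values; the sample descriptor and group SID are constructed.

```python
import re

# Well-known AD GUIDs (standard schema values, not taken from the post).
PERSONAL_INFORMATION = "77b5b886-944a-11d1-aebd-0000f80367c1"  # Personal-Information property set
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"            # schemaIDGUID of class "user"
AUTHENTICATED_USERS = "AU"                                     # SDDL alias for S-1-5-11
READ_PROPERTY = 0x10                                           # ADS_RIGHT_DS_READ_PROP

def split_dacl(sddl):
    """Return (text before the ACE list, DACL flags, list of ACE field lists, trailing text)."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("SDDL string has no DACL")
    aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", m.group(2))]
    return sddl[:m.start(1)], m.group(1), aces, sddl[m.end():]

def has_read_property(rights):
    """True if an SDDL rights field includes the read-property right (mnemonic or hex form)."""
    if rights.startswith("0x"):
        return int(rights, 16) & READ_PROPERTY != 0
    return "RP" in {rights[i:i + 2] for i in range(0, len(rights), 2)}

def grants_personal_info_to_all(ace):
    """True for an object-allow ACE letting Authenticated Users read the Personal-Information set."""
    ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = ace[:6]
    return (ace_type == "OA" and has_read_property(rights)
            and obj_guid.lower() == PERSONAL_INFORMATION and trustee == AUTHENTICATED_USERS)

def strip_personal_info_grants(sddl):
    """Rebuild the descriptor without the offending ACE(s); returns (new_sddl, number_removed)."""
    prefix, flags, aces, suffix = split_dacl(sddl)
    kept = [a for a in aces if not grants_personal_info_to_all(a)]
    rebuilt = prefix + flags + "".join("(" + ";".join(a) + ")" for a in kept) + suffix
    return rebuilt, len(aces) - len(kept)

def deny_ace_for_ou(group_sid):
    """Deny ACE to place on an OU: inherited by user objects below it (CI), not applied to the
    OU itself (IO). An inherited deny never beats an explicit allow on the user object itself,
    which is why strip_personal_info_grants() is still needed for existing users."""
    return f"(OD;CIIO;RP;{PERSONAL_INFORMATION};{USER_CLASS};{group_sid})"

# Constructed sample: a cut-down user descriptor in the shape of the schema default.
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;PS)"
               "(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)"
               "(OA;;RP;E45795B2-9455-11d1-AEBD-0000F80367C1;;AU)(A;;RC;;;AU)")

if __name__ == "__main__":
    new_sddl, removed = strip_personal_info_grants(SAMPLE_SDDL)
    print(f"removed {removed} ACE(s):", new_sddl)
    print(deny_ace_for_ou("S-1-5-21-111-222-333-1234"))  # constructed placeholder group SID
```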