[Samba] samba-tool dsacl woes

samba-ml-en samba-ml-en at protonmail.com
Thu May 26 21:35:04 UTC 2022


Hello all,

I have tried the "samba-tool dsacl get/set" operations to modify permissions on OUs and groups; frankly, I could find a proper way to implement what I wanted correctly. I searched around for examples on using this tool, but I must admit I could not find much.

So here it is:

smbd -V

Version 4.15.5-Ubuntu

samba-tool -V

4.15.5-Ubuntu

-

Simple ACL edit (like a copy/paste)

So here is our starting point: a standard ACL on an OU.

I get the sddl for this (output is shown with a newline between ACEs for clarity):

samba-tool dsacl get --objectdn="OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu"

(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)

(A;;RPLCLORC;;;AU)

(A;;RPLCLORC;;;ED)

(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)

(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)

(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)

(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)

(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)

(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)

(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)

(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)

(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)

(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)

(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)

(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)

(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)

(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)

(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)

(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)

(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)

(A;CIID;LC;;;RU)

(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)

S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

We remove all ACEs that contain the flag ID (inherited from the parent object/OU). (Note that leaving them in does not change anything in the result.)

Giving us a new sddl that we send back to our AD:

samba-tool dsacl set --objectdn="OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu" --sddl="(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)(A;;RPLCLORC;;;ED)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)"

Now we look again at the result:

We can conclude that samba-tool is not rewriting exactly what it read (the SYSTEM entry is now at the bottom of the list).

-

Example with modified ACL.

In this example we manually add 2 ACEs to our ACL (this is for delegating rights to a group).

Two ACEs are added right above the inherited ones (Adm1AOA).

Again we read the sddl with samba-tool, reset the ACL in Windows and write it back.

(A;;RPLCLORC;;;ED)

(A;;RPLCLORC;;;AU)

(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)

(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)

(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)

(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)

(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)

(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)

(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)

(OA;CIIO;RPWP;deaea1df-2135-41c0-bb7d-4397e6434676;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)

(OA;CIIO;RPCR;318e36f2-a510-4502-b41c-be3984b39c71;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)

samba-tool dsacl set --objectdn="OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu" --sddl="(A;;RPLCLORC;;;ED)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;CIIO;RPWP;deaea1df-2135-41c0-bb7d-4397e6434676;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)(OA;CIIO;RPCR;318e36f2-a510-4502-b41c-be3984b39c71;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)"

And we get the following result:

Again we see the ACE order is odd: my added groups at the top and SYSTEM at the bottom. Now I really think the tool has a very odd way of thinking.

-

Let's make it more like a production example.

In this example we protect the OU against deletion (object tab); this adds one deny ACE at the top of the ACL, denying Everyone delete and delete subtree. Same procedure: we add our two test ACEs, read the sddl, and rewrite it.

samba-tool dsacl set --objectdn="OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu" --sddl="(D;;SDDT;;;WD)(A;;RPLCLORC;;;ED)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;CIIO;RPWP;deaea1df-2135-41c0-bb7d-4397e6434676;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)(OA;CIIO;RPCR;318e36f2-a510-4502-b41c-be3984b39c71;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)"

Here hell breaks loose when we try to inspect the result. We get:

Now we cancel and look at what samba-tool wrote:

Indeed we can call this a corrupted ACL.

Conclusion: either I am not using the tool correctly, in which case obviously someone will point me in the right direction, or samba-tool has a big problem with writing DACLs.

Thanks for your inputs,

Eric
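As an added example (not part of the original post, nor Samba's own code): a small Python checker that parses the SDDL strings samba-tool dsacl prints, reports ACEs that sit later than the canonical DACL order allows (explicit deny, then explicit allow, then inherited), and compares what was passed to dsacl set with what dsacl get reads back while ignoring order. The sample WRITTEN/READ_BACK strings are constructed from the ACEs quoted in the post.

```python
import re
from collections import Counter

ACE_RE = re.compile(r"\(([^()]*)\)")
FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")

def parse_aces(sddl):
    """Split an SDDL DACL into ACE dicts; the 'S:' SACL part is dropped."""
    aces = []
    for m in ACE_RE.finditer(sddl.split("S:", 1)[0]):
        parts = m.group(1).split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: " + m.group(0))
        ace = dict(zip(FIELDS, parts))
        ace["flag_set"] = set(re.findall(r"[A-Z]{2}", ace["flags"]))  # CI, IO, ID, ...
        aces.append(ace)
    return aces

def canonical_rank(ace):
    """0 = explicit deny, 1 = explicit allow, 2 = inherited (ID flag)."""
    if "ID" in ace["flag_set"]:
        return 2
    return 0 if ace["type"] in ("D", "OD") else 1

def order_violations(aces):
    """Indices of ACEs placed later than canonical order allows (e.g. an
    explicit deny after an allow, so the deny is no longer evaluated first)."""
    bad, highest = [], -1
    for i, ace in enumerate(aces):
        rank = canonical_rank(ace)
        if rank < highest:
            bad.append(i)
        highest = max(highest, rank)
    return bad

def compare(written, read_back):
    """Compare the dsacl set string with the dsacl get output as sets of explicit
    ACEs (inherited ones belong to the parent). Returns (missing, unexpected, dups)."""
    key = lambda a: tuple(a[f] for f in FIELDS)
    w = Counter(key(a) for a in parse_aces(written))
    r = {key(a) for a in parse_aces(read_back) if canonical_rank(a) != 2}
    return set(w) - r, r - set(w), sorted(k for k, n in w.items() if n > 1)

# Constructed sample modelled on the third experiment in the post: deny ACE written
# first; the read-back is reordered and carries an inherited ACE plus the SACL.
WRITTEN = ("(D;;SDDT;;;WD)(A;;RPLCLORC;;;ED)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
           "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)")
READ_BACK = ("(A;;RPLCLORC;;;ED)(D;;SDDT;;;WD)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)"
             "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;LC;;;RU)"
             "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
```

A pure reordering leaves compare() empty; what this flags is a deny ACE pushed behind an allow, an ACE that went missing on the round trip, or duplicates in the string handed to dsacl set.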
