[Samba] Security descriptors options of Group Policies
Olivier BILHAUT
obilhaut at fondation-misericorde.fr
Thu May 16 09:26:54 UTC 2024
Hi Samba List, hope you're all doing well.

We have realized a security audit of our Samba4 Active Directory. It returns that the security descriptor options of all our GPO objects are wrong. They should be:

SE_DACL_AUTO_INHERITED
SE_DACL_PRESENT

Instead of this, the options are by default:

SE_DACL_PROTECTED
SE_DACL_PRESENT

We can change the options, but the "sysvolreset" command of samba-tool reverts our changes at every run. (BTW we use sysvolreset because "sysvolcheck" returns errors after each GPO creation, without knowing why.)

So there are multiple questions in one:

* Why are the security descriptor options not like the recommended ones?
* Is there a way to change how sysvolreset applies security descriptor options?
* And alternatively, do you know why sysvolcheck returns errors after each GPO creation?

Many thanks to all.
--
Olivier
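
One way to check the control flags named in the message above, as an added example that is not part of the original post or of Samba's code: it decodes the DACL control bits from a self-relative binary descriptor or from an SDDL string and compares them with the flags the audit asked for. The sample descriptors are constructed and the function names are hypothetical.

```python
import re
import struct

# Control bits of a security descriptor (MS-DTYP SECURITY_DESCRIPTOR, Control field).
SD_CONTROL = {
    "SE_DACL_PRESENT": 0x0004,
    "SE_DACL_AUTO_INHERIT_REQ": 0x0100,
    "SE_DACL_AUTO_INHERITED": 0x0400,
    "SE_DACL_PROTECTED": 0x1000,
    "SE_SELF_RELATIVE": 0x8000,
}
# SDDL DACL flag tokens and the control bit each one stands for.
SDDL_DACL_FLAGS = {"P": "SE_DACL_PROTECTED", "AR": "SE_DACL_AUTO_INHERIT_REQ", "AI": "SE_DACL_AUTO_INHERITED"}

def flags_from_binary(sd: bytes) -> set:
    """Decode the Control word (bytes 2-3, little endian) of a self-relative descriptor."""
    if len(sd) < 20:
        raise ValueError("a self-relative security descriptor header is 20 bytes")
    revision, _sbz1, control = struct.unpack_from("<BBH", sd, 0)
    if revision != 1:
        raise ValueError(f"unexpected revision {revision}")
    return {name for name, bit in SD_CONTROL.items() if control & bit}

def flags_from_sddl(sddl: str) -> set:
    """Decode the DACL flags that follow 'D:' in an SDDL string."""
    m = re.search(r"D:((?:P|AR|AI)*)(?=\(|S:|$)", sddl)
    if m is None:
        return set()  # no DACL component, so SE_DACL_PRESENT is not set
    tokens = re.findall(r"AR|AI|P", m.group(1))
    return {"SE_DACL_PRESENT"} | {SDDL_DACL_FLAGS[t] for t in tokens}

def audit(flags: set) -> list:
    """Compare decoded flags with the combination the audit in the message expects."""
    findings = [f"missing {f}" for f in ("SE_DACL_PRESENT", "SE_DACL_AUTO_INHERITED") if f not in flags]
    if "SE_DACL_PROTECTED" in flags:
        findings.append("unexpected SE_DACL_PROTECTED")
    return findings

# Constructed samples, not taken from a real domain.
SAMPLE_PROTECTED_SDDL = "O:DAG:DAD:P(A;OICI;FA;;;DA)"
SAMPLE_INHERITED_SDDL = "O:DAG:DAD:AI(A;OICIID;FA;;;DA)"
SAMPLE_BINARY = struct.pack("<BBHIIII", 1, 0, 0x8000 | 0x1000 | 0x0004, 0, 0, 0, 20)

if __name__ == "__main__":
    for label, sddl in (("protected", SAMPLE_PROTECTED_SDDL), ("inherited", SAMPLE_INHERITED_SDDL)):
        print(label, sorted(flags_from_sddl(sddl)), audit(flags_from_sddl(sddl)))
    print("binary", sorted(flags_from_binary(SAMPLE_BINARY)), audit(flags_from_binary(SAMPLE_BINARY)))
```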