[Samba] Security descriptors options of Group Policies
Rowland Penny
rpenny at samba.org
Thu May 16 10:41:51 UTC 2024
On Thu, 16 May 2024 11:26:54 +0200
Olivier BILHAUT via samba <samba at lists.samba.org> wrote:
> Hi Samba List, hope you're doing well all.
>
> We have carried out a security audit of our Samba4 Active Directory.
>
> It returns that the security descriptor options of all our GPO objects
> are wrong. They should be:
>
> SE_DACL_AUTO_INHERITED
> SE_DACL_PRESENT
>
> Instead of this, the options are by default:
>
> SE_DACL_PROTECTED
> SE_DACL_PRESENT
>
> We can change the options, but the "sysvolreset" command of samba-tool
> reverts our changes at every run. (BTW we use sysvolreset because
> "sysvolcheck" returns errors after each GPO creation, without knowing
> why.)
>
> So there are multiple questions in one:
>
> * Why are the security descriptor options not like the recommended
>   ones?
> * Is there a way to change how sysvolreset applies security descriptor
>   options?
> * And alternatively, do you know why sysvolcheck returns errors after
>   each GPO creation?
>
>
I think those three questions are all tied to the same thing: the
default Samba Policy directory SDDL is set to this:
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)
Which, if you break it down a bit (the relevant part comes before the
first '('), is:
O:LAG:BAD:P
O = Owner, 'LA' or LOCAL_ADMIN
G = Group, 'BA' or BUILTIN_ADMINISTRATORS
D = DACL, 'P' or SE_DACL_PROTECTED
However, quite some time ago I set up a Windows 2012R2 DC and found that
the Policy folder had this SDDL:
O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)
Quite a bit different. Ignoring the ACEs, the start is this:
O:BAG:SYD:PAI
BA, BUILTIN_ADMINISTRATORS
SY, LOCAL_SYSTEM
PAI, SE_DACL_PROTECTED SE_DACL_AUTO_INHERITED
It was about this time that I was told my Python wasn't good enough, so
I gave up trying to patch things.
To put it bluntly, in my opinion, Samba uses the wrong permissions on
SYSVOL.
Rowland
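The following is an added example and not code from Samba or from anyone in the thread: a small Python decoder for the two SDDL strings quoted in the message above. It splits the O:/G:/D: components, names the DACL control flags (P, AI, AR; SE_DACL_PRESENT is implied by the D: component itself), expands the ACE rights tokens and hex masks into file access-mask bit names, and reports which control flags are missing or unexpected relative to the list the audit asked for. The two SDDL strings are copied verbatim from the message; the flag, rights-token and access-mask tables are the standard Windows SDDL and file access-mask vocabulary, and `object_masks()` is a helper of this example, not a Samba API.

```python
"""Decode and compare the SDDL strings quoted in the message above.

Added example, not Samba code.  The two descriptors are copied from the
message; the lookup tables are the standard Windows SDDL vocabulary.
"""
import re

# Test input: the two SDDL strings quoted in the message above.
SAMBA_DEFAULT_SDDL = (
    "O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)"
    "(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)"
)
WINDOWS_2012R2_SDDL = (
    "O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)"
    "(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)"
    "(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)"
    "(A;OICIIO;GXGWGR;;;PA)"
)

# DACL control flags that may follow "D:" before the first ACE.
DACL_FLAGS = {"AI": "SE_DACL_AUTO_INHERITED", "AR": "SE_DACL_AUTO_INHERIT_REQ",
              "P": "SE_DACL_PROTECTED"}

# SDDL rights tokens appearing in the two strings, as access-mask values.
RIGHTS_TOKENS = {"FA": 0x1F01FF, "GA": 0x10000000, "GX": 0x20000000,
                 "GW": 0x40000000, "GR": 0x80000000}

# File-object access-mask bits, used to decode the hex masks.
MASK_BITS = [
    (0x00000001, "FILE_READ_DATA"), (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"), (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"), (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"), (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
    (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ"),
]


def parse_dacl_flags(flags):
    """Turn the text between 'D:' and the first ACE ('PAI') into flag names."""
    names, i = [], 0
    while i < len(flags):
        for tok in ("AI", "AR", "P"):        # two-letter tokens first
            if flags.startswith(tok, i):
                names.append(DACL_FLAGS[tok])
                i += len(tok)
                break
        else:
            raise ValueError(f"unknown DACL flag at {flags[i:]!r}")
    return names


def rights_to_mask(rights):
    """'0x1200a9' -> 0x1200a9; 'GXGR' -> GENERIC_EXECUTE | GENERIC_READ."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHTS_TOKENS[rights[i:i + 2]] for i in range(0, len(rights), 2))


def decode_mask(mask):
    """Name the access-mask bits that are set."""
    return [name for bit, name in MASK_BITS if mask & bit]


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACEs."""
    comps = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = comps.get("D", "")
    control = ["SE_DACL_PRESENT"] if "D" in comps else []
    control += parse_dacl_flags(dacl.split("(", 1)[0])
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, ace_flags, rights, _obj, _inh_obj, trustee = body.split(";")
        aces.append({
            "type": ace_type,
            "flag_tokens": [ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)],
            "mask": rights_to_mask(rights),
            "trustee": trustee,
        })
    return {"owner": comps.get("O"), "group": comps.get("G"),
            "control": control, "aces": aces}


def check_control(sddl, expected=("SE_DACL_PRESENT", "SE_DACL_AUTO_INHERITED")):
    """Return (missing, unexpected) control flags against the audit's list."""
    have, want = set(parse_sddl(sddl)["control"]), set(expected)
    return sorted(want - have), sorted(have - want)


def object_masks(sddl):
    """Per trustee, OR of allow-ACE masks that apply to the folder itself.
    Inherit-only ACEs (flag IO) only shape what children receive."""
    out = {}
    for ace in parse_sddl(sddl)["aces"]:
        if ace["type"] != "A" or "IO" in ace["flag_tokens"]:
            continue
        out[ace["trustee"]] = out.get(ace["trustee"], 0) | ace["mask"]
    return out


if __name__ == "__main__":
    for label, sddl in (("Samba default", SAMBA_DEFAULT_SDDL),
                        ("Windows 2012R2", WINDOWS_2012R2_SDDL)):
        parsed = parse_sddl(sddl)
        print(label, parsed["owner"], parsed["group"], parsed["control"])
        print("  missing/unexpected:", check_control(sddl))
        for trustee, mask in object_masks(sddl).items():
            print(f"  {trustee}: 0x{mask:x}", decode_mask(mask))
```

Run against the two strings, `check_control()` reports the Samba default as missing SE_DACL_AUTO_INHERITED and carrying SE_DACL_PROTECTED, which is what the audit complained about; note that the Windows 2012R2 descriptor quoted above also carries P alongside AI, so an audit that expects exactly AUTO_INHERITED + PRESENT would flag it as well. The per-trustee masks show the other differences hidden in the hex values: Samba's PA (Group Policy Creator Owners) ACE 0x1301bf includes DELETE where the Windows 0x1201bf does not, and Samba grants BA Full Control (FA) where Windows grants 0x1e01bf, which lacks DELETE and FILE_DELETE_CHILD on the folder itself.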