[Samba] Security descriptors options of Group Policies
Olivier BILHAUT
obilhaut at fondation-misericorde.fr
Thu May 16 15:40:45 UTC 2024
Thanks Rowland for, once again, an analysis that looks good.

To you: is there a workaround at this stage?

For others, let's say someone who had developed this part: any chance to see a change in the next version? Unfortunately I can't propose a patch either at the moment.

Any other suggestion appreciated.

--
Olivier
On 2024-05-16 12:41, Rowland Penny via samba wrote:
> On Thu, 16 May 2024 11:26:54 +0200
> Olivier BILHAUT via samba <samba at lists.samba.org> wrote:
>
>> Hi Samba List, hope you're all doing well.
>>
>> We have carried out a security audit of our Samba4 Active Directory.
>>
>> It returns that the security descriptor options of all our GPO objects
>> are wrong. They should be:
>>
>> SE_DACL_AUTO_INHERITED
>> SE_DACL_PRESENT
>>
>> instead of this, the options are by default:
>>
>> SE_DACL_PROTECTED
>> SE_DACL_PRESENT
>>
>> We can change the options, but the "sysvolreset" command of samba-tool
>> reverts our changes at every run. (BTW we use sysvolreset because
>> "sysvolcheck" returns errors after each GPO creation, without our knowing
>> why.)
>>
>> So there are multiple questions in one:
>>
>> * Why are the security descriptor options not like the recommended ones?
>> * Is there a way to change how sysvolreset applies security descriptor
>>   options?
>> * And alternatively, do you know why sysvolcheck returns errors after
>>   each GPO creation?
>>
>
> I think those three questions are all tied to the same thing, the
> default Samba Policy directory SDDL is set to this:
>
> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)
>
> Which if you break it down a bit (the relevant part comes before the
> first '(' ):
>
> O:LAG:BAD:P
>
> O = Owner, 'LA' or LOCAL_ADMIN
> G = Group, 'BA' or BUILTIN_ADMINISTRATORS
> D = DACL, 'P' or SE_DACL_PROTECTED
>
> However, quite some time ago I set up a Windows 2012R2 DC and found that
> the Policy folder had this SDDL:
>
> O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)
>
> Quite a bit different. Ignoring the ACEs, the start is this:
>
> O:BAG:SYD:PAI
>
> BA, BUILTIN_ADMINISTRATORS
> SY, LOCAL_SYSTEM
> PAI, SE_DACL_PROTECTED SE_DACL_AUTO_INHERITED
>
> It was about this time that I was told my python wasn't good enough, so
> I gave up trying to patch things.
>
> To put it bluntly, in my opinion, Samba uses the wrong permissions on
> SYSVOL.
>
> Rowland
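To make the two SDDL strings quoted in the thread directly comparable, the following is a small parser added as an example here; it is neither part of the thread nor Samba's own code. It decodes the owner, group, DACL control letters (P, AI, AR) and the ACE list of an SDDL string, and checks the control flags against what the audit in the thread asked for (SE_DACL_AUTO_INHERITED together with SE_DACL_PRESENT). The two-letter SID alias table beyond LA, BA and SY, the EXPECTED_GPO_FLAGS constant and all function names are assumptions made for this example; the two sample descriptors are the ones Rowland posted. It needs only the Python standard library, so it runs without Samba installed.

```python
"""Decode SDDL owner/group/DACL-control flags and ACEs (added example)."""
import re
from typing import Dict, List, NamedTuple

# Letters allowed after "D:" in SDDL and the control flag each names.
# The mere presence of "D:" corresponds to SE_DACL_PRESENT.
DACL_FLAG_TOKENS = {
    "P": "SE_DACL_PROTECTED",
    "AI": "SE_DACL_AUTO_INHERITED",
    "AR": "SE_DACL_AUTO_INHERIT_REQ",
}

# Two-letter SID aliases appearing in the thread's descriptors.  The thread
# only spells out LA, BA and SY; the rest is an assumed mapping.
SID_ALIASES = {
    "LA": "LOCAL_ADMIN",
    "BA": "BUILTIN_ADMINISTRATORS",
    "SY": "LOCAL_SYSTEM",
    "SO": "SERVER_OPERATORS",
    "AU": "AUTHENTICATED_USERS",
    "PA": "GROUP_POLICY_CREATOR_OWNERS",
    "CO": "CREATOR_OWNER",
}

# Assumed expectation, taken from the audit result described in the thread.
EXPECTED_GPO_FLAGS = frozenset({"SE_DACL_PRESENT", "SE_DACL_AUTO_INHERITED"})


class Ace(NamedTuple):
    ace_type: str   # "A" = access allowed, "D" = access denied, ...
    ace_flags: str  # inheritance flags such as OI, CI, IO
    rights: str     # FA, GA, GXGR ... or a hex access mask
    trustee: str    # two-letter alias or S-1-... SID


class SecurityDescriptor(NamedTuple):
    owner: str
    group: str
    dacl_flags: List[str]  # symbolic SE_DACL_* names, SDDL order
    aces: List[Ace]


_SID = r"(?:[A-Z]{2}|S-1-[0-9-]+)"
_HEADER_RE = re.compile(rf"^O:(?P<owner>{_SID})G:(?P<group>{_SID})D:(?P<flags>[A-Z]*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl_flags(flags_txt: str) -> List[str]:
    """Turn the letters after 'D:' (e.g. 'PAI') into SE_DACL_* names."""
    flags = ["SE_DACL_PRESENT"]
    i = 0
    while i < len(flags_txt):
        # AI and AR are two-letter tokens; P is a single letter.
        tok = flags_txt[i:i + 2] if flags_txt[i:i + 2] in DACL_FLAG_TOKENS else flags_txt[i]
        if tok not in DACL_FLAG_TOKENS:
            raise ValueError(f"unknown DACL control token {tok!r}")
        flags.append(DACL_FLAG_TOKENS[tok])
        i += len(tok)
    return flags


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse an 'O:...G:...D:...(ace)(ace)...' string."""
    m = _HEADER_RE.match(sddl)
    if not m:
        raise ValueError("expected an SDDL string of the form O:...G:...D:...")
    aces = []
    for body in _ACE_RE.findall(sddl[m.end():]):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5]))
    return SecurityDescriptor(m.group("owner"), m.group("group"),
                              parse_dacl_flags(m.group("flags")), aces)


def audit_dacl_flags(sd: SecurityDescriptor) -> Dict[str, List[str]]:
    """Report which expected control flags are missing and which extra ones are set."""
    present = set(sd.dacl_flags)
    return {"missing": sorted(EXPECTED_GPO_FLAGS - present),
            "unexpected": sorted(present - EXPECTED_GPO_FLAGS)}


def describe(sd: SecurityDescriptor) -> str:
    lines = [f"owner : {sd.owner} ({SID_ALIASES.get(sd.owner, 'unknown alias')})",
             f"group : {sd.group} ({SID_ALIASES.get(sd.group, 'unknown alias')})",
             "dacl  : " + " ".join(sd.dacl_flags)]
    for ace in sd.aces:
        who = SID_ALIASES.get(ace.trustee, ace.trustee)
        lines.append(f"  ace : {ace.ace_type:2} {ace.ace_flags:6} {ace.rights:9} -> {who}")
    return "\n".join(lines)


# The two descriptors quoted in the thread (Samba default, Windows 2012R2).
SAMBA_POLICY_SDDL = ("O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)"
                     "(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)")
WINDOWS_2012R2_POLICY_SDDL = (
    "O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)"
    "(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)"
    "(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)")

if __name__ == "__main__":
    for name, sddl in (("Samba default", SAMBA_POLICY_SDDL),
                       ("Windows 2012R2", WINDOWS_2012R2_POLICY_SDDL)):
        sd = parse_sddl(sddl)
        print(f"== {name} ==\n{describe(sd)}\naudit : {audit_dacl_flags(sd)}\n")
```

Run against the thread's two strings, the Samba default comes back with SE_DACL_AUTO_INHERITED missing and SE_DACL_PROTECTED set, while the Windows 2012R2 descriptor has both P and AI, so the audit rule as stated in the thread still flags SE_DACL_PROTECTED on it; that is worth keeping in mind before treating either string as the target of a sysvolreset change.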