[Samba] Security descriptors options of Group Policies

Olivier BILHAUT obilhaut at fondation-misericorde.fr
Thu May 16 15:40:45 UTC 2024


Thanks Rowland for, once again, an analysis that looks good.

To you: is there a workaround at this stage?

For others, let's say someone who had developed this part: any chance to see a change in the next version?

Unfortunately, I can't propose a patch either at the moment.

Any other suggestion appreciated.

--

Olivier

On 2024-05-16 12:41, Rowland Penny via samba wrote:

> On Thu, 16 May 2024 11:26:54 +0200
> Olivier BILHAUT via samba <samba at lists.samba.org> wrote:
> 
>> Hi Samba List, hope you're all doing well.
>> 
>> We have carried out a security audit of our Samba4 Active Directory.
>> 
>> It reports that the security descriptor options of all our GPO objects are wrong. They should be:
>> 
>> SE_DACL_AUTO_INHERITED
>> SE_DACL_PRESENT
>> 
>> Instead of this, the options are by default:
>> 
>> SE_DACL_PROTECTED
>> SE_DACL_PRESENT
>> 
>> We can change the options, but the "sysvolreset" command of samba-tool reverts our changes at every run. (BTW we use sysvolreset because "sysvolcheck" returns errors after each GPO creation, without knowing why.)
>> 
>> So there are multiple questions in one:
>> 
>> * Why are the security descriptor options not like the recommended ones?
>> * Is there a way to change how sysvolreset applies security descriptor options?
>> * And alternatively, do you know why sysvolcheck returns errors after each GPO creation?
>> 
> 
> I think those three questions are all tied to the same thing, the default Samba Policy directory SDDL is set to this:
> 
> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)
> 
> Which if you break it down a bit (the relevant part comes before the first '(' ):
> 
> O:LAG:BAD:P
> 
> O = Owner, 'LA' or LOCAL_ADMIN
> G = Group, 'BA' or BUILTIN_ADMINISTRATORS
> D = DACL, 'P' or SE_DACL_PROTECTED
> 
> However, quite some time ago I set up a Windows 2012R2 DC and found that the Policy folder had this SDDL:
> 
> O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)
> 
> Quite a bit different. Ignoring the ACEs, the start is this:
> 
> O:BAG:SYD:PAI
> 
> BA, BUILTIN_ADMINISTRATORS
> SY, LOCAL_SYSTEM
> PAI, SE_DACL_PROTECTED SE_DACL_AUTO_INHERITED
> 
> It was about this time that I was told my python wasn't good enough, so I gave up trying to patch things.
> 
> To put it bluntly, in my opinion, Samba uses the wrong permissions on SYSVOL.
> 
> Rowland
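As an added example (not code from this thread or from Samba), a small Python parser for the SDDL header and DACL control flags discussed above, run over the two SDDL strings quoted by Rowland (the Windows one shortened to its first five ACEs). It also rebuilds the Samba default with the flag prefix the audit asks for (AI only, i.e. SE_DACL_AUTO_INHERITED without SE_DACL_PROTECTED), so you can see what that string would look like before touching anything.

```python
import re

# SDDL DACL control tokens and the security-descriptor control bits they set.
# SE_DACL_PRESENT is implied by the mere presence of a D: component.
DACL_FLAG_TOKENS = {"P": "SE_DACL_PROTECTED",
                    "AR": "SE_DACL_AUTO_INHERIT_REQ",
                    "AI": "SE_DACL_AUTO_INHERITED"}

# Samples copied from the quoted message (Windows one cut to five ACEs).
SAMBA_DEFAULT = ("O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)"
                 "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)")
WINDOWS_2012R2 = ("O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)"
                  "(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)")

def split_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}

def parse_dacl(dacl):
    """Return (set of control flag names, list of ACE field tuples)."""
    prefix = dacl.split("(", 1)[0]        # flag tokens precede the first ACE
    flags, i = set(), 0
    while i < len(prefix):                # two-char tokens first, then 'P'
        tok = prefix[i:i+2] if prefix[i:i+2] in DACL_FLAG_TOKENS else prefix[i]
        flags.add(DACL_FLAG_TOKENS[tok])  # KeyError on an unknown token
        i += len(tok)
    flags.add("SE_DACL_PRESENT")
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", dacl)]
    return flags, aces

def dacl_flags(sddl):
    """Control flags of the DACL in a full SDDL string."""
    return parse_dacl(split_sddl(sddl)["D"])[0]

def with_dacl_flags(sddl, tokens):
    """Rebuild the SDDL with the D: flag prefix replaced by the given tokens."""
    parts = split_sddl(sddl)
    d = parts["D"]
    aces = d[d.find("("):] if "(" in d else ""
    parts["D"] = "".join(tokens) + aces
    return "".join(f"{k}:{parts[k]}" for k in "OGDS" if k in parts)

if __name__ == "__main__":
    for name, s in (("samba", SAMBA_DEFAULT), ("windows", WINDOWS_2012R2)):
        print(name, sorted(dacl_flags(s)))
    print(with_dacl_flags(SAMBA_DEFAULT, ["AI"]))
```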