[Samba] ACL problem after sysvolreset (possible bug ?)

denis bonnenfant@sambaedu.org denis.bonnenfant at sambaedu.org
Thu Feb 27 18:00:29 UTC 2025


On 27/02/2025 at 10:12, denis bonnenfant--- via samba wrote:
>
> On 27/02/2025 at 09:58, Rowland Penny via samba wrote:
>> On Thu, 27 Feb 2025 09:49:47 +0100
>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>
>>> On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
>>>> On Wed, 26 Feb 2025 22:18:44 +0100
>>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>>>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>>>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Summary :
>>>>>>>
>>>>>>> New GPOs are created from Windows with explicit rwx user and
>>>>>>> group ACLs for "Domain Admins", which are inherited by every
>>>>>>> object created, while sysvolreset is changing this to user:group
>>>>>>> ownership, which is not inheritable, and removes the ACLs for
>>>>>>> "Domain Admins". descriptor for 
>>> CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org: 
>>>
>>> O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) 
>>>
>> Before I dive into this, can you supply the smb.conf from the DC and
>> the Unix permissions from /var/lib/samba/sysvol and

Just for information:

changing file "/usr/lib/python3/dist-packages/samba/ntacls.py", lines
308-309 to


        if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and str(ace.trustee) != security.SID_BUILTIN_PREW2K:

removes the problematic ACE (the one with uuid), and after that GPOs are
working perfectly after sysvolreset. It's just a hack, probably with
corner effects, but it is out of my skills to test it....
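
Added illustration, not part of the original post and not Samba's code: a standalone Python sketch that parses the DACL of the descriptor quoted above and applies the same test as the posted condition to the SDDL strings, showing which ACE it filters out. The helper names are hypothetical; "RU" and "S-1-5-32-554" are the SDDL alias and SID of Pre-Windows 2000 Compatible Access.

```python
import re

# DACL ACEs of the GPO descriptor quoted in the thread (copied from the post).
DACL = ("(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)"
        "(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)"
        "(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)"
        "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)")

# Pre-Windows 2000 Compatible Access, as SDDL alias and as SID string.
PREW2K = {"RU", "S-1-5-32-554"}

FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")


def parse_aces(dacl):
    """Split an SDDL ACL body into one dict per ACE."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(dict(zip(FIELDS, parts[:6])))
    return aces


def split_for_filesystem(aces):
    """Same test as the posted condition, on SDDL strings: keep plain
    ACCESS_ALLOWED ("A") ACEs whose trustee is not the pre-W2K group."""
    kept, dropped = [], []
    for ace in aces:
        if ace["type"] == "A" and ace["trustee"] not in PREW2K:
            kept.append(ace)
        else:
            dropped.append(ace)
    return kept, dropped


def to_sddl(aces):
    """Serialise parsed ACEs back to SDDL ACE strings."""
    return "".join("(" + ";".join(a[f] for f in FIELDS) + ")" for a in aces)


if __name__ == "__main__":
    kept, dropped = split_for_filesystem(parse_aces(DACL))
    print("kept   :", to_sddl(kept))
    print("dropped:", to_sddl(dropped))
```

The only ACE dropped from this descriptor is the object ACE carrying the GUID, which is the one the post calls problematic.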



