[Samba] ACL problem after sysvolreset (possible bug ?)

denis bonnenfant@sambaedu.org denis.bonnenfant at sambaedu.org
Thu Feb 27 18:30:21 UTC 2025


On 27/02/2025 at 19:00, denis bonnenfant--- via samba wrote:
>
> On 27/02/2025 at 10:12, denis bonnenfant--- via samba wrote:
>>
>> On 27/02/2025 at 09:58, Rowland Penny via samba wrote:
>>> On Thu, 27 Feb 2025 09:49:47 +0100
>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
>>>>> On Wed, 26 Feb 2025 22:18:44 +0100
>>>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>>>>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>>>>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Summary :
>>>>>>>>
>>>>>>>> New GPOs are created from Windows with explicit rwx user and
>>>>>>>> group ACLs for "Domain Admins", which are inherited by every
>>>>>>>> object created, while sysvolreset changes this to user:group
>>>>>>>> ownership, which is not inheritable, and removes the ACLs for
>>>>>>>> "Domain Admins".
>>>>
>>>> descriptor for
>>>> CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
>>>>
>>>> O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) 
>>>>
>>> Before I dive into this, can you supply the smb.conf from the DC and
>>> the Unix permissions from /var/lib/samba/sysvol and
>
> Just for information :
>
> changing file "/usr/lib/python3/dist-packages/samba/ntacls.py",
> lines 308-309 to
>
>
>         if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and \
>                 str(ace.trustee) != security.SID_BUILTIN_PREW2K:
>
> removes the problematic ACE (the one with the UUID), and after that GPOs
> are working perfectly after sysvolreset. It's just a hack, with probably
> some side effects, but it is out of my skills to test it....
>
>
This UUID is defined as ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY in gpo.h,
but it doesn't seem to be defined in the Python scripts. Maybe adding some
logic to filter out specifically this ACE would be better, but I don't
see how...
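The descriptor quoted earlier in this thread and the filter condition from the ntacls.py hack, worked through in an added example (this is not Samba's code and not the patch from the mail). It uses a minimal SDDL parser written for this illustration and assumes that SDDL ACE type "A" corresponds to SEC_ACE_TYPE_ACCESS_ALLOWED and "OA" to the object-ACE type, that the SDDL alias RU stands for S-1-5-32-554 (the SID behind Samba's SID_BUILTIN_PREW2K), and that the GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939 is the Apply-Group-Policy extended right the mail names:

```python
"""Added example (not Samba code, not the patch from the mail): parse the
GPO container's SDDL descriptor quoted in this thread and show which DACL
entries survive the ACE filter described in the mail."""
import re
from dataclasses import dataclass

# The nTSecurityDescriptor SDDL quoted earlier in this thread.
GPO_SDDL = (
    "O:DAG:DAD:P"
    "(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)"
    "(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)"
    "(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)"
    "(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)"
    "(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)"
    "(A;CI;LCRPLORC;;;AU)"
    "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
    "(A;CI;LCRPLORC;;;ED)"
    "S:AI"
    "(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

# Assumed well-known values: the extended-right GUID the mail identifies as
# ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY, and the SID behind Samba's
# SID_BUILTIN_PREW2K (SDDL alias "RU", Pre-Windows 2000 Compatible Access).
APPLY_GROUP_POLICY_GUID = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
PREW2K_SID = "S-1-5-32-554"
SDDL_ALIAS_TO_SID = {"RU": PREW2K_SID}


@dataclass
class Ace:
    """One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee)."""
    ace_type: str      # "A" = ACCESS_ALLOWED, "OA" = ACCESS_ALLOWED_OBJECT, "OU" = SYSTEM_AUDIT_OBJECT
    flags: str         # e.g. "CI" container-inherit, "IO" inherit-only
    rights: str
    object_guid: str
    inherit_guid: str
    trustee: str       # SDDL alias (DA, SY, ...) or a literal S-1-... SID

    @property
    def trustee_sid(self) -> str:
        return SDDL_ALIAS_TO_SID.get(self.trustee, self.trustee)


_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into owner, group and the DACL/SACL ACE lists."""
    tokens = re.split(r"([OGDS]):", sddl)   # ['', 'O', 'DA', 'G', 'DA', 'D', ..., 'S', ...]
    parts = dict(zip(tokens[1::2], tokens[2::2]))

    def acl(text: str):
        acl_flags = text.split("(", 1)[0]   # "P" = protected, "AI" = auto-inherited
        aces = [Ace(*body.split(";")) for body in _ACE_RE.findall(text)]
        return acl_flags, aces

    dacl_flags, dacl = acl(parts.get("D", ""))
    sacl_flags, sacl = acl(parts.get("S", ""))
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl_flags": dacl_flags, "dacl": dacl,
            "sacl_flags": sacl_flags, "sacl": sacl}


def fs_dacl_from_ds_dacl(dacl):
    """Apply the condition from the mail: keep plain ACCESS_ALLOWED ACEs whose
    trustee is not Pre-Windows 2000 Compatible Access.  Object ACEs (type "OA"),
    the Apply-Group-Policy one included, are dropped.  Returns (kept, dropped)."""
    kept, dropped = [], []
    for ace in dacl:
        if ace.ace_type == "A" and ace.trustee_sid != PREW2K_SID:
            kept.append(ace)
        else:
            dropped.append(ace)
    return kept, dropped


def report(sddl: str = GPO_SDDL) -> str:
    """Human-readable summary of which ACEs would reach the file-system ACL."""
    sd = parse_sddl(sddl)
    kept, dropped = fs_dacl_from_ds_dacl(sd["dacl"])
    lines = [f"owner={sd['owner']} group={sd['group']} dacl_flags={sd['dacl_flags']}"]
    for ace in kept:
        lines.append(f"  keep  {ace.ace_type:<2} {ace.flags:<4} {ace.rights:<28} {ace.trustee}")
    for ace in dropped:
        note = " (Apply-Group-Policy)" if ace.object_guid == APPLY_GROUP_POLICY_GUID else ""
        lines.append(f"  drop  {ace.ace_type:<2} {ace.flags:<4} {ace.rights:<28} {ace.trustee}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running it lists the seven plain allow ACEs as kept and the single OA ACE carrying the Apply-Group-Policy GUID as dropped; feeding it a GPO's descriptor taken before and after sysvolreset is a quick way to see exactly which entries the DS-to-FS conversion discards, without touching the live ACLs.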

