[Samba] ACL problem after sysvolreset (possible bug ?)
Rowland Penny
rpenny at samba.org
Thu Feb 27 18:49:00 UTC 2025
On Thu, 27 Feb 2025 19:00:29 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> Just for information :
>
> changing file "/usr/lib/python3/dist-packages/samba/ntacls.py",
> lines 308-309 to
>
>
> if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and
> str(ace.trustee) != security.SID_BUILTIN_PREW2K:
>
> removes problematic ace (the one with uuid), and after that gpo are
> working perfectly after sysvolreset. It's just a hack, with
> probably corner effects, but it is out of my skills to test it....
>
>
The GPOs are stored in sysvol and in AD (they are in
'CN=Policies,CN=System,DC=samdom,DC=example,DC=com') and the
'nTSecurityDescriptor' attribute from each policy is used by sysvolreset
to set the permissions on each policy in sysvol; it seems that this is
where the problem comes from.

If you compare the output of the following command with the SDDL of the
GPO in sysvol, they should be very similar:

sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb \
  '(distinguishedName=CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com)' \
  nTSecurityDescriptor

Where '{6AC1786C-016F-11D2-945F-00C04FB984F9}' is the GPO.

Rowland
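
The comparison suggested above, as an added example that is not part of the original message or of Samba's code: it parses the DACL of two SDDL strings, reports (ACE type, trustee) pairs present on only one side, and lists any ACE in the sysvol descriptor that carries an object GUID. Both SDDL strings, the GUID and the function names are constructed for illustration; rights and inheritance flags are ignored because directory and file access masks encode different specific rights.

```python
import re

ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

# Constructed sample descriptors (not from a real domain); the GUID is a placeholder.
AD_SDDL = ("O:DAG:DAD:PAI(A;CI;0x000f00ff;;;DA)(A;CI;0x00020094;;;AU)"
           "(OA;CI;CR;00000000-1111-2222-3333-444444444444;;AU)"
           "(A;CI;0x000f00ff;;;SY)(A;CI;0x00020094;;;ED)")
SYSVOL_SDDL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)"
               "(OA;OICI;0x00000100;00000000-1111-2222-3333-444444444444;;AU)"
               "(A;OICI;0x001f01ff;;;SY)")


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as a list of dicts.

    Conditional ACEs (nested parentheses) are not handled.
    """
    # "D:" followed by optional control flags and at least one "(...)" ACE.
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"unexpected ACE: ({body})")
        aces.append(dict(zip(ACE_FIELDS, parts)))
    return aces


def compare_dacls(ad_sddl, fs_sddl):
    """Compare two DACLs by (ACE type, trustee) and flag object ACEs on the file side."""
    ad, fs = parse_dacl(ad_sddl), parse_dacl(fs_sddl)
    ad_keys = {(a["type"], a["trustee"]) for a in ad}
    fs_keys = {(a["type"], a["trustee"]) for a in fs}
    return {
        "only_in_ad": sorted(ad_keys - fs_keys),
        "only_in_sysvol": sorted(fs_keys - ad_keys),
        # ACEs with a GUID field set are object ACEs (the kind "with uuid").
        "object_aces_in_sysvol": [a for a in fs if a["object_guid"] or a["inherit_guid"]],
    }


if __name__ == "__main__":
    for name, value in compare_dacls(AD_SDDL, SYSVOL_SDDL).items():
        print(name, value)
```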