L.P.H. van Belle
2015-Jun-17  07:15 UTC
[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)
Hai,

I'm running Samba 4.2.2 (SerNet packages) on Debian.

When I run:
samba-tool gpo aclcheck -UAdministrator

I'm getting:
ERROR: Invalid GPO ACL
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
and it tells me it should be
O:DAG:DAD:P
(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

The only difference: O:DAG:DAD:PAI <> O:DAG:DAD:P

The strange thing: it complains about
something.else.tld\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}

Checked the rights:
getfacl \{EAF212FE-4718-4693-BD18-6B4FC8A0513A\}/

# file: {EAF212FE-4718-4693-BD18-6B4FC8A0513A}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:3000002:rwx
user:3000003:r-x
user:enterprise\040admins:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:enterprise\040admins:rwx
group:domain\040admins:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:enterprise\040admins:rwx
default:user:domain\040admins:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:enterprise\040admins:rwx
default:group:domain\040admins:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---
And on another folder:
getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:3000002:rwx
user:3000003:r-x
user:enterprise\040admins:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:enterprise\040admins:rwx
group:domain\040admins:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:enterprise\040admins:rwx
default:user:domain\040admins:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:enterprise\040admins:rwx
default:group:domain\040admins:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

Both have the same rights, but only one is complaining about an incorrect setting..

And this was AFTER running:
samba-tool gpo aclcheck
ERROR: Error connecting to 'dc1.something.else.tld' using SMB
samba-tool gpo aclcheck -UAdministrator
Password for [SOMETHING\Administrator]:
ERROR: Invalid GPO ACL
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)
(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on path
(rotterdam.bazuin.nl\Policies\{EAF212FE-4718-4693-BD18-6B4FC8A0513A}),
should be 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
Did we hit a bug here? I don't see what's wrong, and all is working as it should.

Greetz,

Louis

Rowland Penny
2015-Jun-17  08:53 UTC
[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)
On 17/06/15 08:15, L.P.H. van Belle wrote:
> I'm running Samba 4.2.2 (SerNet packages) on Debian.
> [...]
> The only difference: O:DAG:DAD:PAI <> O:DAG:DAD:P
> [...]
> Both have the same rights, but only one is complaining about an incorrect setting..
> [...]
> Did we hit a bug here? I don't see what's wrong, and all is working as it should.

Hi Louis,

You have run into something that has been bugging me: the ACEs are correct but the owner or DACL flags are wrong, things that I think do not really matter as far as Windows is concerned.

Have a look here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379570%28v=vs.85%29.aspx

And here: http://www.netid.washington.edu/documentation/domains/sddl.aspx

My understanding is the ACEs are the things that matter; these are what come up in the security tab, and who owns the file/dir doesn't really matter.

Rowland
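Rowland's point, that the ACEs match and only the DACL control flags differ, can be checked mechanically rather than by eye. The Python below is an added example, not Samba's code and not something posted in this thread: it parses the two SDDL strings from Louis's report into owner, group, DACL control flags and ACEs, classifies the mismatch, and names the flags that differ. The function and constant names (parse_sddl, classify_difference, control_flag_difference, FOUND_ON_DISK, EXPECTED_BY_ACLCHECK) are my own; the flag meanings (P = SE_DACL_PROTECTED, AI = SE_DACL_AUTO_INHERITED) follow the SDDL reference Rowland links.

```python
"""Parse two SDDL security descriptors and report where they differ.
Added example (not Samba code, not posted in this thread): splits the strings
samba-tool gpo aclcheck prints into owner, group, control flags and ACEs, so a
mismatch is classified as "control flags only" (PAI vs P) or a real ACE change.
"""
import re
from dataclasses import dataclass

# Control flags allowed in the D:/S: sections; longest tokens first so "AI"/"AR"
# are not read as "A" + something. P = SE_DACL_PROTECTED (inheritance from the
# parent is blocked); AI = SE_DACL_AUTO_INHERITED (DACL filled in by propagation).
CONTROL_FLAG_TOKENS = ("NO_ACCESS_CONTROL", "AR", "AI", "P")

@dataclass(frozen=True)
class Ace:
    ace_type: str       # "A" allow, "D" deny, ...
    flags: frozenset    # two-letter tokens, e.g. {"OI", "CI", "IO"}
    rights: str         # hex mask (0x001f01ff) or rights tokens, as written
    object_guid: str
    inherit_guid: str
    trustee: str        # alias such as "DA" or a literal S-1-5-... SID

@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: frozenset
    dacl_aces: tuple
    sacl_flags: frozenset
    sacl_aces: tuple

def _parse_control_flags(text):
    """Tokenise the flag prefix of an ACL section, e.g. "PAI" -> {P, AI}."""
    flags, i = set(), 0
    while i < len(text):
        for tok in CONTROL_FLAG_TOKENS:
            if text.startswith(tok, i):
                flags.add(tok)
                i += len(tok)
                break
        else:
            raise ValueError(f"unknown control flag in {text!r} at offset {i}")
    return frozenset(flags)

def _parse_ace(body):
    """Parse one ACE body: type;flags;rights;object_guid;inherit_guid;sid."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE {body!r} does not have six fields")
    ace_type, flag_str, rights, obj, inh, sid = fields
    if len(flag_str) % 2:
        raise ValueError(f"ACE flags {flag_str!r} are not two-letter tokens")
    flags = frozenset(flag_str[i:i + 2] for i in range(0, len(flag_str), 2))
    return Ace(ace_type, flags, rights, obj, inh, sid)

def _parse_acl_section(text):
    """Split "PAI(A;...)(A;...)" into (control flags, tuple of ACEs)."""
    cut = text.find("(")
    flag_text = text if cut < 0 else text[:cut]
    aces = tuple(_parse_ace(b) for b in re.findall(r"\(([^)]*)\)", text))
    return _parse_control_flags(flag_text), aces

def parse_sddl(sddl):
    """Parse an SDDL string into a SecurityDescriptor."""
    # Each section runs from its "X:" key up to the next key or end of string.
    sections = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl_flags, dacl_aces = _parse_acl_section(sections.get("D", ""))
    sacl_flags, sacl_aces = _parse_acl_section(sections.get("S", ""))
    return SecurityDescriptor(sections.get("O", ""), sections.get("G", ""),
                              dacl_flags, dacl_aces, sacl_flags, sacl_aces)

def classify_difference(found_sddl, expected_sddl):
    """One of "identical", "ace-mismatch", "owner-or-group", "control-flags-only"."""
    found, expected = parse_sddl(found_sddl), parse_sddl(expected_sddl)
    if found == expected:
        return "identical"
    if (found.dacl_aces, found.sacl_aces) != (expected.dacl_aces, expected.sacl_aces):
        return "ace-mismatch"           # the entries themselves differ
    if (found.owner, found.group) != (expected.owner, expected.group):
        return "owner-or-group"
    return "control-flags-only"         # only P/AI/AR differ, as in this thread

def control_flag_difference(found_sddl, expected_sddl):
    """(DACL flags on disk but not expected, flags expected but missing on disk)."""
    found, expected = parse_sddl(found_sddl), parse_sddl(expected_sddl)
    return (sorted(found.dacl_flags - expected.dacl_flags),
            sorted(expected.dacl_flags - found.dacl_flags))

# Sample input constructed from the two descriptors quoted in the thread.
SHARED_ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
               "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
               "(A;OICI;0x001200a9;;;ED)")
FOUND_ON_DISK = "O:DAG:DAD:PAI" + SHARED_ACES        # what aclcheck read from sysvol
EXPECTED_BY_ACLCHECK = "O:DAG:DAD:P" + SHARED_ACES   # what aclcheck said it should be

if __name__ == "__main__":
    print(classify_difference(FOUND_ON_DISK, EXPECTED_BY_ACLCHECK))
    print(control_flag_difference(FOUND_ON_DISK, EXPECTED_BY_ACLCHECK))
```

Run against the two strings from the report it answers control-flags-only with (['AI'], []): the on-disk DACL carries the auto-inherited flag that aclcheck's reference descriptor lacks, while all seven ACEs are identical, which is exactly the situation Rowland describes. An added, missing or reordered entry is reported as ace-mismatch instead; that is the case that actually changes who can read or write the policy files, so it is the one to treat as a real finding rather than noise.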
L.P.H. van Belle
2015-Jun-17  09:03 UTC
[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)
On Wednesday 17 June 2015 10:54, Rowland Penny wrote:
> Hi Louis,
> You have run into something that has been bugging me: the ACEs are correct but the owner or DACL flags are wrong, things that I think do not really matter as far as Windows is concerned.
> [...]
> My understanding is the ACEs are the things that matter; these are what come up in the security tab, and who owns the file/dir doesn't really matter.
>
> Rowland

Ah.. yes, I remember, the thing about Windows being able to set a "group" as owner/user.

Well, as long as it works correctly..

Thank you for the reply.

Greetz,

Louis
Rowland Penny
2015-Jun-17  09:15 UTC
[Samba] samba tool and sysvol/gpo checks error/bugged? ( but it all works ok)
On 17/06/15 10:03, L.P.H. van Belle wrote:
> Ah.. yes, I remember, the thing about Windows being able to set a "group" as owner/user.
>
> Well, as long as it works correctly..

Well, as you have found, it is and it isn't :-)

Perhaps you could try what it says here: https://technet.microsoft.com/en-us/library/cc816833%28v=WS.10%29.aspx

There is a link at the bottom of the page to what the default permissions should be.

Rowland