Olivier BILHAUT
2024-May-16 15:40 UTC
[Samba] Security descriptors options of Group Policies
Thanks Rowland, once again, for an analysis that looks good.

To you, is there a workaround at this stage? For others, let's say someone who developed this part, is there any chance of seeing a change in the next version? Unfortunately I can't propose a patch either at the moment.

Any other suggestion appreciated.

-- 
Olivier

On 2024-05-16 12:41, Rowland Penny via samba wrote:
> On Thu, 16 May 2024 11:26:54 +0200
> Olivier BILHAUT via samba <samba at lists.samba.org> wrote:
> 
>> Hi SambaList, hope you're all doing well.
>> 
>> We have carried out a security audit of our Samba4 Active Directory.
>> 
>> It reports that the security descriptor options of all our GPO objects are wrong. They should be:
>> 
>> SE_DACL_AUTO_INHERITED
>> SE_DACL_PRESENT
>> 
>> Instead of this, the options are by default:
>> 
>> SE_DACL_PROTECTED
>> SE_DACL_PRESENT
>> 
>> We can change the options, but the "sysvolreset" command of samba-tool reverts our changes at every run. (BTW we use sysvolreset because "sysvolcheck" returns errors after each GPO creation, without knowing why.)
>> 
>> So there are multiple questions in one:
>> 
>> * Why are the security descriptor options not like the recommended ones?
>> * Is there a way to change how sysvolreset applies security descriptor options?
>> * And alternatively, do you know why sysvolcheck returns errors after each GPO creation?
>> 
> 
> I think those three questions are all tied to the same thing, the
> default Samba Policy directory SDDL is set to this:
> 
> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)
> 
> Which, if you break it down a bit (the relevant part comes before the
> first '('):
> 
> O:LAG:BAD:P
> 
> O = Owner, 'LA' or LOCAL_ADMIN
> G = Group, 'BA' or BUILTIN_ADMINISTRATORS
> D = DACL, 'P' or SE_DACL_PROTECTED
> 
> However, quite some time ago I set up a Windows 2012R2 DC and found that
> the Policy folder had this SDDL:
> 
> O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)
> 
> Quite a bit different. Ignoring the ACEs, the start is this:
> 
> O:BAG:SYD:PAI
> 
> BA, BUILTIN_ADMINISTRATORS
> SY, LOCAL_SYSTEM
> PAI, SE_DACL_PROTECTED SE_DACL_AUTO_INHERITED
> 
> It was about this time that I was told my python wasn't good enough, so
> I gave up trying to patch things.
> 
> To put it bluntly, in my opinion, Samba uses the wrong permissions on
> SYSVOL.
> 
> Rowland
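A way to check the two SDDL strings quoted above without a Windows box, as an added example that is not part of the original thread and not Samba's or Windows' own code: a small Python SDDL parser that pulls out the owner, group, the DACL control flags after "D:" (P, AI, AR) and the ACEs that apply to the folder itself (inherit-only ACEs skipped), then turns them into audit findings. Token meanings follow the SDDL grammar in MS-DTYP; the two SDDL strings are the Samba default and the 2012R2 one quoted in the thread. The checks in `audit()` (flagging WRITE_DAC/WRITE_OWNER holders) are assumptions of this example, not the rules of the audit tool Olivier used.

```python
"""Parse SDDL strings and report their DACL control flags and effective ACEs.

Added example, not Samba or Windows code.  Token meanings follow the SDDL
grammar in MS-DTYP 2.5.1; the two SDDL strings below are the ones quoted
in the thread (Samba default Policies directory vs a Windows 2012R2 DC).
"""
import re
from dataclasses import dataclass

# Control flags that may follow "D:" in SDDL
DACL_FLAG_NAMES = {"P": "SE_DACL_PROTECTED",
                   "AR": "SE_DACL_AUTO_INHERIT_REQ",
                   "AI": "SE_DACL_AUTO_INHERITED"}

# Access-mask aliases: generic rights plus the file-specific aggregates
RIGHT_ALIASES = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
                 "GR": 0x80000000, "FA": 0x001F01FF, "FR": 0x00120089,
                 "FW": 0x00120116, "FX": 0x001200A0}
DELETE, WRITE_DAC, WRITE_OWNER = 0x00010000, 0x00040000, 0x00080000

# The two SDDL strings quoted in the thread
SAMBA_DEFAULT_SDDL = ("O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)"
                      "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)")
WINDOWS_2012R2_SDDL = ("O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)"
                       "(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)"
                       "(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)"
                       "(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)")


@dataclass
class Ace:
    ace_type: str   # "A" allowed, "D" denied, ...
    flags: list     # inheritance flag tokens, e.g. ["OI", "CI", "IO"]
    mask: int       # decoded access mask
    trustee: str    # SID alias ("BA") or literal "S-1-..." string


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_present: bool
    dacl_flags: list  # control-flag tokens in order, e.g. ["P", "AI"]
    aces: list


def parse_rights(text):
    """'FA' -> 0x1F01FF, 'GXGR' -> GX|GR, '0x1200a9' -> 0x1200a9."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHT_ALIASES[text[i:i + 2]]
    return mask


def parse_sddl(sddl):
    """Split an SDDL string into owner, group and DACL (SACL ignored)."""
    sd = SecurityDescriptor("", "", False, [], [])
    # Components begin at O:, G:, D: or S:; ACE bodies never contain ':'
    for comp in re.split(r"(?=[OGDS]:)", sddl):
        if not comp:
            continue
        kind, body = comp[0], comp[2:]
        if kind == "O":
            sd.owner = body
        elif kind == "G":
            sd.group = body
        elif kind == "D":
            sd.dacl_present = True
            head = body.split("(", 1)[0]              # flags before first ACE
            sd.dacl_flags = re.findall(r"AR|AI|P", head)
            for ace in re.findall(r"\(([^)]*)\)", body):
                ace_type, flags, rights, _obj, _inh, sid = ace.split(";")[:6]
                sd.aces.append(Ace(ace_type, re.findall(r"[A-Z]{2}", flags),
                                   parse_rights(rights), sid))
    return sd


def dacl_flag_names(sd):
    """Flag names the way an auditor reports them."""
    names = ["SE_DACL_PRESENT"] if sd.dacl_present else []
    return names + [DACL_FLAG_NAMES[f] for f in sd.dacl_flags]


def effective_masks(sd):
    """Allow mask each trustee holds on the object itself (inherit-only ACEs skipped)."""
    masks = {}
    for ace in sd.aces:
        if ace.ace_type == "A" and "IO" not in ace.flags:
            masks[ace.trustee] = masks.get(ace.trustee, 0) | ace.mask
    return masks


def audit(sddl):
    """Findings (this example's own rules) for a SYSVOL Policies directory SDDL."""
    sd = parse_sddl(sddl)
    findings = []
    if "P" in sd.dacl_flags:
        findings.append("SE_DACL_PROTECTED: parent ACEs are not inherited")
    if "AI" not in sd.dacl_flags:
        findings.append("SE_DACL_AUTO_INHERITED missing: DACL was not auto-propagated")
    for trustee, mask in effective_masks(sd).items():
        if mask & (WRITE_DAC | WRITE_OWNER):
            findings.append(f"{trustee} can rewrite the DACL or take ownership")
    return findings


if __name__ == "__main__":
    for label, sddl in (("Samba default", SAMBA_DEFAULT_SDDL),
                        ("Windows 2012R2", WINDOWS_2012R2_SDDL)):
        sd = parse_sddl(sddl)
        print(label, sd.owner, sd.group, dacl_flag_names(sd))
        for finding in audit(sddl):
            print("  -", finding)
```

Run as-is it prints the owner, group and flag names for both strings and the findings under each. The split on `D:` versus the first `(` is what separates the control flags from the ACEs, which is the part of the string the thread is about; the `effective_masks()` view also makes visible differences the flag line hides, for example that the Samba default grants the `PA` alias (Group Policy Creator Owners) DELETE on the Policies folder itself (0x1301bf) while the 2012R2 entry (0x1201bf) does not.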
Rowland Penny
2024-May-16 16:46 UTC
[Samba] Security descriptors options of Group Policies
On Thu, 16 May 2024 17:40:45 +0200
Olivier BILHAUT <obilhaut at fondation-misericorde.fr> wrote:

> Thanks Rowland, once again, for an analysis that looks good.
> 
> To you, is there a workaround at this stage?

Not from myself, it has been years since I looked into this and I only really got as far as mapping the sysvol directory SDDLs on a 2012R2 DC. It was at this point that I was basically told my python was crap (it wasn't said in those terms, but it came across to me that way), so I just gave up.

> For others, let's say someone who developed this part, is there any chance of seeing a change in the next version?

That's up to others, but I feel it will need to be a pretty large patch. If I am correct (and I might not be, though I seem to remember Louis Van Belle confirmed my findings), Samba has never used the correct ACLs on SYSVOL.

Rowland