On two Samba 4.4.2/4.4.3 member servers, "samba-tool ntacl get --as-sddl" gives the following error:

ERROR: Unable to read domain SID from configuration files

Which configuration files is it referring to?

Without "--as-sddl" the command gives a correct output.

It would be nice to get the permissions in sddl format...

The same command works as expected on two AD DCs.

On 18/05/16 00:02, Miguel Medalha wrote:
> On two Samba 4.4.2/4.4.3 member servers, "samba-tool ntacl get
> --as-sddl" gives the following error:
>
> ERROR: Unable to read domain SID from configuration files
>
> Which configuration files is it referring to?
>
> Without "--as-sddl" the command gives a correct output.
>
> It would be nice to get the permissions in sddl format...
>
> The same command works as expected on two AD DCs.
>
>

Hi, this is because when you use '--as-sddl', the python code does this:

        if as_sddl:
            try:
                domain_sid = security.dom_sid(samdb.domain_sid)
            except:
                raise CommandError("Unable to read domain SID from configuration files")
            self.outf.write(acl.as_sddl(domain_sid)+"\n")

Or to put it in English, it tries to get the Domain SID from sam.ldb and this doesn't exist on a member server.

Rowland

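Added example, not part of the thread and not Samba's code: SDDL names some trustees by two-letter aliases that exist only as a RID appended to the domain SID, so reading or writing such text depends on knowing that SID. The sketch below expands a DACL-only SDDL string into full SIDs and refuses domain-relative aliases when no domain SID is supplied. The names resolve_trustee, expand_sddl and DomainSidRequired, the sample domain SID and the sample SDDL string are all constructed for this example.

```python
import re

# Constructed sample values (not taken from the thread).
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = "O:DAG:DUD:(A;OICI;FA;;;DA)(A;OICI;0x1200a9;;;DU)(A;;FA;;;SY)"

# Aliases whose SID is identical on every machine.
FIXED = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
         "AU": "S-1-5-11", "WD": "S-1-1-0", "CO": "S-1-3-0"}
# Aliases defined only as a RID appended to the domain SID.
DOMAIN_RIDS = {"DA": 512, "DU": 513, "DG": 514, "DC": 515, "DD": 516, "CA": 517}


class DomainSidRequired(ValueError):
    """Raised when an alias cannot be expanded without the domain SID."""


def resolve_trustee(token, domain_sid=None):
    """Turn an SDDL trustee token (alias or literal SID) into a full SID."""
    if token.startswith("S-1-"):
        return token
    if token in FIXED:
        return FIXED[token]
    if token in DOMAIN_RIDS:
        if domain_sid is None:
            raise DomainSidRequired(f"{token!r} is domain-relative")
        return f"{domain_sid}-{DOMAIN_RIDS[token]}"
    raise ValueError(f"unknown trustee {token!r}")


def expand_sddl(sddl, domain_sid=None):
    """Return owner, group and DACL ACEs with every trustee as a full SID."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout (owner, group, DACL only)")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(4)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE needs 6 fields: {body!r}")
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append((ace_type, flags, rights, resolve_trustee(trustee, domain_sid)))
    return {"owner": resolve_trustee(m.group(1), domain_sid),
            "group": resolve_trustee(m.group(2), domain_sid),
            "dacl": aces}
```

Expanding aliases this way before comparing ACLs exported from different servers avoids treating "DA" from two different domains as the same principal.
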
> Hi, this is because when you use '--as-sddl', the python code does this:
>
>         if as_sddl:
>             try:
>                 domain_sid = security.dom_sid(samdb.domain_sid)
>             except:
>                 raise CommandError("Unable to read domain SID from configuration files")
>             self.outf.write(acl.as_sddl(domain_sid)+"\n")
>
> Or to put it in English, it tries to get the Domain SID from sam.ldb
> and this doesn't exist on a member server.
>

And yet the member server "knows" what the Domain SID is (as shown by "net getdomainsid").

Isn't a file server exactly the place where setting ACEs using the sddl format would be the most useful? Can this limitation be removed or was it "by design"?

It seems to me that with acl_xattr offering complete Windows ACLs the situation is now mature enough and demands a proper tool for setting Windows ACLs from a *nix command line. This would greatly facilitate the life of those who maintain remote servers through ssh. A tool similar to icacls or SetACL in the Windows world.

On Wed, 2016-05-18 at 00:02 +0100, Miguel Medalha wrote:
> On two Samba 4.4.2/4.4.3 member servers, "samba-tool ntacl get
> --as-sddl" gives the following error:
>
> ERROR: Unable to read domain SID from configuration files
>
> Which configuration files is it referring to?
>
> Without "--as-sddl" the command gives a correct output.
>
> It would be nice to get the permissions in sddl format...
>
> The same command works as expected on two AD DCs.

A very reasonable request. You might be able to use vfstest (which isn't normally installed, but is built) with the get_nt_acl command as a workaround in the interim.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba