thr3ads.net - samba - [Samba] editing GPO as user X, when user X is used in gpo security filter [May 2019]

If this information is useful, please help other people find it:
Share via:

Kacper Wirski

2019-May-14 19:53 UTC

[Samba] editing GPO as user X, when user X is used in gpo security filter

Hello,

I'm using samba 4.9.x compiled from source on centos 7.6

Today I ran into an unknown behaviour before, which I'm not sure if it's
a bug, a feature or.. just "is".

I realised, that I'm unable to edit particular GPOs, with "access 
denied"  error, when this criteria are met:

- I have user "john" that is a member of "domain admins"

- to any new or existing GPO I explicitly add user "john"  to
"security
filter"

- I'm editing GPO from workstation to which I'm logged in as user
"john"

You can substitute "john" for any other username, i.e. it's not
tied to
particular account, as long as criteria as above are met.

Things like "wbinfo -i" and getfacl run on any of the GPO return 
expected values, all GPO are owned by "domain admins" (both user and
group).

What happens is:

I can open GPO to edit, I can try to change something, but whenver I try 
to accept changes, there is "access denied" error. To make it clear: 
policy is processed by domain clients as it should, and settings are 
applied, error is ONLY when editing with the criteria as above. So 
"john" will get settings applied, even though he can't edit.

As soon, as I remove "john" from security filter OR log in as another 
domain admin, I can edit GPO without error. I'm 100% certain it's not 
user "john" fault, as I can as easily reproduce with another user, as 
long as:

- user that is logged in is member of "domain admins" and is editing
GPO
with himself added to GPO security filter


It's not a big issue, and easy to circumvent that's why I'm not even
sure if it's a bug, or maybe a feature. I bumped into this by accident, 
as I wanted to test something using my domain admin account and not 
different test account and using trial and error pinpointed what caused 
gpo edit error.


I tested this using windows 10 and windows 2012 r2 clients with latest 
updates.

I asked around people using pure microsoft windows 2016 AD DC and they 
couldn't reproduce this behaviour.

What I'd like to know if it's something that is expected, or is there an
error in my domain?

Regards,

Kacper



---
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie
antywirusowe Avast.
https://www.avast.com/antivirus

Apparently Analagous Threads

Search for more maybe matching threads

samba - May 2019 - editing GPO as user X, when user X is used in gpo security filter

[Samba] editing GPO as user X, when user X is used in gpo security filter

Apparently Analagous Threads

Wisdom of the Ancients