> > However the acls via getfacl for the two GPO's are identical.Your sure?> I don't know if that will be problematic down the road or not.No, thats fine. But run on the 2 folders : samba-tool ntacl get --as-sddl FOLDERHERE Compair the 2 outputs. There must be a difference. Well, at least it works now for you.. Greetz, Louis
On Wed, Oct 28, 2020 at 12:08 PM L.P.H. van Belle <belle at bazuin.nl> wrote:> > However the acls via getfacl for the two GPO's are identical. > Your sure?Absolutely, just checked again. I placed the output into 2 separate files, removed that 1st file: line (that would be different) and ran a diff. No difference.> But run on the 2 folders : > samba-tool ntacl get --as-sddl FOLDERHERE > > Compair the 2 outputs. > There must be a difference.Yes they are different, must be taking the unix permissions into account which getfacl doesn't. Chris
For completeness:
The existing GPO:
# samba-tool ntacl get --as-sddl \{07AF723D-5FFD-4807-B3C6-DFCE911B922A\}/
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
The newly created GPO:
# samba-tool ntacl get --as-sddl \{0C0B713E-EE65-4ACE-88AE-25125E2AAE00\}/
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
Chris