Hi Team,
I am trying to get filtering by group on GPOs (with code on Linux, i.e.
samba-tool etc.).
While experimenting something went wrong and I ended up with broken dsalcs.
samba-tool gpo aclcheck
ERROR: Invalid GPO ACL
O:DAG:DAD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;;;;WD)(A;;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)
on path (example.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}),
should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
Since my GPOs are created by code, the simple solution for broken stuff
is to remove it (samba-tool gpo del), fix the code and rerun.
However at some point (don't know how it happened) I broke the dsacl of
the "Default Domain Policy". On delete is complains: "ERROR(ldb):
uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM"
Ldbsearch shows "isCriticalSystemObject: TRUE", which is probably the
cause of above error.
The "Default Domain Policy" on the filesystem is empty.
My setup is Samba 4.15.5 (from Louis) on Bullseye.
Is there a way to fix / overwrite dsacls with a correct value, so that I
do not need the delete/create operation?
If not: what would be the way to fix the "Default Domain Policy"?
- Kees