I had issues with "samba-tool dsacl" some time ago, Rowland helped to
find a work-around:
# Return current DS-ACL
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 'OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu' 'nTSecurityDescriptor'
# Set new DS-ACL (replaces the whole attribute value)
cat << EOF > tempfile
dn: OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu
changetype: modify
replace: nTSecurityDescriptor
nTSecurityDescriptor: {{ put_expected_dsacl_here }}
EOF
ldbmodify -H /var/lib/samba/private/sam.ldb tempfile
Hopefully this trick works for you as well
- Kees
On 26-05-2022 at 23:35, samba-ml-en via samba wrote:
> Hello all,
>
> I have tried the "samba-tool dsacl get/set" operations to modify
> permissions on OUs and groups; frankly I could find a proper way to implement
> what I wanted correctly. I searched around for examples on using this tool, but
> I must admit I could not find much.
>
> So here it is:
>
> smbd -V
>
> Version 4.15.5-Ubuntu
>
> samba-tool -V
>
> 4.15.5-Ubuntu
>
> -
>
> Simple ACL edit (like a copy/paste)
>
> So here is our starting point a standard ACL on an OU.
>
> I get the sddl for this (output is shown with a newline between ACEs for
> clarity):
>
> samba-tool dsacl get --objectdn="OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu"
>
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
> (A;;RPLCLORC;;;AU)
> (A;;RPLCLORC;;;ED)
> (OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)
> (OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)
> (OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
> (OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
> (OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)
> (OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
> (OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
> (OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
> (OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
> (OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
> (OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
> (OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
> (OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
> (OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
> (OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
> (OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)
> (OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
> (OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)
> (OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
> (OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
> (OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
> (OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
> (A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
> (A;CIID;LC;;;RU)
> (A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)
> S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> (OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>
> We remove all ACEs that contain the flag ID (inherited from the parent
> object/OU) (note: leaving them does not change the result).
>
> Giving us a new sddl that we send back to our AD:
>
> samba-tool dsacl set
> --objectdn="OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu"
> --sddl="(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)(A;;RPLCLORC;;;ED)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)"
>
> Now we look again at the result:
>
> We can conclude that samba-tool is not rewriting exactly what it read (the
> SYSTEM entry is now at the bottom of the list).
>
> -
>
> Example with a modified ACL.
>
> In this example we manually add 2 ACEs to our ACL (this is for delegating
> rights to a group).
>
> The two ACEs are added right above the inherited ones (Adm1AOA).
>
> Again we read the sddl with samba-tool, reset the ACL in Windows and write
> it back.
>
> (A;;RPLCLORC;;;ED)
> (A;;RPLCLORC;;;AU)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
> (OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)
> (OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)
> (OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)
> (OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)
> (OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
> (OA;CIIO;RPWP;deaea1df-2135-41c0-bb7d-4397e6434676;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)
> (OA;CIIO;RPCR;318e36f2-a510-4502-b41c-be3984b39c71;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)
>
> samba-tool dsacl set
> --objectdn="OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu"
> --sddl="(A;;RPLCLORC;;;ED)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;CIIO;RPWP;deaea1df-2135-41c0-bb7d-4397e6434676;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)(OA;CIIO;RPCR;318e36f2-a510-4502-b41c-be3984b39c71;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)"
>
> And we get the following result:
>
> Again we see the ACE order is odd: my added groups at the top and
> SYSTEM at the bottom. Now I really think the tool has a very odd way of
> thinking.
>
> -
>
> Let's make it more like a production example.
>
> In this example we protect the OU against deletion (object tab); this
> adds one deny ACE at the top of the ACL denying Everyone delete and delete
> subtree. Same procedure: we add our two test ACEs, read the sddl, and rewrite
> it.
>
> samba-tool dsacl set
> --objectdn="OU=AMS,OU=Org,DC=ad2,DC=xxx,DC=eu"
> --sddl="(D;;SDDT;;;WD)(A;;RPLCLORC;;;ED)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;CIIO;RPWP;deaea1df-2135-41c0-bb7d-4397e6434676;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)(OA;CIIO;RPCR;318e36f2-a510-4502-b41c-be3984b39c71;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-1702593726-1423805133-3429439403-1105)"
>
> Here hell breaks loose when we try to inspect the result; we get:
>
> Now we cancel and look at what samba-tool wrote:
>
> Indeed we can call this a corrupted ACL.
>
> Conclusion: either I am not using the tool correctly, in which case
> obviously someone will point me in the right direction, or samba-tool has a
> big problem with writing DACLs.
>
> Thanks for your inputs,
>
> Eric
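Both the procedure in Eric's mail (read the descriptor, drop the ID-flagged ACEs, add the explicit ACEs, write it back) and the ldbmodify workaround above hinge on handing the DC a complete, correctly ordered SDDL string. The following is an added example, not code from either mail or from samba-tool, that does that bookkeeping in pure Python: it splits a descriptor into its O:/G:/D:/S: components, parses the DACL ACEs, checks the DACL against the canonical order Windows expects (explicit deny, then explicit allow, then inherited ACEs) and rebuilds the descriptor with new explicit ACEs. The sample descriptor is constructed from ACEs quoted in the thread; its owner and group (DA) and the name `rebuild_descriptor` are assumptions of this example.

```python
"""Added example (not from the thread or samba-tool): parse the SDDL text form
of nTSecurityDescriptor, check the DACL for canonical order, and rebuild it
following Eric's procedure (drop ID-flagged ACEs, add explicit ACEs)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACE_RE = re.compile(r"\(([^()]*)\)")
DENY_TYPES = ("D", "OD")


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A, D, OA, OD, AU, OU, ...
    flags: str         # two-letter codes run together, e.g. "CIIOID"
    rights: str        # e.g. "RPWPCRCCDCLCLORCWOWDSDDTSW"
    object_guid: str   # attribute / extended-right GUID, may be empty
    inherit_guid: str  # inherited-object-type GUID, may be empty
    trustee: str       # SID alias (SY, DA, RU, ...) or a full S-1-5-... SID

    @property
    def flag_list(self) -> List[str]:
        # SDDL ACE flags are fixed two-character codes: CI OI NP IO ID SA FA
        if len(self.flags) % 2:
            raise ValueError("malformed ACE flags %r" % self.flags)
        return [self.flags[i:i + 2] for i in range(0, len(self.flags), 2)]

    @property
    def inherited(self) -> bool:
        return "ID" in self.flag_list

    def to_sddl(self) -> str:
        return "(%s;%s;%s;%s;%s;%s)" % (self.ace_type, self.flags, self.rights,
                                        self.object_guid, self.inherit_guid,
                                        self.trustee)


def parse_aces(acl: str) -> List[Ace]:
    """Turn '(...)(...)' into Ace objects; anything but six fields is rejected."""
    aces = []
    for body in ACE_RE.findall(acl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 ';'-separated fields: (%s)" % body)
        aces.append(Ace(*fields))
    return aces


def parse_descriptor(sd: str) -> Dict[str, str]:
    """Split 'O:..G:..D:..S:..' into components keyed O, G, D, S.
    Only the component markers contain ':', so splitting on '<letter>:' is safe."""
    parts = re.split(r"([OGDS]):", sd)
    if parts[0] != "":
        raise ValueError("descriptor must start with a component marker")
    return dict(zip(parts[1::2], parts[2::2]))


def split_acl(acl: str) -> Tuple[str, List[Ace]]:
    """'AI(...)(...)' -> ('AI', aces); the prefix holds the ACL control flags."""
    pos = acl.find("(")
    return (acl, []) if pos < 0 else (acl[:pos], parse_aces(acl[pos:]))


def canonical_order(aces: List[Ace]) -> List[Ace]:
    """Windows canonical DACL order: explicit deny, explicit allow, inherited.
    Relative order inside each group is preserved."""
    explicit = [a for a in aces if not a.inherited]
    return ([a for a in explicit if a.ace_type in DENY_TYPES]
            + [a for a in explicit if a.ace_type not in DENY_TYPES]
            + [a for a in aces if a.inherited])


def is_canonical(aces: List[Ace]) -> bool:
    return aces == canonical_order(aces)


def rebuild_descriptor(sd: str, new_aces: str) -> str:
    """Drop inherited DACL ACEs, append new explicit ACEs not already present,
    reorder canonically and reassemble the full descriptor string."""
    comps = parse_descriptor(sd)
    flags, aces = split_acl(comps.get("D", ""))
    explicit = [a for a in aces if not a.inherited]
    for ace in parse_aces(new_aces):
        if ace.inherited:
            raise ValueError("refusing to write an ID-flagged ACE: " + ace.to_sddl())
        if ace not in explicit:
            explicit.append(ace)
    comps["D"] = flags + "".join(a.to_sddl() for a in canonical_order(explicit))
    return "".join(k + ":" + comps[k] for k in "OGDS" if k in comps)


# Constructed sample: ACEs taken from the thread; owner/group "DA" is assumed.
SAMPLE_SD = ("O:DAG:DAD:AI"
             "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
             "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
             "(A;;RPLCLORC;;;AU)"
             "(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
             "(A;CIID;LC;;;RU)"
             "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
             "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
# The deny-delete ACE and one of the delegation ACEs quoted in the thread.
NEW_ACES = ("(D;;SDDT;;;WD)"
            "(OA;CIIO;RPWP;deaea1df-2135-41c0-bb7d-4397e6434676;"
            "bf967a86-0de6-11d0-a285-00aa003049e2;"
            "S-1-5-21-1702593726-1423805133-3429439403-1105)")

if __name__ == "__main__":
    _, dacl = split_acl(parse_descriptor(SAMPLE_SD)["D"])
    print("inherited:", [a.to_sddl() for a in dacl if a.inherited])
    print("canonical:", is_canonical(dacl))
    print(rebuild_descriptor(SAMPLE_SD, NEW_ACES))
```

The reordering Eric finds odd (SYSTEM moved below the other explicit allows) still passes the canonical check, because only deny-before-allow and explicit-before-inherited matter; what the check does flag is an explicit ACE landing after inherited ones, and `rebuild_descriptor` refuses to write an ID-flagged ACE as if it were explicit. Two practical points for the ldbmodify route: `samba-tool dsacl set` documents its `--sddl` argument as ACEs to be added to the object rather than as a replacement DACL, which is consistent with the reordering observed above, whereas `replace: nTSecurityDescriptor` swaps the whole attribute, so the value pasted into the LDIF must be the complete descriptor (O:, G:, D: and S: parts), which is what `rebuild_descriptor` returns.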