Olivier BILHAUT
2024-May-16 09:26 UTC
[Samba] Security descriptors options of Group Policies
Hi Samba List, hope you're all doing well.

We have carried out a security audit of our Samba4 Active Directory. It reports that the security descriptor options of all our GPO objects are wrong. They should be:

SE_DACL_AUTO_INHERITED
SE_DACL_PRESENT

Instead, the options are by default:

SE_DACL_PROTECTED
SE_DACL_PRESENT

We can change the options, but the "sysvolreset" command of samba-tool reverts our changes at every run. (BTW we use sysvolreset because "sysvolcheck" returns errors after each GPO creation, without our knowing why.)

So there are multiple questions in one:

* Why are the security descriptor options not the recommended ones?
* Is there a way to change how sysvolreset applies security descriptor options?
* And alternatively, do you know why sysvolcheck returns errors after each GPO creation?

Many thanks to all.

--
Olivier
Rowland Penny
2024-May-16 10:41 UTC
[Samba] Security descriptors options of Group Policies
On Thu, 16 May 2024 11:26:54 +0200
Olivier BILHAUT via samba <samba at lists.samba.org> wrote:

> Hi Samba List, hope you're all doing well.
>
> We have carried out a security audit of our Samba4 Active Directory.
>
> It reports that the security descriptor options of all our GPO objects are wrong. They should be:
>
> SE_DACL_AUTO_INHERITED
> SE_DACL_PRESENT
>
> Instead, the options are by default:
>
> SE_DACL_PROTECTED
> SE_DACL_PRESENT
>
> We can change the options, but the "sysvolreset" command of samba-tool reverts our changes at every run. (BTW we use sysvolreset because "sysvolcheck" returns errors after each GPO creation, without our knowing why.)
>
> So there are multiple questions in one:
>
> * Why are the security descriptor options not the recommended ones?
> * Is there a way to change how sysvolreset applies security descriptor options?
> * And alternatively, do you know why sysvolcheck returns errors after each GPO creation?

I think those three questions are all tied to the same thing: the default Samba Policy directory SDDL is set to this:

O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)

Which, if you break it down a bit (the relevant part comes before the first '('):

O:LAG:BAD:P

O = Owner, 'LA' or LOCAL_ADMIN
G = Group, 'BA' or BUILTIN_ADMINISTRATORS
D = DACL, 'P' or SE_DACL_PROTECTED

However, quite some time ago I set up a Windows 2012R2 DC and found that the Policy folder had this SDDL:

O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)

Quite a bit different.

Ignoring the ACEs, the start is this:

O:BAG:SYD:PAI

BA, BUILTIN_ADMINISTRATORS
SY, LOCAL_SYSTEM
PAI, SE_DACL_PROTECTED SE_DACL_AUTO_INHERITED

It was about this time that I was told my python wasn't good enough, so I gave up trying to patch things.

To put it bluntly, in my opinion, Samba uses the wrong permissions on SYSVOL.

Rowland
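The comparison Rowland does by hand can be automated. The following is an added example, not code from the thread or from Samba: it decodes the O:/G:/D: header and the ACE list of the two SDDL strings quoted above and reports which DACL control flags an audit expecting SE_DACL_PRESENT plus SE_DACL_AUTO_INHERITED would flag as missing or unexpected. The `SID_ALIASES` labels, the function names and the `expected` default are this example's own choices.

```python
import re

# Abbreviated SDDL SID strings used in the two descriptors quoted in the thread.
SID_ALIASES = {"LA": "Local Administrator", "BA": "BUILTIN\\Administrators",
               "SY": "LOCAL_SYSTEM", "AU": "Authenticated Users",
               "SO": "Server Operators", "PA": "Group Policy Creator Owners",
               "CO": "CREATOR OWNER"}
# SDDL DACL control letters -> security descriptor control flags.
DACL_FLAGS = {"P": "SE_DACL_PROTECTED", "AI": "SE_DACL_AUTO_INHERITED",
              "AR": "SE_DACL_AUTO_INHERIT_REQ"}

_SDDL = re.compile(r"^O:(?P<owner>\S+?)G:(?P<group>\S+?)D:(?P<flags>[A-Z]*)"
                   r"(?P<aces>(?:\([^)]*\))*)$")

def _split_flags(letters):
    """Tokenise e.g. 'PAI' into ['P', 'AI']; two-letter tokens win over one-letter ones."""
    out = []
    while letters:
        tok = letters[:2] if letters[:2] in DACL_FLAGS else letters[:1]
        if tok not in DACL_FLAGS:
            raise ValueError(f"unknown DACL control letters: {letters!r}")
        out.append(DACL_FLAGS[tok])
        letters = letters[len(tok):]
    return out

def parse_sddl(sddl):
    """Return owner, group, DACL control flags and the ACE list of an SDDL string."""
    m = _SDDL.match(sddl.strip())
    if not m:
        raise ValueError("not an O:..G:..D:.. SDDL string")
    fields = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")
    aces = [dict(zip(fields, a.split(";"))) for a in re.findall(r"\(([^)]*)\)", m["aces"])]
    # A 'D:' section means the DACL is present, whatever control letters follow it.
    flags = {"SE_DACL_PRESENT", *_split_flags(m["flags"])}
    return {"owner": SID_ALIASES.get(m["owner"], m["owner"]),
            "group": SID_ALIASES.get(m["group"], m["group"]),
            "dacl_flags": flags, "aces": aces}

def audit_dacl_flags(sddl, expected=frozenset({"SE_DACL_PRESENT", "SE_DACL_AUTO_INHERITED"})):
    """Compare a descriptor's DACL control flags with the set the audit expects."""
    found = parse_sddl(sddl)["dacl_flags"]
    return {"missing": set(expected - found), "unexpected": set(found - expected)}

# Both strings are the ones quoted in the thread above.
SAMBA_DEFAULT = ("O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)"
                 "(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)")
WINDOWS_2012R2 = ("O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)"
                  "(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)"
                  "(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)")

if __name__ == "__main__":
    for name, sddl in (("samba-tool default", SAMBA_DEFAULT), ("Windows 2012R2", WINDOWS_2012R2)):
        print(name, sorted(parse_sddl(sddl)["dacl_flags"]), audit_dacl_flags(sddl))
```

Run against a live policy folder, the same function can take the SDDL printed by `samba-tool ntacl get --as-sddl` so the check reflects what sysvolreset actually wrote.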