Rowland Penny
2024-May-16 10:41 UTC
[Samba] Security descriptors options of Group Policies
On Thu, 16 May 2024 11:26:54 +0200
Olivier BILHAUT via samba <samba at lists.samba.org> wrote:

> Hi Samba List, hope you're doing well all.
>
> We have realized a security audit of our Samba4 Active Directory.
>
> It returns that the security descriptor options of all our GPO objects are wrong. They should be:
>
> SE_DACL_AUTO_INHERITED
> SE_DACL_PRESENT
>
> instead of this, the options are by default:
>
> SE_DACL_PROTECTED
> SE_DACL_PRESENT
>
> We can change the options, but the "sysvolreset" command of samba-tool reverts our changes at every run. (BTW we use sysvolreset because "sysvolcheck" returns errors after each GPO creation, without knowing why).
>
> So there are multiple questions in one:
>
> * Why are the security descriptor options not like the recommended ones?
> * Is there a way to change how sysvolreset applies security descriptor options?
> * And alternatively, do you know why sysvolcheck returns errors after each GPO creation?

I think those three questions are all tied to the same thing, the default Samba Policy directory SDDL is set to this:

O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)

Which if you break it down a bit (the relevant part comes before the first '(' ):

O:LAG:BAD:P

O = Owner, 'LA' or LOCAL_ADMIN
G = Group, 'BA' or BUILTIN_ADMINISTRATORS
D = DACL, 'P' or SE_DACL_PROTECTED

However, quite some time ago I set up a Windows 2012R2 DC and found that the Policy folder had this SDDL:

O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)

Quite a bit different.

Ignoring the ACEs, the start is this:

O:BAG:SYD:PAI

BA, BUILTIN_ADMINISTRATORS
SY, LOCAL_SYSTEM
PAI, SE_DACL_PROTECTED SE_DACL_AUTO_INHERITED

It was about this time that I was told my python wasn't good enough, so I gave up trying to patch things.

To put it bluntly, in my opinion, Samba uses the wrong permissions on SYSVOL.

Rowland
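The two SDDL strings from this thread, decoded by a small parser added here as an example (it is not code from the thread or from Samba). The SID labels follow Rowland's breakdown, with the standard SDDL aliases SO, AU, CO and PA filled in; the D: component's presence is what sets SE_DACL_PRESENT, so the parser reports it alongside the explicit P/AI/AR flags.

```python
import re

# SDDL strings as quoted in the thread: Samba's default Policy directory
# descriptor and the one Rowland observed on a Windows 2012R2 DC.
SAMBA_DEFAULT = ("O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)"
                 "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)")
WINDOWS_2012R2 = ("O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)"
                  "(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)"
                  "(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)"
                  "(A;;0x1200a9;;;SO)(A;;0x1201bf;;;PA)(A;OICIIO;GXGWGR;;;PA)")

# Well-known SID aliases used in the two strings (names as in Rowland's breakdown).
SID_ALIASES = {
    "LA": "LOCAL_ADMIN", "BA": "BUILTIN_ADMINISTRATORS", "SY": "LOCAL_SYSTEM",
    "SO": "SERVER_OPERATORS", "AU": "AUTHENTICATED_USERS",
    "CO": "CREATOR_OWNER", "PA": "GROUP_POLICY_CREATOR_OWNERS",
}
# DACL control flags that may follow "D:"; two-letter flags are matched first.
DACL_FLAGS = {"P": "SE_DACL_PROTECTED", "AI": "SE_DACL_AUTO_INHERITED",
              "AR": "SE_DACL_AUTO_INHERIT_REQ"}


def _dacl_flags(token):
    """Tokenise the letters after 'D:' (e.g. 'PAI' -> P, AI) into flag names."""
    names, i = [], 0
    while i < len(token):
        width = 2 if token[i:i + 2] in DACL_FLAGS else 1
        if token[i:i + width] not in DACL_FLAGS:
            raise ValueError(f"unknown DACL flag at {token[i:]!r}")
        names.append(DACL_FLAGS[token[i:i + width]])
        i += width
    return names


def parse_sddl(sddl):
    """Return owner, group, DACL control flags and ACEs of a DACL-only SDDL string."""
    header, paren, rest = sddl.partition("(")
    m = re.fullmatch(r"O:([\w-]+)G:([\w-]+)D:([A-Z]*)", header)
    if not m:
        raise ValueError(f"unsupported SDDL header {header!r}")
    owner, group, flags = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", paren + rest):
        ace_type, ace_flags, rights, _obj, _inherit_obj, sid = ace.split(";")
        aces.append({"type": ace_type, "flags": ace_flags, "rights": rights,
                     "trustee": SID_ALIASES.get(sid, sid)})
    return {"owner": SID_ALIASES.get(owner, owner),
            "group": SID_ALIASES.get(group, group),
            "dacl_flags": ["SE_DACL_PRESENT"] + _dacl_flags(flags),
            "aces": aces}
```

Running parse_sddl on both constants shows the difference the audit is reporting: only the Windows descriptor carries SE_DACL_AUTO_INHERITED, while both carry SE_DACL_PROTECTED.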
Olivier BILHAUT
2024-May-16 15:40 UTC
[Samba] Security descriptors options of Group Policies
Thanks Rowland for once again, an analysis that looks good. To you, is there a workaround at this stage? For others, let's say someone that had dev this part, any chance to see a change in the next version? I can't unfortunately propose a patch either at the moment. Any other suggestion appreciated.

--
Olivier

On 2024-05-16 12:41, Rowland Penny via samba wrote: