Rowland Penny
2024-May-16 16:46 UTC
[Samba] Security descriptors options of Group Policies
On Thu, 16 May 2024 17:40:45 +0200 Olivier BILHAUT <obilhaut at fondation-misericorde.fr> wrote:

> Thanks Rowland for once again, an analysis that looks good.
>
> To you,
> is there a workaround at this stage ?

Not from myself, it has been years since I looked into this and only really got as far as mapping the sysvol directory SDDLs on a 2012R2 DC. It was at this point that I was basically told my python was crap (it wasn't said in that term, but it came across to me in that way), so I just gave up.

> For others, let's say someone that
> had dev this part, any chance to see a change in the next version ?

That's up to others, but I feel it will need to be a pretty large patch. If I am correct (and I might not be, though I seem to remember Louis Van Belle confirmed my findings), Samba has never used the correct ACLs on SYSVOL.

Rowland
Kees van Vloten
2024-May-16 18:25 UTC
[Samba] Security descriptors options of Group Policies
On 16-05-2024 18:46, Rowland Penny via samba wrote:

> On Thu, 16 May 2024 17:40:45 +0200
> Olivier BILHAUT <obilhaut at fondation-misericorde.fr> wrote:
>
>> Thanks Rowland for once again, an analysis that looks good.
>>
>> To you,
>> is there a workaround at this stage ?
> Not from myself, it has been years since I looked into this and only
> really got as far as mapping the sysvol directory SDDLs on a 2012R2
> DC. It was at this point that I was basically told my python was crap
> (it wasn't said in that term, but it came across to me in that way), so
> I just gave up.
>
>> For others, let's say someone that
>> had dev this part, any chance to see a change in the next version ?
> That's up to others, but I feel it will need to be a pretty large
> patch. If I am correct (and I might not be, though I seem to remember
> Louis Van Belle confirmed my findings), Samba has never used the
> correct ACLs on SYSVOL.
>
> Rowland

As a workaround you can decide to apply the correct ACLs, "samba-tool ntacl set" can do that. And then never use "samba-tool ntacl sysvolreset" again.

- Kees.