Rowland Penny
2025-Apr-14 14:38 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
On Mon, 14 Apr 2025 16:05:53 +0200 Klaas TJEBBES via samba <samba at lists.samba.org> wrote:> This example I gave is from a test server. A simple setup with 1 DC, > 1 fileserver and 2 Windows clients. > > Setting access rights with setfacl was just to try to understand what > the problems was. I should have presented the problem otherwise, like > this : > > I create a GPO in RSAT. At that point, rights on GPO are OK, I can > modify it no problems. > I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursivly. > I run 'samba-tool ntacl sysvolreset'. At that point, problem occurs, > GPO can no longer be modified. > I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursivly again. > > The diffs between ACLs and ATTRs before/after are : > > ############ ACLs ################## > > # BEFORE samba-tool ntacl sysvolreset > > # file: > home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI > # owner: BUILTIN/administrators > # group: users > user::rwx > user:NT\040Authority/system:rwx > user:NT\040Authority/authenticated\040users:r-x > user:DOM/domain\040admins:rwx > user:DOM/enterprise\040admins:rwx > user:NT\040Authority/enterprise\040domain\040controllers:r-x > group::--- > group:users:--- > group:BUILTIN/administrators:rwx > group:NT\040Authority/system:rwx > group:NT\040Authority/authenticated\040users:r-x > group:DOM/domain\040admins:rwx > group:DOM/enterprise\040admins:rwx > group:NT\040Authority/enterprise\040domain\040controllers:r-x > mask::rwx > other::--- > > # file: > home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/ > # owner: BUILTIN/administrators > # group: users > user::rwx > user:NT\040Authority/system:rwx > user:NT\040Authority/authenticated\040users:r-x > user:DOM/domain\040admins:rwx > user:DOM/enterprise\040admins:rwx > user:NT\040Authority/enterprise\040domain\040controllers:r-x > group::--- > group:users:--- > group:BUILTIN/administrators:rwx > group:NT\040Authority/system:rwx > group:NT\040Authority/authenticated\040users:r-x > group:DOM/domain\040admins:rwx > group:DOM/enterprise\040admins:rwx > group:NT\040Authority/enterprise\040domain\040controllers:r-x > mask::rwx > other::--- > default:user::rwx > default:user:BUILTIN/administrators:rwx > default:user:NT\040Authority/system:rwx > default:user:NT\040Authority/authenticated\040users:r-x > default:user:DOM/domain\040admins:rwx > default:user:DOM/enterprise\040admins:rwx > default:user:NT\040Authority/enterprise\040domain\040controllers:r-x > default:group::--- > default:group:users:--- > default:group:NT\040Authority/system:rwx > default:group:NT\040Authority/authenticated\040users:r-x > default:group:DOM/domain\040admins:rwx > default:group:DOM/enterprise\040admins:rwx > default:group:NT\040Authority/enterprise\040domain\040controllers:r-x > default:mask::rwx > default:other::--- > > > # AFTER samba-tool ntacl sysvolreset > > # file: > home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI > # owner: DOM/domain\040admins > # group: DOM/domain\040admins > user::rwx > user:root:rwx > user:BUILTIN/administrators:rwx > user:BUILTIN/server\040operators:r-x > user:NT\040Authority/system:rwx > user:NT\040Authority/authenticated\040users:r-x > group::rwx > group:BUILTIN/administrators:rwx > group:BUILTIN/server\040operators:r-x > group:NT\040Authority/system:rwx > group:NT\040Authority/authenticated\040users:r-x > mask::rwx > other::--- > > # file: > home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/ > # owner: DOM/domain\040admins > # group: DOM/domain\040admins > user::rwx > user:root:rwx > user:BUILTIN/administrators:rwx > user:BUILTIN/server\040operators:r-x > user:NT\040Authority/system:rwx > user:NT\040Authority/authenticated\040users:r-x > group::rwx > group:BUILTIN/administrators:rwx > group:BUILTIN/server\040operators:r-x > group:NT\040Authority/system:rwx > group:NT\040Authority/authenticated\040users:r-x > mask::rwx > other::--- > default:user::rwx > default:user:root:rwx > default:user:BUILTIN/administrators:rwx > default:user:BUILTIN/server\040operators:r-x > default:user:NT\040Authority/system:rwx > default:user:NT\040Authority/authenticated\040users:r-x > default:group::--- > default:group:BUILTIN/administrators:rwx > default:group:BUILTIN/server\040operators:r-x > default:group:NT\040Authority/system:rwx > default:group:NT\040Authority/authenticated\040users:r-x > default:mask::rwx > default:other::--- > > ######### ATTRs ######## > > # BEFORE samba-tool ntacl sysvolreset > > # file: > home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI > user.DOSATTRIB=0sAAAFAAUAAAARAAAAIAAAABGDjqdErdsB > user.SAMBA_PAI=0sAgSADwAAAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAA=> > # file: > home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/ > user.DOSATTRIB=0sAAAFAAUAAAARAAAAEAAAAHJtj6dErdsB > user.SAMBA_PAI=0sAgSADwAPAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAAABZAAAAAAAwMYtAAAC/////wABZAAAAAMAxMYtAAMBxMYtAAMAx8YtAAMBx8YtAAsAwMYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAAMA3MYtAAMB3MYtAA=> > > # AFTER samba-tool ntacl sysvolreset > > # file: > home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI > user.SAMBA_PAI=0sAhSQDAAAAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=> > # file: > home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/ > user.SAMBA_PAI=0sAhSQDAAMAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAAAwMYtAAABwMYtAAAAwcYtAAABwcYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAAAAAAAAAC/////wABwMYtAAAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=> > > > What do you think about this ?Sorry, but I am not going to wade through that. Sysvol contains files and directories to be used by Windows GPOs and as such your output is meaningless to me. I do not really understand the output from 'SAMBA_PAI', whereas the output from 'samba-tool ntacl get <FILE> --as-sddl' is easily understood. From what I posted earlier: O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED) That shows the permissions in a form that Windows expects, the start 'O:DAG:DA' shows that the owner is 'DA' and the group is 'DA', (DA being Domain Admins) and everything inside each '(....)' is called an ACE and you can easily work out what each ACE allows and to whom. I repeat, I cannot recommend setting the permissions on sysvol in the way you are doing it, use sysvolreset and samba-tool to read them. Rowland
Klaas TJEBBES
2025-Apr-15 08:03 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
Hi Rowland (and others)
Here is what you were asking for.
As a sidenote, 'samba-tool ntacl get' is a bit buggy on some pathes.
I've left the tracebacks so you can understand what I'm talking about.
But nevertheless, there are some differences between before and after
'samba-tool ntacl sysvolreset'. This command does not set back the
access rights like Windows does.
# BEFORE samba-tool ntacl sysvolreset, just after creating a GPO in RSAT
root at addc:~# samba-tool ntacl get
/home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
--as-sddl
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2]
No
such file or directory:
'/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}/'
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
line
279, in _run
return self.run(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
206, in run
acl = getntacl(lp,
^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in
getntacl
return smbd.get_nt_acl(file,
^^^^^^^^^^^^^^^^^^^^^
root at addc:~# cd
/home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
root at
addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
ls -l
total 24
-rwxrwx---+ 1 BUILTIN/administrators users 68 avril 15 09:52 GPT.INI
drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:53 Machine
drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:52 User
root at
addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
samba-tool ntacl get . --as-sddl
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
root at
addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
samba-tool ntacl get GPT.INI --as-sddl
O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)
root at
addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
samba-tool ntacl get Machine/ --as-sddl
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2]
No
such file or directory: 'Machine/'
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
line
279, in _run
return self.run(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
206, in run
acl = getntacl(lp,
^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in
getntacl
return smbd.get_nt_acl(file,
^^^^^^^^^^^^^^^^^^^^^
# AFTER samba-tool ntacl sysvolreset
root at
addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
samba-tool ntacl get . --as-sddl
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
root at
addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
samba-tool ntacl get GPT.INI --as-sddl
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
root at
addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
samba-tool ntacl get Machine/ --as-sddl
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2]
No
such file or directory: 'Machine/'
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
line
279, in _run
return self.run(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
206, in run
acl = getntacl(lp,
^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in
getntacl
return smbd.get_nt_acl(file,
^^^^^^^^^^^^^^^^^^^^^
Le 14/04/2025 ? 16:38, Rowland Penny via samba a ?crit?:> On Mon, 14 Apr 2025 16:05:53 +0200
> Klaas TJEBBES via samba <samba at lists.samba.org> wrote:
>
>> This example I gave is from a test server. A simple setup with 1 DC,
>> 1 fileserver and 2 Windows clients.
>>
>> Setting access rights with setfacl was just to try to understand what
>> the problems was. I should have presented the problem otherwise, like
>> this :
>>
>> I create a GPO in RSAT. At that point, rights on GPO are OK, I can
>> modify it no problems.
>> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursivly.
>> I run 'samba-tool ntacl sysvolreset'. At that point, problem
occurs,
>> GPO can no longer be modified.
>> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursivly again.
>>
>> The diffs between ACLs and ATTRs before/after are :
>>
>> ############ ACLs ##################
>>
>> # BEFORE samba-tool ntacl sysvolreset
>>
>> # file:
>>
home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> # owner: BUILTIN/administrators
>> # group: users
>> user::rwx
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> user:DOM/domain\040admins:rwx
>> user:DOM/enterprise\040admins:rwx
>> user:NT\040Authority/enterprise\040domain\040controllers:r-x
>> group::---
>> group:users:---
>> group:BUILTIN/administrators:rwx
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> group:DOM/domain\040admins:rwx
>> group:DOM/enterprise\040admins:rwx
>> group:NT\040Authority/enterprise\040domain\040controllers:r-x
>> mask::rwx
>> other::---
>>
>> # file:
>>
home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> # owner: BUILTIN/administrators
>> # group: users
>> user::rwx
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> user:DOM/domain\040admins:rwx
>> user:DOM/enterprise\040admins:rwx
>> user:NT\040Authority/enterprise\040domain\040controllers:r-x
>> group::---
>> group:users:---
>> group:BUILTIN/administrators:rwx
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> group:DOM/domain\040admins:rwx
>> group:DOM/enterprise\040admins:rwx
>> group:NT\040Authority/enterprise\040domain\040controllers:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:BUILTIN/administrators:rwx
>> default:user:NT\040Authority/system:rwx
>> default:user:NT\040Authority/authenticated\040users:r-x
>> default:user:DOM/domain\040admins:rwx
>> default:user:DOM/enterprise\040admins:rwx
>> default:user:NT\040Authority/enterprise\040domain\040controllers:r-x
>> default:group::---
>> default:group:users:---
>> default:group:NT\040Authority/system:rwx
>> default:group:NT\040Authority/authenticated\040users:r-x
>> default:group:DOM/domain\040admins:rwx
>> default:group:DOM/enterprise\040admins:rwx
>> default:group:NT\040Authority/enterprise\040domain\040controllers:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> # AFTER samba-tool ntacl sysvolreset
>>
>> # file:
>>
home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> # owner: DOM/domain\040admins
>> # group: DOM/domain\040admins
>> user::rwx
>> user:root:rwx
>> user:BUILTIN/administrators:rwx
>> user:BUILTIN/server\040operators:r-x
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> group::rwx
>> group:BUILTIN/administrators:rwx
>> group:BUILTIN/server\040operators:r-x
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> mask::rwx
>> other::---
>>
>> # file:
>>
home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> # owner: DOM/domain\040admins
>> # group: DOM/domain\040admins
>> user::rwx
>> user:root:rwx
>> user:BUILTIN/administrators:rwx
>> user:BUILTIN/server\040operators:r-x
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> group::rwx
>> group:BUILTIN/administrators:rwx
>> group:BUILTIN/server\040operators:r-x
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN/administrators:rwx
>> default:user:BUILTIN/server\040operators:r-x
>> default:user:NT\040Authority/system:rwx
>> default:user:NT\040Authority/authenticated\040users:r-x
>> default:group::---
>> default:group:BUILTIN/administrators:rwx
>> default:group:BUILTIN/server\040operators:r-x
>> default:group:NT\040Authority/system:rwx
>> default:group:NT\040Authority/authenticated\040users:r-x
>> default:mask::rwx
>> default:other::---
>>
>> ######### ATTRs ########
>>
>> # BEFORE samba-tool ntacl sysvolreset
>>
>> # file:
>>
home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> user.DOSATTRIB=0sAAAFAAUAAAARAAAAIAAAABGDjqdErdsB
>>
user.SAMBA_PAI=0sAgSADwAAAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAA=>>
>> # file:
>>
home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> user.DOSATTRIB=0sAAAFAAUAAAARAAAAEAAAAHJtj6dErdsB
>>
user.SAMBA_PAI=0sAgSADwAPAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAAABZAAAAAAAwMYtAAAC/////wABZAAAAAMAxMYtAAMBxMYtAAMAx8YtAAMBx8YtAAsAwMYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAAMA3MYtAAMB3MYtAA=>>
>>
>> # AFTER samba-tool ntacl sysvolreset
>>
>> # file:
>>
home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>>
user.SAMBA_PAI=0sAhSQDAAAAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=>>
>> # file:
>>
home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>>
user.SAMBA_PAI=0sAhSQDAAMAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAAAwMYtAAABwMYtAAAAwcYtAAABwcYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAAAAAAAAAC/////wABwMYtAAAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=>>
>>
>>
>> What do you think about this ?
>
> Sorry, but I am not going to wade through that.
> Sysvol contains files and directories to be used by Windows GPOs and as
> such your output is meaningless to me. I do not really understand the
> output from 'SAMBA_PAI', whereas the output from 'samba-tool
ntacl get
> <FILE> --as-sddl' is easily understood.
>
>>From what I posted earlier:
>
>
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>
> That shows the permissions in a form that Windows expects, the start
> 'O:DAG:DA' shows that the owner is 'DA' and the group is
'DA', (DA
> being Domain Admins) and everything inside each '(....)' is called
an
> ACE and you can easily work out what each ACE allows and to whom.
>
> I repeat, I cannot recommend setting the permissions on sysvol in the
> way you are doing it, use sysvolreset and samba-tool to read them.
>
> Rowland
>
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Klaas TJEBBES
- P?le Logiciel Libre (EOLE)
- DSI
- Dijon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~