search for: oiciio

...te path names > # file: home/samba/users/ > # owner: root > # group: root > user::rwx > group::rwx > other::rwx > root at localhost:~# samba-tool ntacl get /home/samba/users --as-sddl > O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD) -------------------------------------------------------------------------------------------------------------------- Sorry for the bad format....I am fighting to get lists.samba.org into a newsreader without success (bloody Austr...

...user:root:rwx default:group::rwx default:group:domain\040users:rwx default:group:unix\040admins:r-x default:mask::rwx default:other::--- pi at raspberrypi:~ $ sudo samba-tool ntacl get /home/test --as-sddl .................. O:S-1-22-1-0G:DUD:PAI(A;;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;;0x001200a9;;;DU)(A;OICI;0x001200a9;;;S-1-5-21-1768301897-3342589593-1064908849-2122) So, whilst Samba shouldn't cause anything on Windows to crash, if you follow the wiki it doesn't crash (not for me anyway) . Who owns your share that you are...

...I go to the machine that holds the share and run 'samba-tool ntacl > get /srv/acl3 --as-sddl', I get this: > > O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;FA;;;S-1-22-1-0)(A;OICI;0x1200a9;;;DU)(A;OICI;0x1200a9;;;DU)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;S-1-22-2-0)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD) > > 'WD' is Windows speak for 'EVERYONE'. looks like a bug or misconfiguration. -slow -- SerNet Samba Team Lead https://samba.plus/ Samba Team Member https://samba.o...

...indows, but if I go to the machine that holds the share and run 'samba-tool ntacl get /srv/acl3 --as-sddl', I get this: O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;FA;;;S-1-22-1-0)(A;OICI;0x1200a9;;;DU)(A;OICI;0x1200a9;;;DU)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;S-1-22-2-0)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD) 'WD' is Windows speak for 'EVERYONE'. Rowland

..."[dfs]" ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ kl01.amtb-m.org.my/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU...

...is simply not there at the share's top level. It is there for the subdirectories. getfattr -n security.NTACL -d /the/top/directory says /the/top/directory: security.NTACL: No such attribute samba-tool ntacl returns O:S-1-22-1-0G:DUD:(A;;0x001f01ff;;;S-1-22-1-0)(A;;0x001200a9;;;DU)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD) which is probably what I see in the Windows security tab. But what is this derived from? Peter

...t; # owner: root >>> # group: root >>> user::rwx >>> group::rwx >>> other::rwx >>> root at localhost:~# samba-tool ntacl get /home/samba/users --as-sddl >>> O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD) >>> >> -------------------------------------------------------------------------------------------------------------------- >> >> Sorry for the bad format....I am fighting to get lists.samba.org into...

...hine that holds the share and run 'samba-tool > > ntacl get /srv/acl3 --as-sddl', I get this: > > > > O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;FA;;;S-1-22-1-0)(A;OICI;0x1200a9;;;DU)(A;OICI;0x1200a9;;;DU)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-2-0)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;S-1-22-2-0)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD) > > > > 'WD' is Windows speak for 'EVERYONE'. > > looks like a bug or misconfiguration. > > -slow > smb.conf has these: [global] .......... vfs objects = acl...

...em:rwx default:group:unix_admins:rwx default:mask::rwx default:other::--- >An extended attribute stored in Security.NTACL e.g. Here is my output command: samba-tool ntacl get /var/lib/samba/sysvol --as-sddl O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)(A;;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;; ;WD) >See here: >https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings >and here: > https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings?redirectedfrom=MSDN Sorry, I accessed the links, read...

...RIAAAAAABQA/wMfAAEBAAAAAAAFEgAAAAALGAAAAAzgAQIAAAAAAAUgAAAAIAIAAAAAGAC/AR4AAQIAAAAAAAUgAAAAIAIAAAALGAAAAACgAQIAAAAAAAUgAAAAJQIAAAAAGACpABIAAQIAAAAAAAUgAAAAJQIAAA== Big problem though, it is incomprehensible, so try this instead: samba-tool ntacl get /var/lib/samba/sysvol --as-sddl O:BAG:SYD:PAI(A;OICIIO;WOWDGRGWGX;;;CO)(A;OICIIO;GRGX;;;AU)(A;;0x001200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;0x001f03ff;;;SY)(A;OICIIO;WOWDGRGWGX;;;BA)(A;;0x001e01bf;;;BA)(A;OICIIO;GRGX;;;SO)(A;;0x001200a9;;;SO) Now, provided you have the key, you can easily decipher it, for instance, (A;OICIIO;WOWDGRGWGX;;;CO) is: (ACCESS_AL...

...s, you could create a 'root preexec' script. > >An extended attribute stored in Security.NTACL e.g. > Here is my output command: > samba-tool ntacl get /var/lib/samba/sysvol --as-sddl > O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;S-1-22-2-0)(A;;0x001200a9;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;; > ;WD) > > > Sorry, I accessed the links, read the content and found it very > complicated. I confess that I understood practically nothing. Yes it is a bit daunting, so lets take your example and pull it apart ;-) Th...

Hi Samba List, hope you're doing well all. We have realized a security audit of our Samba4 Active Directory. It returns that the security descriptors options of all our GPO objects are wrong. They should be : SE_DACL_AUTO_INHERITED SE_DACL_PRESENT instead of this, the options are by default : SE_DACL_PROTECTED SE_DACL_PRESENT We can change the options, but the "sysvolreset"

...-1) O:S-1-22-1-0G:S-1-5-21-33300784-995546578-3414580312-1121D:AI(A;OICI;FA;;;S-1-22-1-0)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;DA)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-5-21-33300784-995546578-3414580312-1121)(A;;FA;;;S-1-22-1-0)(A;;FA;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;DA)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD) The share mounts and I am a member of the correct groups CARLSON\peter at u2gui:~$ cat /etc/fstab //fs.carlson.lab/test /mnt/test cifs credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0 //f...

...ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;...

Hi Rowland >Hi Marcio, we would need more info, where are you migrating the home folders from ? and where to ? I copied Windows Server 2008 folders and permissions with ROBOCOPY to my Samba 4 server. >I know you mentioned a Win 2008 server, are the home folders stored on that ? The personal folders were stored on it (Windows), but now they are on my new Samba 4 file server. >Another

Hai, ? im running samba 4.2.2 sernet on debian. ? when i run : samba-tool gpo aclcheck -UAdministrator ? im getting : ERROR: Invalid GPO ACL O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) and it tells me it should be O:DAG:DAD:P? (A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;...

...UTHORITY\SYSTEM Allow  FullControl          BUILTIN\Administrators Allow  268435456          BUILTIN\Administrators Allow  Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize          BUILTIN\Server Operators Allow  ReadAndExecute, Synchronize Audit  : Sddl   : O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;G          A;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)   The one with numbers like CREATOR OWNER Allow  268435456 Are users/groups with special rights.     2) and just now created GPO,...

...oot >>>>> user::rwx >>>>> group::rwx >>>>> other::rwx >>>>> root at localhost:~# samba-tool ntacl get /home/samba/users --as-sddl >>>>> O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD) >>>>> >>>> -------------------------------------------------------------------------------------------------------------------- >>>> >>>> Sorry for the bad format....I am fighti...

...A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;;;;WD)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG) I tried adding the sgid bit and restarting samba but there was no change in the results.

...p:domain\040users:rwx > default:group:unix\040admins:r-x > default:mask::rwx > default:other::--- > > pi at raspberrypi:~ $ sudo samba-tool ntacl get /home/test --as-sddl > > .................. > > O:S-1-22-1-0G:DUD:PAI(A;;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;;0x001200a9;;;DU)(A;OICI;0x001200a9;;;S-1-5-21-1768301897-3342589593-1064908849-2122) > > So, whilst Samba shouldn't cause anything on Windows to crash, if you > follow the wiki it doesn't crash (not for me anyway) . Who owns your &gt...