search for: sddl

On two Samba 4.4.2/4.4.3 member servers, "samba-tool ntacl get --as-sddl" gives the following error: ERROR: Unable to read domain SID from configuration files Which configuration files is it referring to? Without "--as-sddl" the command gives a correct output. It would be nice to get the permissions in sddl format... The same command works as expecte...

> Hi, this is because when you use '--as-sddl', the python code does this: > > if as_sddl: > try: > domain_sid = security.dom_sid(samdb.domain_sid) > except: > raise CommandError("Unable to read domain SID from > configuration files") >...

...File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", > line 1786, in check_dir_acl > raise ProvisioningError('%s ACL on GPO directory %s %s does not > match expected value %s from GPO object' % > (acl_type(direct_db_access), path, fsacl_sddl, acl)) its a bit like 'wack a mole', just keep running sysvolreset :-D Rowland

Hi, i was not able to find anything about my issue in the bug-tracker, the mailinglist or the release notes. We see the following issue using samba-tool dsacl: samba-tool dsacl set --objectdn "cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de" --sddl='(A;CI;GA;;;DD)' new descriptor for cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de: O:DAG:DAD:AI(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) Unknown flag - S:AI(A;CI;GA;;...

...w create a new policy. Are the rights ok, yes. Then fix/verify the share and security rights on sysvol again. No,.. Uhh... Thats not what im expecting.. ;-) After you have corrected the share and security rights. DONT use sysvolreset anymore. These are my outputs. samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/ O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01f f;;;SY)(A;OICI;0x001200a9;;;AU) samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/ O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01f f;;;SY)(A;OICI;0x001...

> > However the acls via getfacl for the two GPO's are identical. Your sure? > I don't know if that will be problematic down the road or not. No, thats fine. But run on the 2 folders : samba-tool ntacl get --as-sddl FOLDERHERE Compair the 2 outputs. There must be a difference. Well, at least it works now for you.. Greetz, Louis

For completeness: The existing GPO: # samba-tool ntacl get --as-sddl \{07AF723D-5FFD-4807-B3C6-DFCE911B922A\}/ O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) The newly created GPO: # samba-tool ntacl get --as-sddl \{0C0B713E-EE65-4A...

...samba-tool dsacl set --objectdn "cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de" --sddl='(A;CI;GA;;;DD)'...

...acls is set to yes, the following additional settings will be enforced: ??? create mask = 0666 ??? directory mask = 0777 RTFM, indeed... Sorry for the noise... > You can read these on Linux with: > sudo samba-tool ntacl get /srv/samba/profiles --as-sddl I've not understood why you as me this, but, anyway: root at vdmacpn1:~# samba-tool ntacl get /srv/samba/profiles --as-sddl O:S-1-5-21-2656668478-4232595426-3015587126-1106G:S-1-5-21-2656668478-4232595426-3015587126-1104D:P(A;;0x001f01ff;;;S-1-5-21-2656668478-4232595426-3015587126-1106)(A;;...

Hi, I try to find a solution for migrating files from a samba server with share access configure at share level in the smb.conf to a new fileserver with Windows ACL configured shares. I did a rsync from the old share to the new server and tried to set the ACL on windows with the "Computer Manager“. But I get an error when applying the rights that the enumerating of objects in the container

Mandi! Rowland Penny via samba In chel di` si favelave... > S-1-5-21-160080369-3601385002-3131615632-1314 Bingo! Exactly the 'Restricted' group that own the users i use for generico LDAP access! I really think that we have found the trouble! Now... how can i fix it? ;-) And... why that vaule get not propagated?! Thanks. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66

...t at localhost:~# getfacl /home/samba/users/ > getfacl: Removing leading '/' from absolute path names > # file: home/samba/users/ > # owner: root > # group: root > user::rwx > group::rwx > other::rwx > root at localhost:~# samba-tool ntacl get /home/samba/users --as-sddl > O:LAG:S-1-22-2-0D:(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;S-1-22-2-0)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)(A;OICIIO;0x001200a9;;;WD) -------------------------------------------------------------------------------------------------------------------- Sorry for t...

...the cause, but it isn't being helped by Anderson using the wrong tool to check the permissions, he should be using samba-tool because this is a DC and the permissions are stored in an EA. I suggest he posts the output of: sudo samba-tool ntacl get /usr/local/samba/var/lib/samba/sysvol --as-sddl Rowland

I get this error when I run samba-tool ntacl sysvolcheck ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)) There are two GPO directories. One is the Default Domain Controllers Policy and one is the Default Domain Policy It looks like it's the Default Domain Policy that's giving me the problem -- the directory name matches the dn and sysvolcheck doesn't mention the other Policy d...

...t > > do you happen to know what the + is at the end of the permissions?? I > can't find that in the docs. It shows that posix acls are set (the ones shown by getfacl), if you want to see the ACL's set from Windows, in a readable way, try: samba-tool ntacl get /data/test --as-sddl Rowland

...OU samba-tool user add? ${TestUser} ${TestUserPWD} --userou OU=${TestOU} # add TestUser to TestGroup samba-tool group addmembers ${TestGroup} ${TestUser} # set OWNER RIGHTS only for OU Test1_with_Owner-Rights samba-tool dsacl set --objectdn "OU=Test1_with_Owner-Rights,${Test_OU_DN}" --sddl="(A;CI;RPLCRC;;;S-1-3-4)" # get groupid and sid from TestGroup # groupid=$(samba-tool group show ${TestGroup} --attributes=objectGUID | grep objectGUID | cut -d " " -f2 -) sid=$(samba-tool group show ${TestGroup} --attributes=objectSid | grep objectSid | cut -d " "...

...268435456          NT AUTHORITY\SYSTEM Allow  FullControl          BUILTIN\Administrators Allow  268435456          BUILTIN\Administrators Allow  Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize          BUILTIN\Server Operators Allow  ReadAndExecute, Synchronize Audit  : Sddl   : O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;G          A;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)   The one with numbers like CREATOR OWNER Allow  268435456 Are users/groups with special rights.     2)...

...! Thanks. Well, because you have added this line: acl_xattr:ignore system acls = yes It does exactly what it says, Samba ignores the Unix attrs, the 'ugo' ones (rwx), so what have you set from Windows ? You can read these on Linux with: sudo samba-tool ntacl get /srv/samba/profiles --as-sddl Rowland

...group:domain\040users:r-x group:unix\040admins:r-x mask::rwx other::r-x default:user::rwx default:user:root:rwx default:group::rwx default:group:domain\040users:rwx default:group:unix\040admins:r-x default:mask::rwx default:other::--- pi at raspberrypi:~ $ sudo samba-tool ntacl get /home/test --as-sddl .................. O:S-1-22-1-0G:DUD:PAI(A;;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-22-1-0)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;;0x001200a9;;;DU)(A;OICI;0x001200a9;;;S-1-5-21-1768301897-3342589593-1064908849-2122) So, whilst Samba shouldn't cause anything on Windows to crash,...

...de. >> >> Thanks, Peter >> > Have you tried: getfattr -n security.NTACL -d /the/top/directory > > You have to explicitly ask for it. > > Unfortunately, you will not understand the output, so try this as well: > > samba-tool ntacl get /the top/directory --as-sddl > > Rowland > > > Thanks for your reply. The getfattr -d -e hex -m - (note the minus sign after the -m) does retrieve all existing attributes, including security.NTACL. It is simply not there at the share's top level. It is there for the subdirectories. getfattr -n security...