
Re: [Samba] "missing security tab" and related ACL issues

On 07.09.18 at 16:20, Rowland Penny via samba wrote:
On Fri, 7 Sep 2018 15:36:15 +0200
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:

On 07.09.18 at 15:25, Rowland Penny via samba wrote:

From what you have posted it doesn't, but when you do get them
working, you need to understand that EAs and ACLs can work
together or independently.
If 'acl_xattr:ignore system acls = yes' is set, they work
independently; if it isn't, they work together. See 'man
vfs_acl_xattr' for more info.

Ok, I will try to remember, so far I have other non-samba issues, see
below.

?? no "domänen-admins" in here

We need to find if the group has actually disappeared.

Run this on a DC:

ldbsearch -H ldap://dc3 '(samaccountname=Domain Admins)' -UAdministrator

Replace 'dc3' with the DC's name.

It should display the Domain Admins object

The DC there is a windows server ...

I think: no ->

# ldbsearch -H ldap://dc1 '(samaccountname=Domain Admins)' -UAdministrator

[..]

# returned 3 records
# 0 entries
# 3 referrals


I wonder if someone (for whatever reason) has renamed Domain Admins ?

Create a script 'get_admins.sh'

Containing this:

#!/bin/bash
# Find the domain SID, then look up the group by the well-known RID 512
# (Domain Admins), which works whatever the group is currently named.

DC=$1
PASS=$2
DOM=$3

# objectSid is printed as a string (S-1-5-21-...), so the last field is the SID.
DOMSID=$(ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
          "(&(objectclass=domain)(name=$DOM))" objectSid | grep objectSid | \
          awk '{print $NF}')

ldbsearch -U Administrator --password="$PASS" -H ldap://"$DC" \
"(objectSid=${DOMSID}-512)"

exit 0

Run it like this:

bash ./get_admins.sh DC PASSWORD WORKGROUP

Replace:
DC with your DC's hostname

PASSWORD with your Administrator password

WORKGROUP with your lowercase workgroup name

If the SID-512 exists, it will display the object for that objectSid.

yep, thanks.

I get


# record 1
dn: CN=Domänen-Admins,CN=Users,DC=mydomain,DC=intra
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
description:: QWRtaW5pc3RyYXRvcmVuIGRlciBEb23DpG5l
member: CN=MI,CN=Users,DC=mydomain,DC=intra
member: CN=Administrator,CN=Users,DC=mydomain,DC=intra
distinguishedName:: Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPW5vcmFzLERDPWludH
 Jh
instanceType: 4
whenCreated: 20130218123437.0Z
whenChanged: 20180507150906.0Z
uSNCreated: 12345
memberOf: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=mydomain,DC=i
 ntra
memberOf: CN=Administratoren,CN=Builtin,DC=mydomain,DC=intra
uSNChanged: 55909177
name:: RG9tw6RuZW4tQWRtaW5z
objectGUID: 7e533ce7-d6e6-47c4-baf2-0730b2e6f580
objectSid: S-1-5-21-2034248556-467506829-2175355384-512
adminCount: 1
sAMAccountName:: RG9tw6RuZW4tQWRtaW5z
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=intra
isCriticalSystemObject: TRUE
dSCorePropagationData: 20171116130219.0Z
dSCorePropagationData: 20130516110155.0Z
dSCorePropagationData: 20130516103841.0Z
dSCorePropagationData: 20130218133156.0Z
dSCorePropagationData: 16010101000000.0Z

But

# net rpc rights grant "Domänen-Admins" SeDiskOperatorPrivilege -U "mydomain\administrator"

fails

also for "mydomain\Domänen-Admins"

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
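The thread turns on two details of the ldbsearch output above: the group's real name is localized (Domänen-Admins), so a search by the English sAMAccountName returns nothing, and non-ASCII attribute values come back base64-encoded (the "::" form) with long values folded across lines. The following is an added example, not code from the thread or from Samba: it parses a copy of the record quoted above (constructed here, anonymized as in the post) to recover the decoded group name and split the objectSid into domain SID and RID, and builds the RID-512 filter the script in the thread uses. It assumes GNU coreutils `base64 -d` and bash; the `SAMPLE_LDIF` variable and all function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the thread or Samba). Parse ldbsearch LDIF output to
# get the localized group name and its RID, so the well-known RID 512 can be
# matched even when the CN is not "Domain Admins".
# SAMPLE_LDIF is constructed from the record quoted in the thread.

SAMPLE_LDIF='# record 1
dn: CN=Domänen-Admins,CN=Users,DC=mydomain,DC=intra
objectClass: top
objectClass: group
cn:: RG9tw6RuZW4tQWRtaW5z
member: CN=Administrator,CN=Users,DC=mydomain,DC=intra
memberOf: CN=Abgelehnte RODC-Kennwortreplikationsgruppe,CN=Users,DC=mydomain,DC=i
 ntra
objectSid: S-1-5-21-2034248556-467506829-2175355384-512
sAMAccountName:: RG9tw6RuZW4tQWRtaW5z
groupType: -2147483646'

# Join LDIF continuation lines (a line starting with one space continues the
# previous line) and drop "#" comment lines.
unfold_ldif() {
    awk '
        /^#/ { next }
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# Print every value of attribute $1 from LDIF on stdin, base64-decoding values
# written with "::" (the form ldbsearch uses for non-ASCII strings).
ldif_attr() {
    local attr="$1" line
    unfold_ldif | while IFS= read -r line; do
        case "$line" in
            "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; printf '\n' ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# The RID is the last sub-authority of a SID; the domain SID is the rest.
sid_rid()    { printf '%s\n' "${1##*-}"; }
sid_domain() { printf '%s\n' "${1%-*}"; }

# LDAP filter for the group with RID 512 in the domain a SID belongs to;
# this is the filter the thread's get_admins.sh script builds.
admins_filter() { printf '(objectSid=%s-512)\n' "$(sid_domain "$1")"; }

group_name() { printf '%s' "$SAMPLE_LDIF" | ldif_attr sAMAccountName; }
group_sid()  { printf '%s' "$SAMPLE_LDIF" | ldif_attr objectSid; }

# Stand-alone run: show what the localized record actually contains.
# On a real DC the same functions take live output, e.g.
#   ldbsearch -H ldap://dc1 -UAdministrator '(objectSid=<DOMSID>-512)' | ldif_attr sAMAccountName
printf 'name: %s\n' "$(group_name)"
printf 'domain SID: %s  RID: %s\n' "$(sid_domain "$(group_sid)")" "$(sid_rid "$(group_sid)")"
printf 'filter: %s\n' "$(admins_filter "$(group_sid)")"
```

The decoded sAMAccountName is the name `net rpc rights grant` has to be given; the RID is what identifies the group as Domain Admins regardless of that name, which is why the thread's lookup by `(objectSid=<DOMSID>-512)` finds the object while `(samaccountname=Domain Admins)` does not.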