
[Samba] editing GPO as user X, when user X is used in gpo security filter
Hello,

I'm using samba 4.9.x compiled from source on centos 7.6

Today I ran into a behaviour I hadn't seen before, which I'm not sure is a bug, a feature or.. just "is".

I realised that I'm unable to edit particular GPOs, getting an "access denied" error, when these criteria are met:

- I have user "john" that is a member of "domain admins"

- to any new or existing GPO I explicitly add user "john" to "security filter"

- I'm editing the GPO from a workstation to which I'm logged in as user "john"

You can substitute "john" with any other username, i.e. it's not tied to a particular account, as long as the criteria above are met.

Things like "wbinfo -i" and getfacl run on any of the GPOs return expected values; all GPOs are owned by "domain admins" (both user and group).

What happens is:

I can open the GPO to edit, I can try to change something, but whenever I try to accept the changes, there is an "access denied" error. To make it clear: the policy is processed by domain clients as it should be, and settings are applied; the error occurs ONLY when editing under the criteria above. So "john" will get the settings applied, even though he can't edit.

As soon as I remove "john" from the security filter OR log in as another domain admin, I can edit the GPO without error. I'm 100% certain it's not user "john"'s fault, as I can just as easily reproduce it with another user, as long as:

- the user that is logged in is a member of "domain admins" and is editing a GPO with himself added to the GPO security filter


It's not a big issue, and easy to circumvent, that's why I'm not even sure if it's a bug, or maybe a feature. I bumped into this by accident, as I wanted to test something using my domain admin account and not a different test account, and using trial and error pinpointed what caused the GPO edit error.


I tested this using Windows 10 and Windows 2012 R2 clients with the latest updates.

I asked around people using pure Microsoft Windows 2016 AD DCs and they couldn't reproduce this behaviour.

What I'd like to know is whether this is something that is expected, or whether there is an error in my domain?

Regards,

Kacper
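The report above compares getfacl output on the affected GPOs with the expected ownership. Adding a principal to a GPO's security filter changes two things: the ACL on the groupPolicyContainer object in AD and the ACL on the GPO's sysvol folder. The script below, an added example and not code from the original post or from the Samba project, automates the filesystem half of that check across every GPO on a DC: it pulls the GPO GUIDs from `samba-tool gpo listall`, runs getfacl on each policy folder, and prints the ACEs that name the principal being investigated. It assumes `samba-tool` and `getfacl` are on PATH, that sysvol lives under `SYSVOL_ROOT` (the default path is an assumption; override it for your install), and that the principal is passed exactly as getfacl prints it (for example with the winbind domain separator, if your configuration shows one). The sample listall and getfacl text used for testing is constructed.

```shell
#!/bin/sh
# gpo_acl_audit.sh: list the sysvol ACEs a given principal holds on every GPO.
# Added example; the SYSVOL_ROOT default below is an assumption about the
# install layout, not something the original post states.

SYSVOL_ROOT="${SYSVOL_ROOT:-/var/lib/samba/sysvol}"   # assumed default path

# Read `samba-tool gpo listall` output on stdin and emit each GPO GUID once.
# Only the {GUID} pattern is relied on, not the exact field labels, because
# the same GUID also appears in the dn and path fields.
extract_gpo_guids() {
    grep -oE '\{[0-9A-Fa-f-]{36}\}' | sort -u
}

# Read getfacl output on stdin and print the named ACEs for the principal
# given as $1 (user:NAME:... or group:NAME:..., with or without a "default:"
# prefix). The match is literal via index(), so names containing regex
# characters or backslashes are safe; the value is passed through the
# environment because `awk -v` would interpret backslash escapes.
# Exit status is 0 when at least one ACE matched, 1 otherwise.
acl_entries_for() {
    PRINCIPAL="$1" awk '
        { line = $0; sub(/^default:/, "", line) }
        index(line, "user:"  ENVIRON["PRINCIPAL"] ":") == 1 ||
        index(line, "group:" ENVIRON["PRINCIPAL"] ":") == 1 { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Walk every GPO on this DC and report whether PRINCIPAL ($1) has an explicit
# ACE on its sysvol folder for the DNS domain given as $2.  Needs a live DC.
audit_gpo_acls() {
    audit_principal="$1"
    audit_domain="$2"
    samba-tool gpo listall | extract_gpo_guids | while read -r guid; do
        dir="$SYSVOL_ROOT/$audit_domain/Policies/$guid"
        if [ ! -d "$dir" ]; then
            echo "$guid: sysvol directory missing ($dir)"
            continue
        fi
        if entries=$(getfacl -p "$dir" 2>/dev/null | acl_entries_for "$audit_principal"); then
            echo "$guid: explicit ACE for '$audit_principal' -> $(printf '%s' "$entries" | tr '\n' ' ')"
        else
            echo "$guid: no explicit ACE for '$audit_principal'"
        fi
    done
}

# Usage on a DC: ./gpo_acl_audit.sh john example.test
if [ $# -eq 2 ]; then
    audit_gpo_acls "$1" "$2"
fi
```

A GPO that lists the principal with `r-x` (what security filtering grants) but also shows the editing user's group, such as "domain admins", with `rwx` has a consistent filesystem ACL; if a folder shows only the filter ACE and nothing that grants write to the editor, that is the place to look next, together with `samba-tool ntacl sysvolcheck` and the ACL on the matching groupPolicyContainer object in AD.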




