Dear all,
I would appreciate your support for managing the DACL of group policy objects on a Samba AD DC.

For testing purposes I need to modify the DACL of an existing GPO to be:

1. Empty DACL
2. NULL DACL

Up to now I have not been able to find a way to accomplish this task. Microsoft RSAT tools allow emptying the DACL, but the empty DACL is not stored in the directory.

Command line tools on the Samba DC (ldapmodify, ldbedit) accept an empty DACL, but do not store it in the directory, either. Instead the current DACL is kept unchanged.

Is there a feasible way to get these special DACLs stored in the directory?
I suspect you may need to look at the sd_flags control.
Cheers,

Garming

On 04/01/18 06:25, Thomas A. Reim via samba-technical wrote:
> Dear all,
>
> I would appreciate your support for managing the DACL of group policy
> objects on a Samba AD DC.
>
> For testing purposes I need to modify the DACL of an existing GPO to be:
>
> 1. Empty DACL
>
> 2. NULL DACL
>
> Up to now I have not been able to find a way to accomplish this task.
> Microsoft RSAT tools allow to empty the DACL, but the empty DACL is
> not stored in the directory.
>
> Command line tools on the Samba DC (ldapmodify, ldbedit) accept an
> empty DACL, but do not store it in the directory, either. Instead the
> current DACL is kept unchanged.
>
> Is there a feasible way to get these special DACLs stored in the
> directory?
On Wed, 2018-01-03 at 18:25 +0100, Thomas A. Reim via samba-technical
wrote:
> Dear all,
>
> I would appreciate your support for managing the DACL of group policy
> objects on a Samba AD DC.
>
> For testing purposes I need to modify the DACL of an existing GPO to be:
>
> 1. Empty DACL
>
> 2. NULL DACL
>
> Up to now I have not been able to find a way to accomplish this task.
> Microsoft RSAT tools allow to empty the DACL, but the empty DACL is not
> stored in the directory.
>
> Command line tools on the Samba DC (ldapmodify, ldbedit) accept an empty
> DACL, but do not store it in the directory, either. Instead the current
> DACL is kept unchanged.
>
> Is there a feasible way to get these special DACLs stored in the directory?

I'm not entirely sure what you want to do, but I will note that Samba refuses to consider a totally missing ntSecurityDescriptor to be an 'allow all', and just refuses all operations instead.

    sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
    if (sd_element == NULL) {
            return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS,
                             "nTSecurityDescriptor is missing");
    }
    if (sd_element->num_values != 1) {
            return ldb_operr(ldb);
    }

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
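The empty-versus-NULL distinction from the question and Garming's sd_flags hint, as an added Python example that is not part of this thread: it builds self-relative security descriptors with a NULL DACL and with an empty DACL, tells the two apart from the raw bytes, and BER-encodes the value of the sd_flags control (OID 1.2.840.113556.1.4.801) that asks the DC to write only the DACL portion. Structure layouts follow MS-DTYP; the SIDs and access mask are constructed sample values, and nothing here talks to a DC.

```python
import struct

# SECURITY_DESCRIPTOR_CONTROL bits (MS-DTYP) and the SECURITY_INFORMATION bit
# that the LDAP sd_flags control (OID 1.2.840.113556.1.4.801) takes.
SE_DACL_PRESENT, SE_SELF_RELATIVE, DACL_SECURITY_INFORMATION = 0x0004, 0x8000, 0x04
SD_HEADER = "<BBHIIII"  # Revision, Sbz1, Control, OffOwner, OffGroup, OffSacl, OffDacl

def sid_to_bytes(sid_str):
    """Pack an 'S-1-5-32-544' style string into the binary SID format."""
    parts = [int(p) for p in sid_str.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def allow_ace(mask, sid_str):
    """ACCESS_ALLOWED_ACE (type 0x00): header, access mask, trustee SID."""
    sid = sid_to_bytes(sid_str)
    return struct.pack("<BBHI", 0x00, 0x00, 8 + len(sid), mask) + sid

def build_sd(owner, group, dacl):
    """Self-relative SD without SACL. dacl=None gives a NULL DACL (SE_DACL_PRESENT
    clear, OffsetDacl 0); a list of ACE blobs gives a present DACL, [] an empty one."""
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    control, body, off_dacl = SE_SELF_RELATIVE, owner_b + group_b, 0
    if dacl is not None:
        control |= SE_DACL_PRESENT
        aces = b"".join(dacl)
        off_dacl = 20 + len(body)
        # ACL header: AclRevision 4 (ACL_REVISION_DS), Sbz1, AclSize, AceCount, Sbz2
        body += struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(dacl), 0) + aces
    return struct.pack(SD_HEADER, 1, 0, control, 20, 20 + len(owner_b), 0, off_dacl) + body

def dacl_state(sd):
    """Classify a self-relative SD's DACL as 'null', 'empty' or '<n> ace(s)'. Windows
    grants everyone access on a NULL DACL but nobody on an empty one: test both."""
    hdr = struct.unpack_from(SD_HEADER, sd, 0)
    control, off_dacl = hdr[2], hdr[6]
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return "null"
    ace_count = struct.unpack_from("<H", sd, off_dacl + 4)[0]
    return "empty" if ace_count == 0 else f"{ace_count} ace(s)"

def sd_flags_control_value(flags):
    """BER value of the sd_flags control: SEQUENCE { INTEGER flags }. Sending it
    with DACL_SECURITY_INFORMATION tells the DC to replace only the DACL part."""
    body = flags.to_bytes(max(1, (flags.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # DER INTEGER is signed: pad so the value stays positive
        body = b"\x00" + body
    return bytes([0x30, len(body) + 2, 0x02, len(body)]) + body
```

With Samba's ldb tools the same control is written as `--controls=sd_flags:1:4` (criticality 1, flags 4 = DACL_SECURITY_INFORMATION), so the modify touches only the DACL and leaves owner, group and SACL as they are.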