Samba AD: GPO with empty or null DACL


Samba AD: GPO with empty or null DACL

Samba - samba-technical mailing list
Dear all,

I would appreciate your support for managing the DACL of group policy
objects on a Samba AD DC.

For testing purposes I need to modify the DACL of an existing GPO to be:

1. Empty DACL

2. NULL DACL

Up to now I have not been able to find a way to accomplish this task.
Microsoft RSAT tools allow emptying the DACL, but the empty DACL is not
stored in the directory.

Command line tools on the Samba DC (ldapmodify, ldbedit) accept an empty
DACL, but do not store it in the directory, either. Instead the current
DACL is kept unchanged.

Is there a feasible way to get these special DACLs stored in the directory?



Re: Samba AD: GPO with empty or null DACL

Samba - samba-technical mailing list
I suspect you may need to look at the sd_flags control.


Cheers,

Garming


On 04/01/18 06:25, Thomas A. Reim via samba-technical wrote:

> Dear all,
>
> I would appreciate your support for managing the DACL of group policy
> objects on a Samba AD DC.
>
> For testing purposes I need to modify the DACL of an existing GPO to be:
>
> 1. Empty DACL
>
> 2. NULL DACL
>
> Up to now I have not been able to find a way to accomplish this task.
> Microsoft RSAT tools allow emptying the DACL, but the empty DACL is
> not stored in the directory.
>
> Command line tools on the Samba DC (ldapmodify, ldbedit) accept an
> empty DACL, but do not store it in the directory, either. Instead the
> current DACL is kept unchanged.
>
> Is there a feasible way to get these special DACLs stored in the
> directory?
>
>



Re: Samba AD: GPO with empty or null DACL

Samba - samba-technical mailing list
On Wed, 2018-01-03 at 18:25 +0100, Thomas A. Reim via samba-technical
wrote:

> Dear all,
>
> I would appreciate your support for managing the DACL of group policy
> objects on a Samba AD DC.
>
> For testing purposes I need to modify the DACL of an existing GPO to be:
>
> 1. Empty DACL
>
> 2. NULL DACL
>
> Up to now I have not been able to find a way to accomplish this task.
> Microsoft RSAT tools allow emptying the DACL, but the empty DACL is not
> stored in the directory.
>
> Command line tools on the Samba DC (ldapmodify, ldbedit) accept an empty
> DACL, but do not store it in the directory, either. Instead the current
> DACL is kept unchanged.
>
> Is there a feasible way to get these special DACLs stored in the directory?

I'm not entirely sure what you want to do, but I will note that Samba
refuses to consider a totally missing ntSecurityDescriptor to be an
'allow all', and just refuses all operations instead.

        sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
        if (sd_element == NULL) {
                return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS,
                                 "nTSecurityDescriptor is missing");
        }

        if (sd_element->num_values != 1) {
                return ldb_operr(ldb);
        }

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba
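To make the distinction the thread is about concrete, here is an added example (not from the thread or from Samba's own code) that builds minimal self-relative security descriptors with an empty DACL and with a NULL DACL, classifies a descriptor from its wire format, and mirrors Andrew's point that a missing descriptor must be a deny rather than an allow-all. It assumes descriptors with no owner, group or SACL and does not talk to a DC; the offsets and control bits follow MS-DTYP.

```python
import struct

# SECURITY_DESCRIPTOR control bits and fixed sizes (MS-DTYP 2.4.6, 2.4.5)
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 4   # ACL revision used by Active Directory
SD_HEADER_LEN = 20    # Revision, Sbz1, Control, 4 x 32-bit offsets
ACL_HEADER_LEN = 8    # AclRevision, Sbz1, AclSize, AceCount, Sbz2


def build_sd(dacl_kind):
    """Constructed minimal self-relative descriptor, no owner/group/SACL.
    'null': SE_DACL_PRESENT clear and OffsetDacl 0.
    'empty': SE_DACL_PRESENT set, ACL header with AceCount 0."""
    if dacl_kind == "null":
        control, dacl, offset_dacl = SE_SELF_RELATIVE, b"", 0
    elif dacl_kind == "empty":
        control = SE_SELF_RELATIVE | SE_DACL_PRESENT
        dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, ACL_HEADER_LEN, 0, 0)
        offset_dacl = SD_HEADER_LEN
    else:
        raise ValueError(dacl_kind)
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, offset_dacl) + dacl

def classify_dacl(sd):
    """Return 'null', 'empty' or 'populated' for a self-relative descriptor."""
    if len(sd) < SD_HEADER_LEN:
        raise ValueError("descriptor shorter than its fixed header")
    rev, _, control, _, _, _, off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative descriptor")
    # Flag clear, or flag set with a zero offset: NULL DACL, which Windows
    # treats as granting everyone full access.
    if not control & SE_DACL_PRESENT or off == 0:
        return "null"
    if off + ACL_HEADER_LEN > len(sd):
        raise ValueError("DACL offset points past end of descriptor")
    ace_count = struct.unpack_from("<BBHHH", sd, off)[3]
    # Present with zero ACEs grants nothing, so every access is denied.
    return "empty" if ace_count == 0 else "populated"

def access_decision(sd):
    """Mirror the Samba check quoted above: a missing descriptor is a deny,
    never an allow-all. Returns 'deny', 'allow-all' or 'evaluate-aces'."""
    if sd is None:
        return "deny"   # LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS in Samba
    kind = classify_dacl(sd)
    return {"null": "allow-all", "empty": "deny"}.get(kind, "evaluate-aces")
```

When auditing GPO descriptors pulled from the directory, the 'null' class is the one to alarm on, since it silently grants everyone full control while looking like "no permissions" in a casual listing.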