14927 – sysvolcheck and sysvolreset don't handle deny ACEs

Bug 14927 - sysvolcheck and sysvolreset don't handle deny ACEs

Summary: sysvolcheck and sysvolreset don't handle deny ACEs

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.15.2
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Duplicates (5):	9542 10606 11309 12236 15518 (view as bug list)
Depends on:
Blocks:

Reported:	2021-12-06 16:00 UTC by Björn Jacke
Modified:	2025-03-19 15:57 UTC (History)
CC List:	12 users (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/2281

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Björn Jacke 2021-12-06 16:00:26 UTC

if an admin applies delegation on GPOs and denies access to cerain trustees, then the next samba-tool ntacl sysvolreset will discard the deny ACEs. Next time MMC opend that GPO it will complain that ther permissions don't match and suggests to fix it, which will also work (till sysvolreset strikes again).

WIP merge request is linked.

Comment 1 Björn Jacke 2021-12-06 16:07:03 UTC

if an admin applies delegation on GPOs and denies access to cerain trustees, then the next samba-tool ntacl sysvolreset will discard the deny ACEs. Next time MMC opend that GPO it will complain that ther permissions don't match and suggests to fix it, which will also work (till sysvolreset strikes again).

WIP merge request is linked.

Comment 2 Björn Jacke 2021-12-07 16:18:59 UTC

*** Bug 12236 has been marked as a duplicate of this bug. ***

Comment 3 Björn Jacke 2021-12-07 17:14:27 UTC

*** Bug 9542 has been marked as a duplicate of this bug. ***

Comment 4 Björn Jacke 2021-12-07 17:19:04 UTC

*** Bug 10606 has been marked as a duplicate of this bug. ***

Comment 5 Björn Jacke 2021-12-07 17:19:39 UTC

*** Bug 11309 has been marked as a duplicate of this bug. ***

Comment 6 Ralph Böhme 2023-11-13 16:32:33 UTC

*** Bug 15518 has been marked as a duplicate of this bug. ***

Comment 7 Samba QA Contact 2025-03-19 15:57:14 UTC

This bug was referenced in samba master:

3e572824dcafc6544320bb1b306063035f1ecc37
29df0b6691d67816b146549b5b18883505a55649
62c8dc9fa1f00dd178468edf23d35f6316fce800
301c36d1ad6d81e4983001c607d501bea7551014
ff0e0045ed5ec619e8ef1910c0b72eb118f59bd3
20129d16dc30a2ab9ad0ae04fec5cf007ebb035d