Bug 14927 - sysvolcheck and sysvolreset don't handle deny ACEs
Summary: sysvolcheck and sysvolreset don't handle deny ACEs
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.15.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
: 9542 10606 11309 12236 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-12-06 16:00 UTC by Björn Jacke
Modified: 2023-05-08 02:04 UTC (History)
6 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Björn Jacke 2021-12-06 16:00:26 UTC 
if an admin applies delegation on GPOs and denies access to cerain trustees, then the next samba-tool ntacl sysvolreset will discard the deny ACEs. Next time MMC opend that GPO it will complain that ther permissions don't match and suggests to fix it, which will also work (till sysvolreset strikes again).

WIP merge request is linked.
Comment 1 Björn Jacke 2021-12-06 16:07:03 UTC 
if an admin applies delegation on GPOs and denies access to cerain trustees, then the next samba-tool ntacl sysvolreset will discard the deny ACEs. Next time MMC opend that GPO it will complain that ther permissions don't match and suggests to fix it, which will also work (till sysvolreset strikes again).

WIP merge request is linked.
Comment 2 Björn Jacke 2021-12-07 16:18:59 UTC 
*** Bug 12236 has been marked as a duplicate of this bug. ***
Comment 3 Björn Jacke 2021-12-07 17:14:27 UTC 
*** Bug 9542 has been marked as a duplicate of this bug. ***
Comment 4 Björn Jacke 2021-12-07 17:19:04 UTC 
*** Bug 10606 has been marked as a duplicate of this bug. ***
Comment 5 Björn Jacke 2021-12-07 17:19:39 UTC 
*** Bug 11309 has been marked as a duplicate of this bug. ***