Hi everyone,

there is a SID S-1-5-21-2848215498-2472035911-1947525656-498 in the default schema definition of the Sam-Domain and Domain-DNS objects, which was added 13 years ago in https://gitlab.com/samba-team/samba/-/commit/ad11deb9bd825d699e2b6799b40d98c28c95910e

I don't think it is a security bug per se, but it does not look good when auditing tools flag the security descriptor as non-standard.

The security descriptor in the Windows doc does not reference this SID:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adsc/9abb5e97-123d-4da9-9557-b353ab79b830
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-ADSC/%5bMS-ADSC%5d.pdf

Cheers,
Denis
(In reply to Denis Cardon from comment #0)

Something similar happens during adprep triggered in a pure Windows environment... (which doesn't make it any better), but as we don't support SID-Filtering at all yet, this is not a security problem in Samba domains.
Hi Metze,

thanks for your input! After some more investigation, it looks like the SID should be S-1-5-domain-sid-498, while in Samba it is hardcoded to be S-1-5-21-2848215498-2472035911-1947525656-498 (as per the source4/setup/ad-schema/MS-AD_Schema_2K8_R2_Classes.txt file referenced in the initial bug report).

Cheers,
Denis
I guess we want the string "RO".

I see we have all of these:

MS-AD_Schema_2K8_R2_Classes.txt: S-1-5-21-2848215498-2472035911-1947525656-498
Classes_for_AD_DS__Windows_Server_2008_R2.ldf: S-1-5-21-3826996545-2955106365-1559736734-498
Classes_for_AD_DS__Windows_Server_2012.ldf: S-1-5-21-3934771932-3278152359-543699747-498
AD_DS_Classes__Windows_Server_2012_R2.ldf: S-1-5-21-1419929373-1327843497-4227689449-498
AD_DS_Classes__Windows_Server_2016.ldf: S-1-5-21-2063560558-3296776465-833389195-498
AD_DS_Classes__Windows_Server_v1803.ldf: S-1-5-21-2159567482-1874458502-4201521111-498
AD_DS_Classes_Windows_Server_v1903.ldf: S-1-5-21-3516728528-1120570704-3572002616-498
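The "RO" alias suggestion above, as an added audit helper that is not Samba's code: it scans an SDDL string for literal S-1-5-21 trustees whose domain part differs from the domain being audited (the symptom auditing tools flag), and rewrites a literal <domain>-498 trustee to the domain-relative RO alias. The sample SDDL and the local domain SID are constructed; only the foreign SID comes from the report.

```python
import re

# Well-known RID of Enterprise Read-only Domain Controllers and its SDDL alias
ENTERPRISE_RODC_RID = 498
ENTERPRISE_RODC_ALIAS = "RO"

# A full domain SID: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")
# One SDDL ACE string between parentheses
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sid(sid):
    """Return (domain part, RID) for a SID such as S-1-5-21-a-b-c-498."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def find_foreign_sids(sddl, expected_domain_sid):
    """Return literal domain-SID trustees in the ACEs that belong to another domain."""
    foreign = []
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # not a well-formed ACE string; skip rather than guess
        trustee = fields[5]
        if not DOMAIN_SID_RE.fullmatch(trustee):
            continue  # alias such as "DA" or a non-domain SID: domain-relative already
        domain, _rid = split_sid(trustee)
        if domain != expected_domain_sid:
            foreign.append(trustee)
    return foreign


def rewrite_with_aliases(sddl):
    """Replace every literal <domain>-498 SID in the descriptor with the RO alias."""
    def replace(match):
        _domain, rid = split_sid(match.group(0))
        return ENTERPRISE_RODC_ALIAS if rid == ENTERPRISE_RODC_RID else match.group(0)
    return DOMAIN_SID_RE.sub(replace, sddl)


# Constructed sample: the hardcoded SID from the report inside a made-up ACE
SAMPLE_SDDL = ("O:DAG:DAD:(A;;RPLCLORC;;;DA)"
               "(A;;RPLCLORC;;;S-1-5-21-2848215498-2472035911-1947525656-498)")
# Constructed: SID of the domain being audited (not the one baked into the schema file)
LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

if __name__ == "__main__":
    print("foreign trustees:", find_foreign_sids(SAMPLE_SDDL, LOCAL_DOMAIN_SID))
    print("rewritten:", rewrite_with_aliases(SAMPLE_SDDL))
```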