Hi everyone, there is a SID S-1-5-21-2848215498-2472035911-1947525656-498 in the default schema definition of the Sam-Domain and Domain-DNS objects, which was added 13 years ago in https://gitlab.com/samba-team/samba/-/commit/ad11deb9bd825d699e2b6799b40d98c28c95910e. I don't think it is a security bug per se, but it does not look good when auditing tools flag the security descriptor as non-standard. The security descriptor in the Windows documentation does not reference this SID: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adsc/9abb5e97-123d-4da9-9557-b353ab79b830 https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-ADSC/%5bMS-ADSC%5d.pdf Cheers, Denis
(In reply to Denis Cardon from comment #0) Something similar happens during adprep triggered in a pure Windows environment... (which doesn't make it any better), but as we don't support SID filtering at all yet, this is not a security problem in Samba domains.
Hi Metze, thanks for your input! After some more investigation, it looks like the SID should be S-1-5-domain-sid-498, while in Samba it is hardcoded to be S-1-5-21-2848215498-2472035911-1947525656-498 (as per the source4/setup/ad-schema/MS-AD_Schema_2K8_R2_Classes.txt file referenced in the initial bug report). Cheers, Denis
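The check an auditing tool performs on this descriptor, as an added example that is not part of the bug report and not Samba's own code: scan the SDDL form of a security descriptor for domain-relative SIDs (S-1-5-21-...) whose domain part is not the local domain's SID, and rewrite them so the same RID is rebased onto the local domain SID, which is what the thread concludes the default should be (S-1-5-<domain-sid>-498; RID 498 is the well-known RID of the Enterprise Read-only Domain Controllers group). The SDDL string and the local domain SID below are constructed for the example; only the hardcoded SID is taken from the thread.

```python
import re

# Matches a SID in string form: S-1-<authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# The SID quoted in the bug report; the last sub-authority (498) is the RID.
HARDCODED_SID = "S-1-5-21-2848215498-2472035911-1947525656-498"

# Assumed local domain SID for the example (constructed, not a real domain).
LOCAL_DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"

# Constructed sample descriptor, NOT the real Samba default: three ACEs, one of
# them granting rights to the hardcoded RID-498 SID from the bug report and one
# granting the same rights to the local domain's RID-498 SID.
SAMPLE_SDDL = (
    "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPLCLORC;;;" + HARDCODED_SID + ")"
    "(A;;RPLCLORC;;;" + LOCAL_DOMAIN_SID + "-498)"
)


def split_domain_sid(sid):
    """Split an account SID S-1-5-21-a-b-c-rid into (domain SID, RID).

    Returns (None, None) for anything that is not a domain-relative account
    SID, e.g. builtin SIDs such as S-1-5-32-544 or a bare domain SID with no RID.
    """
    parts = sid.split("-")
    # S, 1, 5, 21, a, b, c, rid -> exactly eight components
    if len(parts) != 8 or not sid.startswith("S-1-5-21-"):
        return None, None
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def find_foreign_domain_sids(sddl, local_domain_sid):
    """Return the domain-relative SIDs in sddl whose domain is not local_domain_sid.

    This is the condition an auditing tool would report as a non-standard
    descriptor: a trustee from some other domain baked into the ACL.
    """
    foreign = []
    for sid in SID_RE.findall(sddl):
        domain, _rid = split_domain_sid(sid)
        if domain is not None and domain != local_domain_sid:
            foreign.append(sid)
    return foreign


def rebase_sddl(sddl, local_domain_sid):
    """Rewrite every foreign domain-relative SID to the same RID under local_domain_sid.

    Well-known and builtin SIDs, and SIDs already in the local domain, are left
    untouched. This is an illustrative fix, not a patch to Samba's schema files.
    """
    def repl(match):
        sid = match.group(0)
        domain, rid = split_domain_sid(sid)
        if domain is None or domain == local_domain_sid:
            return sid
        return f"{local_domain_sid}-{rid}"

    return SID_RE.sub(repl, sddl)


if __name__ == "__main__":
    for sid in find_foreign_domain_sids(SAMPLE_SDDL, LOCAL_DOMAIN_SID):
        print("foreign trustee:", sid)
    print(rebase_sddl(SAMPLE_SDDL, LOCAL_DOMAIN_SID))
```

On the constructed descriptor only the hardcoded SID is reported, and after rebasing both RID-498 ACEs name the local domain's Enterprise Read-only Domain Controllers SID. The same scan run over a real descriptor exported with `samba-tool` or `ldbsearch` would flag the SID from the bug report on every Samba domain whose SID is not S-1-5-21-2848215498-2472035911-1947525656.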