Bug 6757 - Unable to change rights on GPO objects through Group Policy Management
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Blocks: 6600 6756
Reported: 2009-09-24 08:26 UTC by Matthieu Patou
Modified: 2009-12-22 05:40 UTC

Description Matthieu Patou 2009-09-24 08:26:08 UTC
With samba4 git f8425b73.

In the delegation tab on the default domain policy it's impossible to add or remove users/groups because the buttons are greyed out.
It's also impossible to change current rights by clicking "Advanced..." because I receive the message "access denied".

This used to work because in a domain running samba 4 alpha 8 I'm able to open and change security attributes.
Comment 1 Matthieu Patou 2009-09-24 08:30:08 UTC
It seems that there are some problems in the ACL parsing or analysis, because even with the following "simple" ACL

I have messages like this in the samba4 log

rpc_server/handles.c:102: Attempt to use invalid sid S-104-946160395-2048-188210192-188967552-186481936-183647040-176616752-183648560-186479928-186483656-1337743563-1122048363-1117420715-728709294-186483120-186113504-186479248-186480904-1-0-81-188209088-188486040-0-0-0-0-188347096-24-3893693552-0-188966728-0-775040561-774911032-892547377-825112117-825111598-3420213-0-17-188210224-188485888-16-64-183057752-188347208-0-0-0-0-145532968-9-3893693552-0-3893693555-0-1952541798-1701667150-146519040-65-188347144-188967368-0-0-0-0-145532968-11-3893693552-0-146519216-145570916-1836020326-1987208531-134247013-25-189551496-188966800-0-1-24-80-0-188347880-0-0-0-0-146453993-27-3893693552-0-3893693555-0-1600283756-1969516397-540697964-1819305330-1952804191-1633967969-184574324-81-0-0-188224728-0-0-0-146453993-25-3893693552-0-1836020326-1987208531-1600283756-1969516397-540697964-1953721961-1701015137-1701869940-0-73-188224728-188964552 - S-1-5-21-1659840699-917084258-2121701263-500

rpc_server/handles.c:102: Attempt to use invalid sid (SID ERR) - S-1-5-21-1659840699-917084258-2121701263-500

The test is done with the domain administrator.
Even with this ACL O:DOMAIN_SID-512G:DOMAIN_SID-512D:PAI(A;CI;0x001f01ff;;;DOMAIN_SID-512), which gives full power to the domain admins group, I have the same error message.

Comment 2 Matthieu Patou 2009-09-25 02:31:12 UTC
The ACL problem seems related to a change in IDL. A make clean and a full rebuild fixed those errors.

The main problem remains: even if the administrator is the owner of the ACL, he is not able to change things even with the full powers.
Comment 3 Matthias Dieter Wallnöfer 2009-09-25 05:51:00 UTC
I also CC Nadezha on those bugs since she is our AD ACL expert.
Comment 4 Matthias Dieter Wallnöfer 2009-09-28 10:57:01 UTC
This should also work now, please close!
Comment 5 Matthieu Patou 2009-10-04 16:04:08 UTC
No, it is still not working completely.
When clicking on "advanced" we are prompted with a dialog box, but you can't add a group or remove one or change rights on an existing one!
Comment 6 Matthieu Patou 2009-10-11 10:41:57 UTC
It seems that we need to implement sDrightEffective (http://msdn.microsoft.com/en-us/library/cc223413%28PROT.13%29.aspx).
After setting this attribute manually through ldbedit to 15, GPMC allows the user to change rights on users.
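
Added example, not part of the bug comments and not Samba's code: the value 15 set in comment 6 is the OR of the four SECURITY_INFORMATION bits (owner 1, group 2, DACL 4, SACL 8), and the sketch below is a simplified model of how a server could derive it (the attribute is spelled sDRightsEffective in MS-ADTS) from the DACL quoted in comment 1. The struct, the function names, the token contents and the deny ACE are assumptions made for illustration; inheritance flags and the owner's implicit rights are ignored.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access-mask bits (Windows standard rights). */
#define WRITE_DAC   0x00040000u
#define WRITE_OWNER 0x00080000u
/* SECURITY_INFORMATION bits returned in sDRightsEffective. */
#define OWNER_SI 0x1u
#define GROUP_SI 0x2u
#define DACL_SI  0x4u
#define SACL_SI  0x8u

struct ace { int allow; uint32_t mask; const char *sid; };

/* Constructed token: the administrator and the Domain Admins group. */
static const char *admin_token[] = { "DOMAIN_SID-500", "DOMAIN_SID-512" };
/* DACL from comment 1: (A;CI;0x001f01ff;;;DOMAIN_SID-512). */
static const struct ace page_dacl[] = { { 1, 0x001f01ffu, "DOMAIN_SID-512" } };
/* Constructed variant: an explicit deny of WRITE_DAC placed first. */
static const struct ace deny_dacl[] = {
    { 0, WRITE_DAC,   "DOMAIN_SID-500" },
    { 1, 0x001f01ffu, "DOMAIN_SID-512" } };

static int in_token(const char *sid) {
    for (size_t i = 0; i < sizeof admin_token / sizeof *admin_token; i++)
        if (strcmp(sid, admin_token[i]) == 0) return 1;
    return 0;
}

/* Walk ACEs in order; the first ACE that mentions a bit decides it.
 * has_security_priv models SeSecurityPrivilege (needed for the SACL). */
uint32_t sd_rights_effective(const struct ace *dacl, size_t n, int has_security_priv) {
    uint32_t granted = 0, denied = 0, flags = 0;
    for (size_t i = 0; i < n; i++) {
        if (!in_token(dacl[i].sid)) continue;
        if (dacl[i].allow) granted |= dacl[i].mask & ~denied;
        else               denied  |= dacl[i].mask & ~granted;
    }
    if (granted & WRITE_OWNER) flags |= OWNER_SI | GROUP_SI;
    if (granted & WRITE_DAC)   flags |= DACL_SI;
    if (has_security_priv)     flags |= SACL_SI;
    return flags;
}

int main(void) {
    printf("page DACL, admin: %u\n", sd_rights_effective(page_dacl, 1, 1));
    printf("deny WRITE_DAC:   %u\n", sd_rights_effective(deny_dacl, 2, 1));
    return 0;
}
```

A client such as GPMC that reads a value without the DACL bit (4) has no reason to enable its permission-editing controls, which matches the greyed-out buttons in the description.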
Comment 7 Matthieu Patou 2009-12-22 05:40:33 UTC
This changeset 56b754e09ad5cd926e1dd0747252b7c359294938 fixes the problem completely (a good ACL was also needed, but it was already introduced before)