The Samba-Bugzilla – Bug 6757
Unable to change rights on GPO objects through Group Policy Management
Last modified: 2009-12-22 05:40:33 UTC
With samba4 git f8425b73.
In the delegation tab on the default domain policy it's impossible to add or remove users/groups because buttons are greyed.
It's also impossible to change current rights by clicking "Advanced..." because I receive the message access denied.
This used to work because in a domain running samba 4 alpha 8 I'm able to open and change security attributes.
It seems that there is some problems in the ACL parsing or analysing because even with the following "simple" acl
I have message like this in the samba4 log
rpc_server/handles.c:102: Attempt to use invalid sid S-104-946160395-2048-188210192-188967552-186481936-183647040-176616752-183648560-186479928-186483656-1337743563-1122048363-1117420715-728709294-186483120-186113504-186479248-186480904-1-0-81-188209088-188486040-0-0-0-0-188347096-24-3893693552-0-188966728-0-775040561-774911032-892547377-825112117-825111598-3420213-0-17-188210224-188485888-16-64-183057752-188347208-0-0-0-0-145532968-9-3893693552-0-3893693555-0-1952541798-1701667150-146519040-65-188347144-188967368-0-0-0-0-145532968-11-3893693552-0-146519216-145570916-1836020326-1987208531-134247013-25-189551496-188966800-0-1-24-80-0-188347880-0-0-0-0-146453993-27-3893693552-0-3893693555-0-1600283756-1969516397-540697964-1819305330-1952804191-1633967969-184574324-81-0-0-188224728-0-0-0-146453993-25-3893693552-0-1836020326-1987208531-1600283756-1969516397-540697964-1953721961-1701015137-1701869940-0-73-188224728-188964552 - S-1-5-21-1659840699-917084258-2121701263-500
rpc_server/handles.c:102: Attempt to use invalid sid (SID ERR) - S-1-5-21-1659840699-917084258-2121701263-500
The test is done with the domain administrator.
Even with this ACL O:DOMAIN_SID-512G:DOMAIN_SID-512D:PAI(A;CI;0x001f01ff;;;DOMAIN_SID-512) which gives full power to domain admins group I have the same error message.
The acl pb seems related to change in IDL. A make clean and a full rebuild fixed thoses errors.
The main problem remain: even if the administrator is the owner of the acl, he is not able to change things even with the full powers.
I CC also Nadezha to those bugs since she is our AD ACL expert.
This should also work now, please close!
No it is still not working completely.
When clicking on "advanced" we are prompted with a dialog box but you can't add a group or remove one or change rights on an existing one !
It seems that we need to implement sDrightEffective (http://msdn.microsoft.com/en-us/library/cc223413%28PROT.13%29.aspx).
After setting this attribute manually through ldbedit to 15, gpmc allow user to change rights on users.
This changeset 56b754e09ad5cd926e1dd0747252b7c359294938 fix the problem completly (also good acl was need but it was already introduced before)