The Samba-Bugzilla – Bug 7403
ACL module: Permission denied when creating a site as non-default administrator
Last modified: 2011-01-18 14:45:52 UTC
At the opposite it's the case in Windows 2008r2.
After tracing a xp client talking to a w2k8r2 server, it appear that the client is creating the site object + the server container and the NTDS Site setting.
Something in the s4 answers didn't invite an xp client to do the same.
It turns out that with a user of the "Domain admins" group you can create a site but the NTDS and Server container are forbidden (Access control denied).
Nadia, could you look at this: when some member of the "Domain Admins" group but not the default admin tries to create a site, only the site object itself but not the underlying containers (NTDS Settings, Servers, Licensing) will be created.
Reason: ACL module: insufficient access rights
Will take a look, thanks.
Nadia, I've detected the problem:
The Sites container on Windows Server doesn't use the unmodified default security descriptor from the schema. It removes from it the "Domain Admins" full permission ACE and instead adds a special permission ACE for the "Enterprise Admins".
We will somehow need to match this behaviour - but no idea why MS chose to override the default security descriptor.
Well, I've managed to fix the security descriptor of the "CN=Sites" object we setting a manual one as it is apparently done also on Windows.
Now you are able to create sites when you are an enterprise administrator (member of "Enterprise Admins" group).
The membership of the "Domain Admins" group alone still doesn't work since there is a bug in the security descriptor inheritance: if you have the ONLY_INHERITED flag set then normally it isn't copied to the child objects (to illustrate this think at "this matters for all my children but not for me" then the children should say "this matters for all my own children and me").
Nadya would be nice if you could fix this in "create_descriptor.c".
The Inherit Only flag does not have any effect on whether the ACE is passed on to the children, it only means that the ACE does not apply to the current object, at least that is my understanding. Inheritance depends only on CI, OI or P flags. I will take a look of course but I do not think this is the issue...
Nadya: I've noticed that with commit 980f68a6f26070270313a4c7a4c0430f2bb3f078 the ACL inheritance behaviour changed. But now we differ even more from the "ideal" security descriptor for "CN=Sites" than before - so the inheritance is still somehow wrong.
Please assure yourself with an ldbsearch with attribute "nTSecurityDescriptor" against both s4 and Windows on CN=Sites,CN=Configuration,DC=...
Matthias: I am currently working to assure inheritance is correct. The commit you mention is absolutely necessary to provide correct behavior, as proven by the tests I included. The difference is caused by another issue I am currently fixing, and is not a result of the last commit.
Ah thanks - don't worry. I wanted only to publish my results from the last investigation.
(In reply to comment #8)
> Matthias: I am currently working to assure inheritance is correct. The commit
> you mention is absolutely necessary to provide correct behavior, as proven by
> the tests I included. The difference is caused by another issue I am currently
> fixing, and is not a result of the last commit.
I think we are done with this one.
Possibly there could be some way to later remove the from my side manually introduced "CN=Sites" descriptor - when Nadya has all differences fixed.