Bug 9872 - reset-well-known-acls don't reset on all containers
Summary: reset-well-known-acls don't reset on all containers
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Tools (show other bugs)
Version: 4.0.5
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Blocks: 11924
  Show dependency treegraph
Reported: 2013-05-08 15:47 UTC by Marc Muehlfeld
Modified: 2022-09-06 22:08 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Marc Muehlfeld 2013-05-08 15:47:05 UTC

I was playing around with permissions on the directory in my test environment and saw the following:

In ADUC I added a group (account operators) to the security tab of the container CN=System (default permissions read). Then I run

# samba-tool dbcheck --reset-well-known-acls --fix
Checking 867 objects
Reset nTSecurityDescriptor on CN=System,DC=muc,DC=medizinische-genetik,DC=de back to provision default?
        Part dacl is different between reference and current here is the detail:
                (A;;RPLCRC;;;AO) ACE is not present in the reference
 [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=System,DC=muc,DC=medizinische-genetik,DC=de'

Checked 867 objects (1 errors)

This is correct. On CN=System is something that isn't default and I let samba-tool fix it to reset to it's original state. In ADUC, the group I had added is gone now. Also correct.

But now I add the same group, but just to CN=RpcServices,CN=System. Now dbcheck finds nothing to reset:

# samba-tool dbcheck --reset-well-known-acls --fix
Checking 867 objects
Checked 867 objects (0 errors)

I have no way to get back to the initial state if I don't remember what changes I made in that subtree.
Comment 1 Marc Muehlfeld 2013-05-08 16:24:54 UTC
Changes that are detected by 'reset-well-known-acls' and can be resetted to their defaults are on the following containers:
- All self created OUs
- Users
- Computers
- Builtin
- Domain Controllers

Not detected are ACL changes on (and below)
- ForeignSecurityPrincipals
- LostAndFound
- Program Data
- System
- NTDS Quotas
Comment 2 Andrew Bartlett 2013-05-08 19:00:27 UTC
Correct, this tool was only designed to correct the situation where the wrong ACL was applied by default to releases before 4.0.4.  We reset the ACLs that are initialised as specific values on specific distinguished names, but we don't reset ACLs that default from the schema.

The samba_upgradeprovision code has code to do this, and indeed the reason I started to mistrust it was that it was doing so by default, due to an error detecting the Samba versions.
Comment 3 Marc Muehlfeld 2013-05-08 20:55:18 UTC
I'm sorry. Then I misunderstood the parameter. Thanks for clarifying.

I interpreted the --help, that it will reset all ACLs back to default, expecially, because changes I made (like delegations) are also removed.

Maybe you can add some more information to the --help output, to make it more clear or add this parameter with your description to the 'samba-tool' man-page.
Comment 4 Samba QA Contact 2022-09-06 22:08:19 UTC
This bug was referenced in samba master: