Полезные фильтры для LDAP запросов в AD

https://podalirius.net/en/articles/useful-ldap-queries-for-windows-active-directory-pentesting/

List all users

To do this we select all the users ((objectClass=user)) and all the people ((objectClass=person)) of the LDAP:

(&(objectCategory=person)(objectClass=user))  

List of all kerberoastables users

To do this we select all the users ((objectClass=user)) having a Service Principal Name (SPN) defined ((servicePrincipalName=*)) and we remove from our results:

• The user krbtgt (which by definition has an SPN) with the filter (!(cn=krbtgt)).
• Disabled users, with the filter (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Which gives us:

(&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))  

List of all asrep-roastables users

To do this we select all the users ((objectClass=user)) that have "Do not require Kerberos preauthentication" flag set in their userAccountControl:

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))  

Find all Users that need to change password on next login.

(&(objectCategory=user)(pwdLastSet=0))  

Find all Users that are almost Locked-Out

(&(objectCategory=user)(badPwdCount>=4))  

Find all Users with *pass* or *pwd* in their description

(&(objectCategory=user)(|(description=*pass*)(description=*pwd*)))  

List of all users protected by adminCount

The adminCount attribute specifies that a given object has had its access control lists (ACLs) changed to a more secure value by the Active Directory system because it is a member of one of the administrative groups, either directly or transitively.

(&(objectCategory=user)(adminCount=1))  

Groups

List all groups

(objectCategory=group)  

List of all groups protected by adminCount

The adminCount attribute specifies that a given object has had its access control lists (ACLs) changed to a more secure value by the Active Directory system because it is a member of one of the administrative groups, either directly or transitively.

(&(objectCategory=group)(adminCount=1))  

Services

Listing all servicePrincipalName

(servicePrincipalName=*)  

Listing specific services from their servicePrincipalName

To list specific services, we can use the beginning of the servicePrincipalName attribute:

(servicePrincipalName=http/*)  

Here is a few examples of servicePrincipalName:

• ldap/DC01.LAB.local
• kadmin/changepw (of kerberos service CN=krbtgt,CN=Users,DC=LAB,DC=local)
• MSSQLSvc/DC01.LAB.local

Computers

Listing all computers with a given Operating System

For example to list all the machines under Windows XP:

(&(objectCategory=Computer)(operatingSystem=Windows XP*))  

With operatingSystem in:

• Windows Server 2022*
• Windows Server 2019*
• Windows Server 2016*
• Windows Server 2008*
• Windows 11*
• Windows 10*
• Windows 8*
• Windows 7*
• Windows Vista*
• Windows XP*
• Windows Server 2003*
• Windows 2000*

Find all Workstations

(sAMAccountType=805306369)  

Find all computers having a KeyCredentialLink

This is useful to check for shadow credentials on machine accounts:

(&(objectClass=computer)(msDS-KeyCredentialLink=*))  

Find all computers having an Obsolete OS

(&(objectCategory=Computer)(|(operatingSystem=Windows 2000*)(operatingSystem=Windows Vista*)(operatingSystem=W

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

WSL ansible и правильные права на локальные диски

Linux права на диске C или D
Create this file in your wsl: /etc/wsl.conf

Content:

[automount]
enabled = true
mountFsTab = false
root = /mnt/
options = "metadata,umask=22,fmask=11"

[network]
generateHosts = true
generateResolvConf = true

After that all /mnt/c/foo will have different folder permissions (not 777 any more) and you will be able to use chmod.
It requires you to have the latest WSL as far as I know.

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

Анало ipconfig registerdns в Linux

COMP=$(hostname -s)

DOM=$(hostname -d)

IP=$(hostname -i | cut -f1 -d' ')

DC=$(dig +short m48.dzm | head -n 1)

cat > /var/tmp/nsupdate.txt << EOF

server $DC

zone $DOM

update add ${COMP}.${DOM} 86400 A ${IP}

show

send

EOF

cat /var/tmp/nsupdate.txt

kdestroy

kinit -k ${COMP^^}\$

klist

nsupdate -g -v /var/tmp/nsupdate.txt

pxe boot grub efi legacy bios

grub-mkimage -d /usr/lib/grub/i386-pc/ -O i386-pc-pxe -o ./booti386 -p '(tftp)/grub' pxe tftp
grub-mkimage -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi -o ./bootx64.efi -p '(tftp)/grub' efinet tftp
cp -r /usr/lib/grub/x86_64-efi
and after '/usr/lib/grub/x86_64-efi'
ion.
cp -r /usr/lib/grub/x86_64-efi ./
cp -r /usr/lib/grub/i386-pc ./

grub/grub.cfg

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

kickstart для минимальной установки redos для шаблона proxmox

url --url=http://192.168.126.5/pub/iso/redos/7.3

lang en_US

keyboard --xlayouts='us'

timezone Europe/Moscow

zerombr

clearpart --all --initlabel

bootloader --location=mbr --append="net.ifnames=0"

autopart --type=plain

network --bootproto=dhcp --device=link --activate --onboot=on

firstboot --disable

#selinux

#selinux --enforcing

selinux --permissive

#selinux --disabledfirewall --enabled --ssh

#firewall

#firewall --enabled

firewall --disabled

authconfig --enableshadow --passalgo=sha512

#rootpw --plaintext redos --lock

rootpw --lock

#user --name=redos --groups=wheel --password=redos --gecos="defaultuser"

#sshkey --username=appc "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA7YUTXCKAMavLy98/Kep6eDKK2NyVEc/kUklZUbBubg4DfFHDO2KDXtFN7uq8HPcYR7uqFLqkRijhBwJbnPGLpp2mA+iOHLpJvD/tGpDyNt/ImM0hQG3+dzPLtvzc9Ln5mY2RUfOUTFEx7dqGVuwPQXMhZLCEkpIcGicPTpdG0CIu/GdELUtwgrZZ+reNXMG82VnFBVDZObL7H1YsmrgyyWBUMAzwf+EeUFk9Q4k8qsV8utONo3AvscaESxyt5UDvVuV7PrPxp28a03k9ybMMrXjPzuEaM2P0pxGT0VsIoR/fG78MwkSPTveX0QgDU4gBihOAcH2/2WHGBE+1pr9saw== appc@appc-pc"

#sshkey --username=root "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA7YUTXCKAMavLy98/Kep6eDKK2NyVEc/kUklZUbBubg4DfFHDO2KDXtFN7uq8HPcYR7uqFLqkRijhBwJbnPGLpp2mA+iOHLpJvD/tGpDyNt/ImM0hQG3+dzPLtvzc9Ln5mY2RUfOUTFEx7dqGVuwPQXMhZLCEkpIcGicPTpdG0CIu/GdELUtwgrZZ+reNXMG82VnFBVDZObL7H1YsmrgyyWBUMAzwf+EeUFk9Q4k8qsV8utONo3AvscaESxyt5UDvVuV7PrPxp28a03k9ybMMrXjPzuEaM2P0pxGT0VsIoR/fG78MwkSPTveX0QgDU4gBihOAcH2/2WHGBE+1pr9saw== appc@appc-pc"

%packages --multilib --ignoremissing

@Core

cloud-init

qemu-guest-agent

#net if name eth0 net.ifnames=0

-biosdevname

%end

#%post --nochroot --erroronfail --log=/tmp/ks-post.log

%post --erroronfail --log=/tmp/ks-post.log

echo post $(pwd)

#rootdir="/mnt/sysimage"

rootdir=""

echo issue

echo "\4" >> $rootdir/etc/issue

echo "\6" >> $rootdir/etc/issue

echo "" >> $rootdir/etc/issue

echo sudo

#echo "redos ALL:(ALL) NOPASSWD:ALL" > /etc/sudoers.d/redos

cat > $rootdir/etc/cloud/cloud.cfg.d/90-redos.cfg << EOF

datasource_list: [ NoCloud, ConfigDrive, None ]

runcmd:

  - rm -f /etc/machine-id

  - systemd-machine-id-setup

# System and/or distro specific settings

# (not accessible to handlers/transforms)

system_info:

   # This will affect which distro class gets used

   distro: redos

   # Default user name + that default users groups (if added/used)

   default_user:

     name: redos

     lock_passwd: True

     gecos: RedOS Cloud User

     groups: [wheel]

     sudo: ["ALL=(ALL) NOPASSWD:ALL"]

     shell: /bin/bash

   # Other config here will be given to the distro class and/or path classes

   paths:

      cloud_dir: /var/lib/cloud/

      templates_dir: /etc/cloud/templates/

   network:

      renderers: ['netplan', 'networkd', 'etcnet']

   ssh_svcname: sshd

EOF

%end

services --enabled=cloud-init,cloud-config,cloud-final,cloud-init-local

#метод завершения установки

#reboot

shutdown

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

Посмотреть список адресов в табличном виде powershell

ForEach-Object { Get-NetIPAddress -AddressFamily ipv4 } | Format-Table InterfaceIndex,InterfaceAlias,IPAddress

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

VYOS 1.5 qcow2

Собирал на ВМ с Debian 12

https://codingpackets.com/blog/vyos-qemu-image-build/

https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202312191154/vyos-1.5-rolling-202312191154-amd64.iso

sudo ansible-playbook qemu.yml \
   -e disk_size=10 \
   -e cloud_init=true \
   -e cloud_init_ds=NoCloud,ConfigDrive,None \
   -e guest_agent=qemu \
   -e keep_user=false \
   -e enable_ssh=true \
   -e iso_local=/home/appc/vyos-1.5-rolling-202312191154-amd64.iso

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

SSTP + DST NAT NGINX APACHE share tcp 443

Взято вот туть:

https://forum.mikrotik.com/viewtopic.php?f=9&t=134358#

/interface sstp-server server set certificate=vpn.company.com.crt_0 enabled=yes port=10443
# добавим в список sstp-conn пакеты пришедшие на порт 443 для tls-host

/ip firewall mangle add \

action=add-src-to-address-list \

address-list=sstp-conn \
address-list-timeout=5s \

chain=prerouting \
dst-address-type=local \

dst-port=443 \

protocol=tcp \
tls-host=vpn.company.com

#отправим все пакеты заменим порт назначения 443 на порт 10443 в пакетах пришедших с адресов из списка sstp-vpn
/ip firewall nat add \

action=dst-nat \

chain=dstnat \

dst-address-type=local \
dst-port=443 \

protocol=tcp \

src-address-list=sstp-conn \
to-ports=10443

# правило для публикации веб сервера

/ip firewall nat add \

action=dst-nat \

chain=dstnat \

dst-address-type=local \
dst-port=80,443 \

protocol=tcp \

to-addresses=192.168.88.2

# чтобы наше правило в таблице mangle работало каждый раз, надо модифицировать fasttrack

# отключим fasttrack для пакетов идущих на адрес 443 (правило должно быть выше в списке чем правило fasttrack

/ip firewall filter add chain=forward dst-port=443 connection-state=established,related
# или будем fasttrack только те соединения которые уже набрали хотя бы 10 килобайт, тогда надо заменить правло с fasttrack

/ip firewall filter add action=fasttrack-connection chain=forward connection-bytes=10240-0 connection-state=established,related

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

Добавить открытый ssh ключ пользователю на микротике

#add ssh pub key to user
:local username "aratner";
:local userpubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8z/rBphuDpGKHpcDtWDISCZFWybdH3fSKzVxWouLG0JuEhqZSpJT9Hd+16teA8daRPb1gY+l9+mRnCqTVDKxpnMq7jkjlfNKQPunDHhr3u7JDjeBel2JrgXs/GANMSbxyC5aRNP7XYs4TooRDUFr0XXvdglcYyP+34I0M+p9m94taK1q5FtL+JrpRXXGnhYzQn/GaV0rM9Qj21GFVWPfuqqG8wWwhaYPkeibJNhMcBy+qKRK0fIiklv68fWmIwd0Os9qEAJ4XTuVP8yfKR/Cu1hXPm/4+9JfXaw3Lh9e/J54NkRcyeT3wb0BgOpXMXnexl6HTUK59EcMaLGEaU+4F aratner@croc.ru";
#create file
/file print file="$username_sshpubkey";
#create file with key
/file set "$username_sshpubkey.txt" contents="$userpubkey";
#set key for user
/user ssh-keys import user="$username" public-key-file="$username_sshpubkey.txt";

#mkirotik #ssh

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

gnome chrome dock

Создаём для каждого профиля "ярлык"

chrome-profile-name=gmail-chrome

cat > $HOME/Desktop/$chrome-profile-name.desktop << EOF
[Desktop Entry]
Version=1.0
Name=$chrome-profile-name
GenericName=$chrome-profile-name
Exec=/usr/bin/google-chrome --user-data-dir=$HOME/$chrome-profile-name  --class="$chrome-profile-name"
Icon=$HOME/$chrome-profile-name/icon.png
StartupWMClass=$chrome-profile-name
Comment=Chromium Alternate
Terminal=false
X-MultipleArgs=false
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml_xml;x-scheme-handler/http;x-scheme-handler/https;
StartupNotify=true
Actions=NewWindow;Incognito;TempProfile;
X-AppInstall-Package=chromium-browser
EOF

Это нужно, чтобы хромы запущенные с разными профилями вели себя как разные приложения в доке.

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

netboot.xyz podman

storage="/rpool/containers"
newpodname="netbootxyz"
newpodlocalpath="$storage/$newpodname"

mkdir -p $newpodlocalpath/{config,assets}

podman run -d \
  --name=$newpodname-app \
  -p 3000:3000                       `# sets webapp port` \
  -p 69:69/udp                       `# sets tftp port` \
  -p 8069:80                         `# optional` \
  -v $newpodlocalpath/config:/config   `# optional` \
  -v $newpodlocalpath/assets:/assets   `# optional` \
  --restart unless-stopped \
  docker.io/netbootxyz/netbootxyz

cd /etc/systemd/system
podman generate systemd --files --name ${ $newpodname}-app
systemctl daemon-reload
systemctl enable container-${newpodname}-app
systemctl stop  container-${newpodname}-app
systemctl start  container-${newpodname}-app

#    -e MENU_VERSION=2.0.59             `# optional` \
#  --pod=$newpodname \

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

nexus podman

storage="/rpool/containers"
newpodname="nexus"
newpodlocalpath="$storage/$newpodname"

podman pod create \
  --name $newpodname \
  -p 8081:8081

mkdir -p "$newpodlocalpath/data"
chown -R 200:200 "$newpodlocalpath/data"
podman run -d \
  --pod $newpodname \
  --name $newpodname-app \
  -v $newpodlocalpath/data:/nexus-data \
  docker.io/sonatype/nexus3

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}
systemctl daemon-reload
systemctl enable pod-${newpodname}
systemctl stop pod-${newpodname}
systemctl start pod-${newpodname}

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

Nginx Proxy Manager podman

storage="/rpool/containers"
newpodname="npm"
newpodlocalpath="$storage/$newpodname"
newpodmysqldb="npmdb"
newpodmysqluser="npmuser"
newpodmysqlpass="FdGawCetmok4"

podman pod create \
  --name $newpodname \
  -p 80:80 \
  -p 443:443 \
  -p 81:81

mkdir -p "$newpodlocalpath/data"
mkdir -p "$newpodlocalpath/letsencrypt"
podman run -d \
  --name=${newpodname}-npm \
  --pod=${newpodname} \
  -e DB_SQLITE_FILE=/data/database.sqlite \
  -e DISABLE_IPV6='true' \
  -v $newpodlocalpath/data:/data \
  -v $newpodlocalpath/letsencrypt:/etc/letsencrypt \
  docker.io/jc21/nginx-proxy-manager:latest

cd /etc/systemd/system
podman generate systemd --files --name ${newpodname}
systemctl daemon-reload
systemctl enable pod-${newpodname}
systemctl stop pod-${newpodname}
systemctl start pod-${newpodname}

version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
      # Add any other Stream port you want to expose
      # - '21:21' # FTP

    # Uncomment the next line if you uncomment anything in the section
    # environment:
      # Uncomment this if you want to change the location of
      # the SQLite DB file within the container
      # DB_SQLITE_FILE: "/data/database.sqlite"

      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'

    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

Почему "геймерские" клавы не работают с КВМ свичом

Ответ нашёлся тут:

https://superuser.com/questions/1558951/why-dont-gaming-keyboards-typically-work-with-kvm-switches

USB keyboard protocol is limited to 6 keys pressed simultaneously + 3 modifier keys. To bypass this limitation, some keyboards report to the computer as a USB hub with multiple keyboards connected to it.

If your KVM switch was just directly passing through its USB port to the active computer, it would work fine, but this approach has two disadvantages:

You can't switch computers using keyboard shortcuts because the KVM doesn't interact with the keyboard, or whatever else is connected to USB.
Switching between computers disconnects USB device from one computer and connects it to the other. This will trigger USB (dis)connection sounds and may cause a short delay until devices start working after the switch.
To solve these problems, switches take over keyboard communication and pretend to be a permanently connected keyboard for each computer. Keystrokes are passed through to active computer or intercepted if they're recognized by the KVM as a special command.

For this feature to work, the connected device must actually be a keyboard - KVM doesn't implement complete USB protocol including hub support. So if the keyboard reports as a hub, the KVM may not know what to do with it.

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

samba-tool delegation

Делегировать группе полные права на OU

OUDN="OU=_OU3,DC=alt,DC=aratner,DC=ru"

GROUPSID=""

samba-tool dsacl set --objectdn=$OUDN --sddl="(OA;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;$GROUPSID)"

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

Делегирование АД

https://blog.stevecoinc.com/2017/04/delegating-domain-join-privileges-in.html?m=1

Delegating domain join privileges in Samba 4 from the command line (or not)

I'm trying to solve a bit of a mystery. I'd like to set up Samba 4 without using Windows. Most things seem to be possible, but I can't figure out how to delegate domain join privileges. Unfortunately, even the official documentation specifically references ADUC.

So I did some digging into what it would take to delegate domain join privileges without a Windows system. After several dead ends, I ran across this page: https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=48

The important bit of that page is this script that uses the Windows command-line tool dsacls:

$user = 'gps\SCCM Client Computer Joiners'  $ou = 'OU=SCCM Test Clients,OU=SCCM,OU=Service,OU=Company,DC=gopas,DC=virtual'    DSACLS $ou /R $user    DSACLS $ou /I:S /G "$($user):GR;;computer"  DSACLS $ou /I:S /G "$($user):CA;Reset Password;computer"  DSACLS $ou /I:S /G "$($user):WP;pwdLastSet;computer"  DSACLS $ou /I:S /G "$($user):WP;Logon Information;computer"  DSACLS $ou /I:S /G "$($user):WP;description;computer"  DSACLS $ou /I:S /G "$($user):WP;displayName;computer"  DSACLS $ou /I:S /G "$($user):WP;sAMAccountName;computer"  DSACLS $ou /I:S /G "$($user):WP;DNS Host Name Attributes;computer"  DSACLS $ou /I:S /G "$($user):WP;Account Restrictions;computer"  DSACLS $ou /I:S /G "$($user):WP;servicePrincipalName;computer"  DSACLS $ou /I:S /G "$($user):CC;computer;organizationalUnit"

samba-tool has a subcommand dsacl set that I thought might be able to accomplish the same task. After a lot of work trying to get the arguments correct, I got to this point:

[root@dc1 ~]# samba-tool dsacl set --action=allow --objectdn='cn=Computers,dc=samba4,dc=local' --trusteedn='cn=Domain Join,cn=Users,dc=samba4,dc=local' --sddl='GR;;computer' --realm=SAMBA4.LOCAL -U administrator --password="$( cat /root/.password )"
new descriptor for cn=Computers,dc=samba4,dc=local:
O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dsacl.py", line 174, in run
    self.add_ace(samdb, objectdn, new_ace)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dsacl.py", line 129, in add_ace
    desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))

So... I think the arguments to dsacls are some kind of "friendly" names that resolve to UUIDs or SIDs or something on the back end, but I can't figure out how to do the mapping.

Appreciating you putting your thoughts out there. This helped me get started on the problem and I think I figured it out. I ended up using the Windows GUI to make the delegation per Samba's instructions and compared the changes before/after to get this:

SID="GroupSIDHere"
samba-tool dsacl set --action=allow --objectdn='cn=Computers,dc=directory,dc=example,dc=com' --sddl="(OA;CI;CCDC;BF967A86-0DE6-11D0-A285-00AA003049E2;;$SID)(OA;CIIO;SWWP;F3A64788-5306-11D1-A9C5-0000F80367C1;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)(OA;CIIO;SWRPWP;72E39547-7B18-11D1-ADEF-00C04FD8D5CD;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)(OA;CIIO;RPWP;4C164200-20C0-11D0-A768-00AA006E0529;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)(OA;CIIO;CR;00299570-246D-11D0-A768-00AA006E0529;BF967A86-0DE6-11D0-A285-00AA003049E2;$SID)"

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090

letsencrypt mikrotik

:local dnsName vpn.dom.ru
:local certName "$dnsName.cer"
:local certFullChain "$certName,1_.cer,0_.cer"
:local ipsecIdentityComment $dnsName
:local Comment letsencrypt

log info "[LE] enable www"
/ip/service/enable www
/ip/firewall/filter/enable [ find where comment="letsencrypt" ]

log info "[LE] updating cert for $dnsName"
/certificate enable-ssl-certificate dns-name=$dnsName

:log info "[LE] disable www"
/ip/service/disable www
/ip/firewall/filter/disable [ find where comment="letsencrypt" ]

:log info "[LE] rename cert to $certName "
/certificate/set numbers=[/certificate/find where common-name=$dnsName] name="$certName"
:log info "[LE] setup cert for sstp server"
/interface/sstp-server/server/set certificate="$certName"
:log info "[LE] setup cert for ipsec identity"
/ip/ipsec/identity/set numbers=[find where comment=$ipsecIdentityComment] certificate=$certFullChain

Ратнер Арсений, arsenyratner@gmail.com, 7 985 273 2090