Samba 2.2.0 problems editing ACLs via NT/Win9x

Thu Jun 7 16:34:25 GMT 2001

On Thu, 7 Jun 2001, Jim McDonough wrote:

> structure, instead of 2 or 3 on NT).  Here's how I think the request goes
> (borrowing names from other structs in rpc_srvsvc.h):
> uint32  ptr_srv_name;
> UNISTR2 uni_srv_name;
> align to 4 bytes
> uint32  ptr_qual_name;
> UNISTR2 uni_qual_name;
> align to 4 bytes
> UNISTR2 uni_file_name;
> align to 4 bytes
> uint32 unknown; (is 0x00000007 in all my test cases)
> uint32 unknown; (I've only seen 0)
> uint32 unknown; (I've only seen 0)
> uint16 unknown; (my guess is a status code, but others' experiences would
> be appreciated here, only seen 0)
> align to 4 bytes

a status is really strange in a query !

and an alignment at the end of a struct is even more strange.

Rule of thumb: you align BEFORE the data you want to marshall.

> The response gives me more trouble:
> uint32 ?; some kind of pointer
> uint32 a_size; size of the whole response;
> uint32 ?; another pointer
> uint32 b_size; size of the whole response, again..? At least in my cases

yep that's normal rpc marshall/unmarshall mecanism for an array.

> then it gets kind of fuzzy for me...here's what I get next (actual data):
> 01 00 04 80 14 00 00 00 24 00 00 00 00 00 00 00  (the 4th byte was 84
> sometimes)
> 40 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00
> 20 02 00 00 01 05 00 00 00 00 00 05 15 00 00 00
> F8 9F B4 74 DB EB 0C 50 83 BA F4 7F 01 02 00 00
> 02 00

I can decrypt at least 2 SID above. 

1-0x5-0x20-0x0220
1-0x5-0x15-0x74b49ff8-0x500cebdb-7ff4ba83

> then comes:
> uint16 c_size; size of what remains in the response
> uint16 num_entries; the number of entries to follow
> then one entry for each line on the permissions dialog, and the entry for
> "Everyone - full control" is definitely:
> 00 00 00 00
> 14 00 FF 01 1F 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00
> though I'm not sure if that first dword of zeroes is with that entry or
> before it or exactly what.
> 
> For example, this is the set of 3 entries, one is "Everyone -full control",
> one is read-write, one is read-only:
> 64 00 bytes following
> 03 00 number of entries
> 
> 00 00 00 03
> 24 00 BF 01 13 00 01 05 00 00 00 00 00 05 15 00 00 00 F8 9F B4 74 DB EB 0C
> 50 83 BA
> F4 7F E8 03
> 
> 00 00 00 03
> 24 00 A9 00 12 00 01 05 00 00 00 00 00 05 15 00 00 00 21 3E ED 46 59 33 84
> 3B 39 B0
> 9A 66 1A 0D
> 
> 00 00 00 10
> 14 00 FF 01 1F 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00

3 SIDs, could be the attribute just before.

> 
> Any help on what things might mean would be great (yes, I see the uint16
> that is the size of each entry, but beyond that I'm an idiot).

can you send the full hexadecimal query and reply ?

	J.F.