Samba4 and AD2003 have differences in nTSecurityDescriptors

Anatoliy Atanasov anatoliy.atanasov at postpath.com
Thu Apr 16 08:59:42 GMT 2009 

Hi Andrew,

I have notices incoherence between Samba4 and AD2003.
 The difference is in the nTSecurityDescriptor of the following object:
"CN=Partitions,CN=Configuration,DC=samba,DC=postpath,DC=com"

In case of AD2003 this object has 11 ACEs and in Samba4 its only one.
I am pointing at the ACE that is common with the AD2003 to show that basically its content is ok.
AD 2003:
	Ace[7]
		Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
		Ace Size:  20 bytes
		Ace Flags: 0x0
		Ace Mask:  0x000f01ff
			DELETE
			READ_CONTROL
			WRITE_DAC
			WRITE_OWNER
			ACTRL_DS_CREATE_CHILD
			ACTRL_DS_DELETE_CHILD
			ACTRL_DS_LIST
			ACTRL_DS_SELF
			ACTRL_DS_READ_PROP
			ACTRL_DS_WRITE_PROP
			ACTRL_DS_DELETE_TREE
			ACTRL_DS_LIST_OBJECT
			ACTRL_DS_CONTROL_ACCESS
		Ace Sid:   NT AUTHORITY\SYSTEM S-1-5-18

Samba4:
	Ace[0]
		Ace Type:  0x0 - SEC_ACE_TYPE_ACCESS_ALLOWED
		Ace Size:  20 bytes
		Ace Flags: 0x0
		Ace Mask:  0x10000000
			SEC_GENERIC_ALL
		Ace Sid:   S-1-5-18

My problem is that in the Samba4 directory this ACE allows access only for the System account S-1-5-18, 
and the account that I am testing with is the Domain Administrator and the security check always fails with NT_STATUS_ACCESS_DENIED.

Is there a fix for this, or in other words what should be done to equalize the nTSecurityDescriptors.

Here is the back trace of calls, so you can have an idea when this check happened:
#3  0x0858cc9d in acl_search_callback (req=0x9433190, ares=0x93ecba8) at dsdb/samdb/ldb_modules/acl.c:936
#4  0x08536452 in ldb_module_send_entry (req=0x9433190, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#5  0x08550eeb in operational_callback (req=0x9485c50, ares=0x9121db8) at lib/ldb/modules/operational.c:217
#6  0x08536452 in ldb_module_send_entry (req=0x9485c50, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#7  0x0859f19e in extended_callback (req=0x9485d40, ares=0x9121d68) at dsdb/samdb/ldb_modules/extended_dn_out.c:395
#8  0x08536452 in ldb_module_send_entry (req=0x9485d40, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#9  0x08596809 in show_deleted_search_callback (req=0x94cf6b8, ares=0x9121ed8) at dsdb/samdb/ldb_modules/show_deleted.c:65
#10 0x08536452 in ldb_module_send_entry (req=0x94cf6b8, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#11 0x08597081 in partition_req_callback (req=0x94cf7f0, ares=0x9121e88) at dsdb/samdb/ldb_modules/partition.c:192
#12 0x08536452 in ldb_module_send_entry (req=0x94cf7f0, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#13 0x08594240 in ltdb_index_filter (dn_list=0x954bce0, ac=0x9446b88) at lib/ldb/ldb_tdb/ldb_index.c:1056
#14 0x0859454e in ltdb_search_indexed (ac=0x9446b88) at lib/ldb/ldb_tdb/ldb_index.c:1138
#15 0x085918c0 in ltdb_search (ctx=0x9446b88) at lib/ldb/ldb_tdb/ldb_search.c:538
#16 0x0859047a in ltdb_callback (ev=0x8aa4e08, te=0x9446be0, t={tv_sec = 0, tv_usec = 0}, private_data=0x9446b88) at lib/ldb/ldb_tdb/ldb_tdb.c:1124
#17 0x089063e4 in tevent_common_loop_timer_delay (ev=0x8aa4e08) at ../lib/tevent/tevent_timed.c:254
#18 0x08908f62 in std_event_loop_once (ev=0x8aa4e08, location=0x89c84d1 "lib/ldb/common/ldb.c:477") at ../lib/tevent/tevent_standard.c:537
#19 0x0890551b in _tevent_loop_once (ev=0x8aa4e08, location=0x89c84d1 "lib/ldb/common/ldb.c:477") at ../lib/tevent/tevent.c:488
#20 0x0852dcb0 in ldb_wait (handle=0x8c33da8, type=LDB_WAIT_ALL) at lib/ldb/common/ldb.c:477
#21 0x0852f0a2 in ldb_search (ldb=0x9022210, mem_ctx=0x94b9798, result=0xbfffeb84, base=0x94b97d0, scope=LDB_SCOPE_BASE, attrs=0x8a8f21c, exp_fmt=0x0)
    at lib/ldb/common/ldb.c:1109
#22 0x08551355 in naming_fsmo_init (module=0x94b9700) at dsdb/samdb/ldb_modules/naming_fsmo.c:68
#23 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x94b9700) at lib/ldb/common/ldb_modules.c:383
#24 0x08599dfc in partition_init (module=0x8e27858) at dsdb/samdb/ldb_modules/partition.c:1343
#25 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8e27858) at lib/ldb/common/ldb_modules.c:383
#26 0x08536152 in ldb_next_init (module=0x8e27858) at lib/ldb/common/ldb_modules.c:583
#27 0x08596ac3 in show_deleted_init (module=0x8ae8648) at dsdb/samdb/ldb_modules/show_deleted.c:152
#28 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8ae8648) at lib/ldb/common/ldb_modules.c:383
#29 0x08536152 in ldb_next_init (module=0x8ae8648) at lib/ldb/common/ldb_modules.c:583
#30 0x0859f73a in extended_dn_out_ldb_init (module=0x8efc278) at dsdb/samdb/ldb_modules/extended_dn_out.c:561
#31 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8efc278) at lib/ldb/common/ldb_modules.c:383
#32 0x08536152 in ldb_next_init (module=0x8f429f0) at lib/ldb/common/ldb_modules.c:583
#33 0x085511c4 in operational_init (ctx=0x91f24b0) at lib/ldb/modules/operational.c:307
#34 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x91f24b0) at lib/ldb/common/ldb_modules.c:383
#35 0x08536152 in ldb_next_init (module=0x9735808) at lib/ldb/common/ldb_modules.c:583
#36 0x0858c1a9 in acl_module_init (module=0x8eadef8) at dsdb/samdb/ldb_modules/acl.c:715
#37 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8eadef8) at lib/ldb/common/ldb_modules.c:383
#38 0x08536152 in ldb_next_init (module=0x8eadef8) at lib/ldb/common/ldb_modules.c:583
#39 0x085a2663 in samldb_init (module=0x92b83e0) at dsdb/samdb/ldb_modules/samldb.c:1408
#40 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x92b83e0) at lib/ldb/common/ldb_modules.c:383
#41 0x08536152 in ldb_next_init (module=0x8c96428) at lib/ldb/common/ldb_modules.c:583
#42 0x0854f1a0 in asq_init (module=0x8c96470) at lib/ldb/modules/asq.c:399
#43 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8c96470) at lib/ldb/common/ldb_modules.c:383
#44 0x08536152 in ldb_next_init (module=0x8c96470) at lib/ldb/common/ldb_modules.c:583
#45 0x0854643d in server_sort_init (module=0x96d72f8) at lib/ldb/modules/sort.c:342
#46 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x96d72f8) at lib/ldb/common/ldb_modules.c:383
#47 0x08536152 in ldb_next_init (module=0x8c920a8) at lib/ldb/common/ldb_modules.c:583
#48 0x0859d24c in paged_request_init (module=0x96b3028) at lib/ldb/modules/paged_results.c:415
#49 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x96b3028) at lib/ldb/common/ldb_modules.c:383
#50 0x08536152 in ldb_next_init (module=0x96b3028) at lib/ldb/common/ldb_modules.c:583
#51 0x085a7d27 in rootdse_init (module=0x8ddd740) at dsdb/samdb/ldb_modules/rootdse.c:414
#52 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8ddd740) at lib/ldb/common/ldb_modules.c:383

More information about the samba-technical mailing list