New acl module and workstation trying to upgrade some information

Matthieu Patou mat+Informatique.Samba at matws.net
Thu Dec 3 06:33:53 MST 2009


Hello nadya,

Here is a way to trigger the behavior

* have a workstation that has joined a s4 domain
* net export keytab mydom.keytab
* kinit -t mydom.keytab -k workstation$
* ldbmodify -H ldap://ad_server_name -k 1 --controls=permissive_modify:0 /tmp/ldif


Content of /tmp/ldif

dn: CN=workstation_name,CN=Computers,DC=foo,DC=bar
changetype: modify
replace: msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 31

You should get something like:

ERR: "LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: 
insufficient access rights> <>" on DN 
CN=workstation,CN=Computers,DC=foo,DC=bar
Modified 0 records with 1 failures


As said on IRC, it's not at all a critical bug; it's just that the server 
can't update the attribute which is in fact used to say: I can support 
AES (well, a bit more than this ...).

Matthieu.

On 03/12/2009 13:02, Nadezhda Ivanova wrote:
> Hi Matthieu,
> It would seem that we have a bug either when handling property sets, or when handling PRINCIPAL_SELF. I have never tested the PRINCIPAL_SELF case so it's very possible something doesn't work right there. Thanks for the update, as I wrote, I will take a look at this next week.
>
> Regards,
> Nadya
> ----- Original Message -----
>> From: samba-technical-bounces at lists.samba.org<samba-technical-bounces at lists.samba.org>
>> To: samba-technical at lists.samba.org<samba-technical at lists.samba.org>, Matthieu Patou<mat at matws.net>
>> Sent: Wednesday, December 2, 2009 10:42:49 PM GMT+0200 Europe;Athens
>> Subject: Re: New acl module and workstation trying to upgrade some information
>
>> Nadya,
>> I had a closer look
>>
>> This attribute, unlike DNS-Host-Name (for instance), does not have a
>> dedicated right-guid but has an attribute GUID, which is described like
>> a right-guid but applies to more than one attribute
>> (http://msdn.microsoft.com/en-us/library/cc220121%28PROT.10%29.aspx).
>> It turns out that the SDDL grants the right to write to the
>> object itself:
>> (OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)
>>
>> Do we implement the check for this ?
>>
>> Matthieu.
>>
>>> On 02/12/2009 20:42, Matthieu Patou wrote:
>>> Hello nadya,
>>>
>>> As we discussed this a few months ago, workstations and servers (i.e.
>>> Windows 2008) try to update some attributes through LDAP when they
>>> start.
>>>
>>> After upgrading I'm still having messages like:
>>> Failed to modify SPNs on CN=w2k8,CN=Computers,DC=smb4,DC=tst: error in
>>> module acl: insufficient access rights (50)
>>>
>>> Here is the SD of this server:
>>>
>>>
>>> O:DOMSID-512G:DOMSID-513D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DOMSID-512)
>>> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)
>>> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
>>> (A;;RPCRLCLORCSDDT;;;DOMSID-512)
>>> (A;IO;RPCRLCLORCSDDT;;;CO)
>>> (OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;DOMSID-512)
>>> (OA;IO;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)
>>> (A;;RPLCLORC;;;AU)
>>> (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
>>> (A;;CCDC;;;PS)
>>> (OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
>>> (OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;DOMSID-517)
>>> (OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)
>>> (OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)
>>> (OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)
>>> (OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;DOMSID-512)
>>> (OA;IO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;CO)
>>> (OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;DOMSID-512)
>>> (OA;IO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)
>>> (OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;DOMSID-512)
>>> (OA;IO;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
>>> (OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;DOMSID-512)
>>> (OA;IO;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
>>> (OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;DOMSID-512)
>>> (OA;IO;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
>>> (OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;DOMSID-512)
>>> (OA;IO;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
>>> (OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)
>>> (OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
>>> (OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
>>> (OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
>>> (OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
>>> (OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
>>> (OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
>>> (OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
>>> (OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
>>> (OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
>>> (OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
>>> (OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)
>>> (OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
>>> (OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)
>>> (OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
>>> (OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
>>> (OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
>>> (OA;CIIOID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
>>> (A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DOMSID-519)
>>> (A;CIID;LC;;;RU)
>>> (A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>> (OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>
>>> The attribute is msDS-SupportedEncryptionTypes which is not in the SD
>>> above.
>>>
>>> Is there something wrong? The SD is generated for a 2003 level; maybe
>>> the right is added when we have a 2008 level?
>>>
>>> Let me know.
>>>
>>> Matthieu.
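As an added illustration (not code from this thread or from Samba's acl module), here is the shape of the check Matthieu asks about: a write to an attribute has to be credited against an allow ACE whose object GUID is empty or names the attribute's property set, with the PS (PRINCIPAL_SELF) trustee resolved to the SID of the object being modified. The pairing of msDS-SupportedEncryptionTypes with the 77b5b886-... GUID is taken from the thread and assumed correct; the workstation SIDs and the three-ACE sample SD are constructed from the descriptor quoted above.

```python
import re
from dataclasses import dataclass

# Property-set GUID the thread pairs with msDS-SupportedEncryptionTypes
# (its attributeSecurityGUID); taken from the thread and assumed correct here.
PERSONAL_INFORMATION = "77b5b886-944a-11d1-aebd-0000f80367c1"
ATTR_SECURITY_GUID = {"msDS-SupportedEncryptionTypes": PERSONAL_INFORMATION}

@dataclass
class Ace:
    ace_type: str      # "A" (allow) or "OA" (object allow); deny ACEs are skipped below
    rights: set        # two-letter SDDL rights, e.g. {"RP", "WP"}
    object_guid: str   # attribute / property-set / control GUID; "" means whole object
    trustee: str       # SID string or SDDL alias such as "PS", "AU", "BA"

def parse_ace(text):
    """Parse one SDDL ACE of the form (type;flags;rights;object;inherit;trustee)."""
    ace_type, _flags, rights, obj, _inherit, trustee = text.strip("()").split(";")
    return Ace(ace_type, set(re.findall("..", rights)), obj.lower(), trustee)

def parse_dacl(sddl):
    """Return the ACEs of the D: part of an SDDL string, in order."""
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl).group(1)
    return [parse_ace(a) for a in re.findall(r"\([^)]*\)", dacl)]

def trustee_matches(ace, token_sids, object_sid):
    if ace.trustee == "PS":  # PRINCIPAL_SELF resolves to the object being modified
        return object_sid in token_sids
    return ace.trustee in token_sids

def can_write_attribute(dacl, attr, token_sids, object_sid, property_sets=True):
    """True if an allow ACE grants WP on attr, object-wide or via its property set.
    property_sets=False reproduces the failure the thread describes: a property-set
    ACE is then not credited to its member attributes. (Matching the attribute's own
    schemaIDGUID, which the thread does not quote, is left out.)
    """
    prop_set = ATTR_SECURITY_GUID.get(attr)
    for ace in dacl:
        if ace.ace_type not in ("A", "OA") or "WP" not in ace.rights:
            continue
        if not trustee_matches(ace, token_sids, object_sid):
            continue
        if ace.object_guid == "" or (property_sets and ace.object_guid == prop_set):
            return True
    return False

# Constructed sample: three ACEs copied from the SD quoted in the thread.
SAMPLE_SD = ("O:DOMSID-512G:DOMSID-513D:AI(A;;RPLCLORC;;;AU)"
             "(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)"
             "(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;DOMSID-512)")
```

With property sets honoured, the workstation (token SID equal to the object SID) is granted WP on msDS-SupportedEncryptionTypes through the PS ACE; with them ignored, the same request fails exactly as the ldbmodify run above does.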
