[PATCH] Failure to modify nTSecurityDescriptor attribute using ldb.modify_ldif()

Andrew Bartlett abartlet at samba.org
Fri Jul 3 07:31:38 GMT 2009

On Tue, 2009-06-30 at 15:34 +0300, Zahari Zahariev wrote:
> Hello Samba4,
> Method ldb.modify_ldif() does not work at all if you try to use it for 
> nTSecurityDescriptor modification.
> The patch below implements a simple unittest for this behavior. First 
> step is to create a regular user then save its nTSecurityDescriptor in 
> SDDL format. Next we create a "samba.security.descriptor" python object 
> which is ndr_packed() and included in ldb.modify_ldif() request changing 
> our previously created user's descriptor. After this we look up the same 
> user nTSecurityDescriptor then transform it into SDDL format and 
> assertNotEqual() both this and the initial value. If ldb.modify_ldif() 
> operation is successful then the two SDDL representations must be 
> different but as this functionality fails in our case they are the same!
> Another interesting observation is that ldb.modify_ldif() fails to 
> change a security descriptor attribute with absolutely no warning or 
> error; in other words, if you do not look it up afterwards you would have 
> no clue that this operation fails.

I've found the bug.  The problem is that failures to parse the LDIF are
treated by the python code the same as end of file.  

I'll fix it on Monday (already working on the patch)

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
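
Added example, not part of the original message and not Samba's ldb code: a toy LDIF reader showing how treating a parse failure as end of input makes a modify apply nothing and report no error, beside a strict mode that raises. The names parse_records, modify_ldif and LdifParseError, the toy LDIF subset and the sample data are all assumptions made for illustration.

```python
import base64
import binascii

class LdifParseError(ValueError):
    """Raised in strict mode when a record cannot be parsed."""

def parse_records(ldif, strict):
    """Yield {attr: bytes} per record of a toy LDIF subset ("a: text", "a:: base64")."""
    for block in ldif.strip().split("\n\n"):
        record = {}
        try:
            for line in block.splitlines():
                attr, sep, value = line.partition(":")
                if not sep:
                    raise LdifParseError("no ':' in %r" % line)
                if value.startswith(":"):  # "attr:: <base64>"
                    record[attr] = base64.b64decode(value[1:].strip(), validate=True)
                else:
                    record[attr] = value.strip().encode()
        except (LdifParseError, binascii.Error) as exc:
            if strict:
                raise LdifParseError(str(exc)) from exc
            return  # lenient: parse failure is indistinguishable from end of input
        if record:
            yield record

def modify_ldif(store, ldif, strict):
    """Apply parsed records to store (dn -> attrs); return the number applied."""
    applied = 0
    for record in parse_records(ldif, strict):
        dn = record.pop("dn").decode()
        store[dn].update(record)
        applied += 1
    return applied

# Constructed sample data, not taken from the thread.
DN = "CN=testuser,CN=Users,DC=example,DC=com"
GOOD_LDIF = "dn: %s\nnTSecurityDescriptor:: bmV3\n" % DN
BAD_LDIF = "dn: %s\nnTSecurityDescriptor:: not*valid*base64\n" % DN  # invalid base64

if __name__ == "__main__":
    store = {DN: {"nTSecurityDescriptor": b"old"}}
    print(modify_ldif(store, BAD_LDIF, strict=False), store[DN])  # nothing applied, no error
    try:
        modify_ldif(store, BAD_LDIF, strict=True)
    except LdifParseError as exc:
        print("rejected:", exc)
```

In the lenient mode the caller can only detect the failure by reading the attribute back, which is what the unit test described in the quoted message does.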