Schema security descriptors
Nadezhda Ivanova
nadezhda.ivanova at postpath.com
Wed Jun 10 16:39:40 GMT 2009
Hi Andrew,
I looked at objectclass.c as you advised. The reason we do not have the defaultSecurityDescriptor of dMD as part of the SD of CN=Schema is that we need the schema to be able to find the object class definition for a new object and get its defaultSecurityDescriptor, and we do nothing if the schema is not present (objectclass.c:539-647). Obviously, when we are first adding the CN=Schema, we do not have the schema :). Because of this, and the group/owner problem, I do not see how we can avoid re-visiting all schema objects during provisioning to modify their descriptors; it still seems like the only way. I see however how this is the place to implement security descriptor inheritance; it shouldn't be too difficult, we have the algorithms documented in MS-ADTS.
Regards,
Nadya
-----Original Message-----
Sent: Wednesday, June 10, 2009 7:06 PM
To: abartlet at samba.org
Cc: samba-technical at samba.org
Subject: Schema security descriptors
Hi Andrew,
I did a bit of analysis on the security descriptors of the schema partition in particular, here is what I found. It's kind of long but bear with me. We have a freshly provisioned Samba 4, and a newly installed win2008:
Samba 4 SD for all schema objects, including CN=Schema: O:SYG:BAD:S:
This means an empty ACE list, owner SYSTEM, group BUILTIN\Administrators.
defaultSecurityDescriptor of DMD in win2008 and Samba 4 (objectClass of CN=Schema,CN=Configuration): D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
Win2008 for all attributes and classes: O:SAG:SAD:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)
Owner: DOMAIN\Schema Admins
Group: DOMAIN\Schema Admins
Type   Trustee                Rights                                                                     Flags
Allow  Authenticated Users    read                                                                       Inherit, Inherited
Allow  DOMAIN\Schema Admins   Write, List object, Write DACL, Write Owner, Create Child, Control Access   Inherit, Inherited
Allow  System                 Full Control                                                               Inherit, Inherited
Win2008 for CN=Schema:
Owner: DOMAIN\Schema Admins
Group: DOMAIN\Schema Admins
Type   Trustee                 Rights                                                                     Flags
Allow  DOMAIN\Schema Admins    Change Schema Master
Allow  Enterprise              Replicating Directory changes
Allow  Enterprise              Replication synchronisation
Allow  Enterprise              Manage replication topology
Allow  BUILTIN\Administrators  Replicating Directory changes
Allow  BUILTIN\Administrators  Replication synchronisation
Allow  BUILTIN\Administrators  Manage replication topology
Allow  Authenticated Users     read                                                                       Inherit
Allow  DOMAIN\Schema Admins    Write, List object, Write DACL, Write Owner, Create Child, Control Access   Inherit
Allow  System                  Full Control                                                               Inherit
Allow  Enterprise              Replicating Directory changes All
Allow  Enterprise              Replicating Directory changes in Filtered Set
Allow  BUILTIN\Administrators  Replicating Directory changes All
Allow  BUILTIN\Administrators  Replicating Directory changes in Filtered Set
Allow  Enterprise              Replicating Directory changes
Allow  Enterprise              Replicating Directory changes All
Allow  Enterprise              Replicating Directory changes in Filtered Set
The ones in green come from the defaultSecurityDescriptors.
So I think in Samba we have the following problems:
1. Not even the defaultSecurityDescriptor of dMD is applied to CN=Schema at creation time.
2. We have missing object specific rights, although I think most of them are there because this is the first domain controller in the domain and is schema master
3. If we fix the inheritance to work correctly, the ACEs for objects and attributes will be correct, as all of them are inherited from CN=Schema.
4. We have to solve the problem with the owner and group. In Samba 4 it's always SYSTEM, in Win2008 Schema Admins. Simply re-establishing the session logging in as a Schema Admins member may not solve this problem.
Regards,
Nadya
Nadezhda Ivanova
Software Engineer Software Development
nadezhda.ivanova at postpath.com CISCO SYSTEMS BULGARIA EOOD
18 Macedonia Blvd. Sofia 1606
Bulgaria
Think before you print.
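An added illustration (not code from this thread or from Samba): a small SDDL parser run over the descriptors quoted above, together with a deliberately simplified version of the MS-ADTS container-inheritance step, copying the parent's CI ACEs to the child with ID set and marking the child DACL AI. The CN=Schema parent DACL is constructed from the "Inherit" rows of the table with a simplified stand-in for the non-inheritable Change Schema Master row; object-type GUIDs, the IO/NP flags and protected DACLs are ignored.

```python
import re

# Descriptors quoted in the thread (the constructed parent DACL below is not).
SAMBA_SD = "O:SYG:BAD:S:"
WIN_OBJECT_SD = ("O:SAG:SAD:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)"
                 "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)")
# Constructed CN=Schema DACL: the table's "Inherit" rows, plus a simplified stand-in
# for the non-inheritable "Change Schema Master" row (really an object-specific ACE).
WIN_SCHEMA_DACL = ("D:(A;;CR;;;SA)(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)"
                   "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)")

def parse_acl(text):
    """'AI(A;CIID;RP;;;AU)...' -> (acl_flags, [ace dicts]); '' -> ('', [])."""
    flags = text.split("(", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        ace_type, ace_flags, rights, obj, inh_obj, sid = body.split(";")
        aces.append({"type": ace_type, "flags": ace_flags, "rights": rights,
                     "object": obj, "inherit_object": inh_obj, "sid": sid})
    return flags, aces

def parse_sddl(sddl):
    """Split SDDL into O:, G:, D:, S:. Section markers are the only colons in
    SDDL, so a plain split is safe; an absent section stays None."""
    parts = re.split(r"([OGDS]):", sddl)
    sd = {"O": None, "G": None, "D": None, "S": None}
    for key, value in zip(parts[1::2], parts[2::2]):
        sd[key] = parse_acl(value) if key in "DS" else value
    return sd

def acl_to_sddl(prefix, acl):
    """Inverse of parse_acl, e.g. acl_to_sddl('D', dacl) -> 'D:AI(...)'."""
    order = ("type", "flags", "rights", "object", "inherit_object", "sid")
    return prefix + ":" + acl[0] + "".join(
        "(" + ";".join(a[k] for k in order) + ")" for a in acl[1])

def flag_set(flags):
    return {flags[i:i + 2] for i in range(0, len(flags), 2)}

def inherit_dacl(parent_dacl):
    """Simplified MS-ADTS container inheritance: each parent ACE carrying CI is
    copied to the child with ID added and the child DACL gets AI. Object-type
    GUIDs, the IO/NP flags and protected (P) DACLs are deliberately ignored."""
    child = []
    for ace in parent_dacl[1]:
        fl = flag_set(ace["flags"])
        if "CI" in fl:
            child.append(dict(ace, flags=ace["flags"] + ("" if "ID" in fl else "ID")))
    return ("AI" if child else "", child)
```

Running inherit_dacl over the constructed CN=Schema DACL reproduces the Win2008 per-object DACL exactly, while running it over Samba's O:SYG:BAD:S: yields an empty DACL, which is problem 3 in one line.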