Schema security descriptors

Andrew Bartlett abartlet at
Wed Jun 10 22:53:48 GMT 2009

On Wed, 2009-06-10 at 19:39 +0300, Nadezhda Ivanova wrote:
> Hi Andrew,
> I looked at objectclass.c as you advised. The reason we do not have
> the defaultSecurityDescriptor of dMD as part of the SD of CN=Schema is
> that we need the schema to be able to find the object class definition
> for a new object and get its defaultSecurityDescriptor, and we do
> nothing if the schema is not present (objectclass.c:539-647).
> Obviously, when we are first adding the CN=Schema, we do not have the
> schema :). 

That's a good guess, but otherwise we would also not have
objectCategory, right?

> Because of this, and the group/owner problem I do not see how we can
> avoid re-visiting all schema objects during provisioning to midify
> their descriptors, still seems like the only way. I see however how
> this is the place to implement security descriptor inheritance,
> shouldn't be too difficult, we have the algorithms documented in

Good.  I don't think the owner part should be too big a problem.  Who in
AD owns new schema objects created by (say) an administrator after

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list