[PATCH] Failure to modify nTSecurityDescriptor attribute ussing ldb.modify_ldif()

Zahari Zahariev zahari.zahariev at postpath.com
Tue Jun 30 06:34:10 MDT 2009

Hello Samba4,

Method ldb.modify_ldif() does not work at all if you try to use it for 
nTSecurityDescriptor modification.

The patch below implements a simple unittest for this behavior. First 
step is to create a regular user then save its nTSecurityDescriptor in 
SDDL format. Next we create a "samba.security.descriptor" python object 
which is ndr_packed() and included in ldb.modify_ldif() request changing 
our previously created user's descriptor. After this we look up the same 
user nTSecurityDescriptor then transform it into SDDL format and 
assertNotEqual() both this and the initial value. If ldb.modify_ldif() 
operation is successful then the the two SDDL representations must be 
different but as this functionality fails in our case they are the same!

Another interesting observation is that ldb.modify_ldif() fails to 
change a security descriptor attribute with absolutely no warning or 
error in other words if you do not look it up afterwards you would have 
no clue that this operation fails.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Test-that-tries-to-modify-nTSecurityDescriptor-using.patch
Type: text/x-patch
Size: 2822 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090630/469189ee/0001-Test-that-tries-to-modify-nTSecurityDescriptor-using.bin

More information about the samba-technical mailing list