[PATCH] Failure to modify nTSecurityDescriptor attribute using ldb.modify_ldif()

Andrew Bartlett abartlet at samba.org
Tue Jun 30 16:11:02 MDT 2009

On Tue, 2009-06-30 at 20:04 +0200, Jelmer Vernooij wrote:
> Hi Zahari,
> Zahari Zahariev wrote:
> > Method ldb.modify_ldif() does not work at all if you try to use it
> > for nTSecurityDescriptor modification.
> >
> > The patch below implements a simple unittest for this behavior.
> > First step is to create a regular user then save its
> > nTSecurityDescriptor in SDDL format. Next we create a
> > "samba.security.descriptor" python object which is ndr_packed() and
> > included in ldb.modify_ldif() request changing our previously
> > created user's descriptor. After this we look up the same user
> > nTSecurityDescriptor then transform it into SDDL format and
> > assertNotEqual() both this and the initial value. If
> > ldb.modify_ldif() operation is successful then the two SDDL
> > representations must be different but as this functionality fails in
> > our case they are the same!
> >
> > Another interesting observation is that ldb.modify_ldif() fails to
> > change a security descriptor attribute with absolutely no warning or
> > error; in other words, if you do not look it up afterwards you would
> > have no clue that this operation fails.
> Have you tried modifying any other attributes than
> nTSecurityDescriptor? Does that work ok? If it's specific to
> nTSecurityDescriptor, it's probably a bug in the LDB module that
> handles it. If it's a problem everywhere, it's more probably a bug in
> ldb.modify().


The difference with nTSecurityDescriptor is that we use the LDIF
read/write functions for it.  This would make it different to any other
binary attribute.

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.