[PATCH] Failure to modify nTSecurityDescriptor attribute ussing
jelmer at samba.org
Tue Jun 30 17:00:46 MDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Andrew Bartlett wrote:
> On Tue, 2009-06-30 at 20:04 +0200, Jelmer Vernooij wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> Hi Zahari,
>> Zahari Zahariev wrote:
>>> Method ldb.modify_ldif() does not work at all if you try to use
>>> it for nTSecurityDescriptor modification.
>>> The patch below implements a simple unittest for this behavior.
>>> First step is to create a regular user then save its
>>> nTSecurityDescriptor in SDDL format. Next we create a
>>> "samba.security.descriptor" python object which is ndr_packed()
>>> and included in ldb.modify_ldif() request changing our
>>> previously created user's descriptor. After this we look up the
>>> same user nTSecurityDescriptor then transform it into SDDL
>>> format and assertNotEqual() both this and the initial value. If
>>> ldb.modify_ldif() operation is successful then the the two
>>> SDDL representations must be different but as this
>>> functionality fails in our case they are the same!
>>> Another interesting observation is that ldb.modify_ldif() fails
>>> to change a security descriptor attribute with absolutely no
>>> warning or error in other words if you do not look it up
>>> afterwards you would have no clue that this operation fails.
>> Have you tried modifying any other attributes than
>> nTSecurityDescriptor? Does that work ok? If it's specific to
>> nTSecurityDescriptor, it's probably a bug in the LDB module that
>> handles it. If it's a problem everywhere, it's more probably a
>> bug in ldb.modify().
> The difference with nTSecurityDescriptor is that we use the LDIF
> read/write functions for it. This would make it different to any
> other binary attribute.
In that case, shouldn't we be returning an error if the attribute
isn't formatted correctly rather than silently ignoring it?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the samba-technical