[PATCH] Failure to modify nTSecurityDescriptor attribute using ldb.modify_ldif()

Jelmer Vernooij jelmer at samba.org
Tue Jun 30 17:00:46 MDT 2009



Andrew Bartlett wrote:
> On Tue, 2009-06-30 at 20:04 +0200, Jelmer Vernooij wrote:
>>
>> Hi Zahari,
>>
>> Zahari Zahariev wrote:
>>> Method ldb.modify_ldif() does not work at all if you try to use
>>> it for nTSecurityDescriptor modification.
>>>
>>> The patch below implements a simple unittest for this behavior.
>>>  First step is to create a regular user then save its
>>> nTSecurityDescriptor in SDDL format. Next we create a
>>> "samba.security.descriptor" python object which is ndr_packed()
>>> and included in ldb.modify_ldif() request changing our
>>> previously created user's descriptor. After this we look up the
>>> same user nTSecurityDescriptor then transform it into SDDL
>>> format and assertNotEqual() both this and the initial value. If
>>> ldb.modify_ldif() operation is successful then the two
>>> SDDL representations must be different but as this
>>> functionality fails in our case they are the same!
>>>
>>> Another interesting observation is that ldb.modify_ldif() fails
>>> to change a security descriptor attribute with absolutely no
>>> warning or error in other words if you do not look it up
>>> afterwards you would have no clue that this operation fails.
>> Have you tried modifying any other attributes than
>> nTSecurityDescriptor? Does that work ok? If it's specific to
>> nTSecurityDescriptor, it's probably a bug in the LDB module that
>> handles it. If it's a problem everywhere, it's more probably a
>> bug in ldb.modify().
>
> Jelmer,
>
> The difference with nTSecurityDescriptor is that we use the LDIF
> read/write functions for it.  This would make it different to any
> other binary attribute.
In that case, shouldn't we be returning an error if the attribute
isn't formatted correctly rather than silently ignoring it?

Cheers,

Jelmer

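
Added example, not part of the original message and not Samba or ldb code: a minimal strict parser for an LDIF "changetype: modify" record that raises an error on a malformed value instead of dropping it, which is the behaviour asked for in the reply above. The DN, the LdifError class, the function names and the sample record are constructed for illustration.

```python
import base64

OPS = {"add", "delete", "replace"}

class LdifError(ValueError):
    """A change record that must be rejected, not silently skipped."""

def _split(line):
    """Split 'attr: text' or 'attr:: base64' into (attr, value bytes)."""
    attr, sep, rest = line.partition(":")
    if not sep or not attr:
        raise LdifError(f"not an attribute line: {line!r}")
    if rest.startswith(":"):  # '::' marks a base64-encoded (binary) value
        try:
            return attr, base64.b64decode(rest[1:].strip(), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise LdifError(f"bad base64 for {attr}: {exc}") from exc
    return attr, rest.strip().encode("utf-8")

def parse_modify_ldif(text):
    """Return (dn, [(op, attr, [values])]) or raise LdifError."""
    lines = []
    for raw in text.strip().splitlines():
        if raw.startswith(" ") and raw.strip() and lines:  # folded line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    if len(lines) < 2 or _split(lines[0])[0].lower() != "dn":
        raise LdifError("record must start with dn:")
    if _split(lines[1]) != ("changetype", b"modify"):
        raise LdifError("only changetype: modify is handled here")
    dn, changes, current = _split(lines[0])[1].decode(), [], None
    for line in lines[2:]:
        if line.strip() == "-":  # end of one change block
            current = None
            continue
        attr, value = _split(line)
        if current is None:  # expect e.g. 'replace: nTSecurityDescriptor'
            if attr not in OPS:
                raise LdifError(f"expected add/delete/replace, got {attr!r}")
            current = (attr, value.decode(), [])
            changes.append(current)
        elif attr.lower() != current[1].lower():
            raise LdifError(f"{attr} does not match {current[1]}")
        else:
            current[2].append(value)
    return dn, changes

# Constructed sample: the base64 value has lost its padding, so it is rejected.
SAMPLE_BAD = ("dn: CN=testuser,CN=Users,DC=example,DC=com\nchangetype: modify\n"
              "replace: nTSecurityDescriptor\nnTSecurityDescriptor:: AQAEgA\n-")
```

A caller that passes SAMPLE_BAD to parse_modify_ldif() gets an LdifError naming the attribute, so a failed descriptor change cannot go unnoticed at the parsing stage.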
