Setting 'nTSecurityDescriptor' via LDAP fails
Zahari Z.
zahari.zahariev at postpath.com
Fri Mar 6 13:11:52 GMT 2009
Hello Andrew and Samba4,
I am raising this issue again. This is about sending an ndr_packed()
nTSecurityDescriptor object via an LDAP connection.
Firstly, I have discovered several situations in which the tools work fine:
(1) I am absolutely sure that the ndr_pack / ndr_unpack methods work fine
when they are used back and forth like so:
x = ndr_pack(descriptor_obj)
y = ndr_unpack(security.descriptor, x)
print "SDDL:", y.as_sddl( security.dom_sid('S-1-5-21') )
(2) I am sure that you are able to read an nTSecurityDescriptor off a
default user created in the Users group.
res = ldb.search( self.base_dn, expression="(cn=%s)" % 'Administrator' )
x = res[0]["nTSecurityDescriptor"][0]
y = ndr_unpack( security.descriptor, x)
print "SDDL:", y.as_sddl( security.dom_sid('S-1-5-21') )
Secondly, we come to the case where ndr_pack / ndr_unpack DOES NOT WORK
correctly. It is when you ndr_pack() a security descriptor object and
send it to Samba4 via an LDAP connection when creating a new user. After
that, if you try to read the same nTSecurityDescriptor as shown in the first
case, point (2), the read fails with 'Buffer error'. Here is a Python
unittest example file where one can clearly see the problem (see attached
file). The attached unittest file should be located in the
'source4/lib/ldb/tests/python/' directory.
Hope the explanation is clear and you would be able to help us overcome
this LDAP situation.
Thanks!
-Zahari, Sofia
-------------- next part --------------
A non-text attachment was scrubbed...
Name: acl-test.py
Type: text/x-python
Size: 5371 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090306/f70f4906/acl-test.py
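
Added example, not part of the original post or of Samba's code: a pure-Python 3 structural check for the raw nTSecurityDescriptor bytes an LDAP search returns, to tell whether the stored value is truncated or malformed when ndr_unpack reports 'Buffer error'. It assumes the value uses the self-relative security descriptor layout from MS-DTYP; check_descriptor, parse_sid and the sample bytes are constructed for illustration.

```python
import struct

SE_SELF_RELATIVE = 0x8000  # Control flag: offsets are relative to the blob start


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] and return its S-1-... string."""
    if off + 8 > len(buf):
        raise ValueError("buffer error: SID header at offset %d is truncated" % off)
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 6 bytes, big-endian
    if off + 8 + 4 * count > len(buf):
        raise ValueError("buffer error: SID sub-authorities run past the blob")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def check_descriptor(buf):
    """Validate the 20-byte header and every offset of a self-relative descriptor."""
    if len(buf) < 20:
        raise ValueError("buffer error: %d bytes is shorter than the header" % len(buf))
    revision, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if revision != 1:
        raise ValueError("unexpected descriptor revision %d" % revision)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("SE_SELF_RELATIVE is not set in Control 0x%04x" % control)
    info = {"control": control, "owner": None, "group": None, "acls": {}}
    for name, off in (("owner", owner), ("group", group)):
        if off:  # offset 0 means the field is absent
            info[name] = parse_sid(buf, off)
    for name, off in (("sacl", sacl), ("dacl", dacl)):
        if off:
            if off + 8 > len(buf):
                raise ValueError("buffer error: %s header is truncated" % name)
            _rev, _sbz, size, aces, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
            if off + size > len(buf):
                raise ValueError("buffer error: %s claims %d bytes past the blob" % (name, size))
            info["acls"][name] = aces  # ACE count declared by the ACL header
    return info


# Constructed sample: owner and group S-1-5-32-544, one empty DACL, no SACL.
ADMINS = struct.pack("<BB", 1, 2) + (5).to_bytes(6, "big") + struct.pack("<II", 32, 544)
EMPTY_DACL = struct.pack("<BBHHH", 2, 0, 8, 0, 0)
SAMPLE = (struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 36, 0, 52)
          + ADMINS + ADMINS + EMPTY_DACL)
```

Passing the bytes of res[0]["nTSecurityDescriptor"][0] to check_descriptor() shows which field, if any, runs past the end of the stored value.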