Setting 'nTSecurityDescriptor' via LDAP fails
Nadezhda Ivanova
nadezhda.ivanova at postpath.com
Tue Mar 17 14:04:10 GMT 2009
Hi Simo,
Could you elaborate a bit? Where do we set the handler? The problem concerns the Ldb python class that is used in tests and provisioning and is in the C code of the binding. At that particular place (pyldb.c:1276), the data type is not checked, only if we check for single or multi-valued attribute...
Nadya
-----Original Message-----
From: simo [mailto:idra at samba.org]
Sent: Tuesday, March 17, 2009 3:55 PM
To: Zahari Zahariev
Cc: 'samba-technical at lists.samba.org'; Andrew Bartlett
Subject: Re: Setting 'nTSecurityDescriptor' via LDAP fails
On Tue, 2009-03-17 at 13:17 +0200, Zahari Z. wrote:
> Andrew Bartlett wrote:
> > On Tue, 2009-03-10 at 14:34 +0100, Stefan (metze) Metzmacher wrote:
> >
> >> Zahari Z. schrieb:
> >>
> >>> Andrew Bartlett wrote:
> >>>
> >>>> On Fri, 2009-03-06 at 15:11 +0200, Zahari Z. wrote:
> >>>>
> >>>>
> >>>>> Hello Andrew and Samba4,
> >>>>>
> >>>>> I am raising this issue again. This is about sending ndr_packed()
> >>>>> nTsecurityDescriptor object via LDAP connection.
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>> Hope the explanation is clear and you would be able to help us
> >>>>> overcome this LDAP situation.
> >>>>>
> >>>>>
> >>>> Does this test pass against Windows 2003 or 2008?
> >>>>
> >>>> Andrew Bartlett
> >>>>
> >>>>
> >>>>
> >>> Hello Andrew,
> >>>
> >>> It does not pass against Windows2003. It crashes with a 'Constraint error'
> >>> which, according to winerror.h, resolves to 'Invalid
> >>> nTSecurityDescriptor'.
> >>>
> >>> See the error against Win2003:
> >>>
> >>> Traceback (most recent call last):
> >>> File "./lib/ldb/tests/python/acl-test.py", line 100, in test_acl_read
> >>> "ntSecurityDescriptor" : ndr_pack(x),
> >>> LdbError: (19, 'LDAP error 19 LDAP_CONSTRAINT_VIOLATION - <0000053A:
> >>> AtrErr: DSID-03150B5E, #1:\n\t0: 0000053A: DSID-03150B5E, problem 1005
> >>> (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)\n> <>')
> >>>
> >>> My guess is that something happens at the moment of writing to database
> >>> or while sending.
> >>>
> >> I think you need to use the a control:
> >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_sd_flags_oid.asp
> >>
> >
> > Once this is fixed, I think the issue may be due to different formats of
> > the attribute (samba translates between text and binary). Try printing
> > the original value obtained over LDAP to see how it differs before you
> > try parsing.
> >
> > Andrew Bartlett
> >
> >
> Hello Samba4,
>
> We want to announce :) that we have successfully debugged and fixed
> the problem with ndr_pack(nTSecurityDescriptor) sending via LDAP using
> Samba4 ldb.add().
>
> (1) What the problem really was?
>
> The issue was that sending binary data using ldb.add() did not work. The
> issue was not raised before now as most of the properties that are set
> by ldb.add() are plain strings. We, however, tried using it to set
> ntSecurityDescriptor in binary format. In file
> source4/lib/ldb/pyldb.c:1276, function PyObject_AsMessageElement(), where
> data from python objects is converted into an ldb_message,
> talloc_strndup is used to copy/duplicate data. When we tried to send
> binary data (nTSecurityDescriptor) it did not work
> because there was a null character '\0' e.g. "bla\0foo". When
> talloc_strndup() reaches a null character it stops copying and data is
> transmitted with wrong value but correct size. Having wrong value
> transmitted through LDAP, Win2003 immediately throws "Constraint
> violation" due to data inconsistency.
>
> (2) How did we end up fixing the problem?
>
> What fixed the problem and did not raise more issues is: substitute
> talloc_strndup() with talloc_memdup(), allocate 1 more character and put
> null character ('\0') in the extra place so data copied is null terminated.
>
> (3) What happens when we just changed talloc_strndup() to talloc_memdup()?
>
> This is what we first tried. Unfortunately after double checking with
> "make test" we saw more errors were generated. The most obvious issue
> was source4/setup/newuser script was crashing with LDAP error because of
> data inconsistency. More characters were copied after talloc_memdup()
> than stated by its size. We went back to debugging and came to the
> conclusion that subsequent data handling assumes the data is a
> null-terminated string and that strlen() defines the final length of the
> value, not the real size passed along. After null-terminating the data
> that came out of memdup(), everything seems to be OK. Our concern is that null
> terminating works around a bigger problem with data size handling
> somewhere in the ldb library - size is being calculated with strlen()
> instead of using the value[].length field.
Zahari are you setting the ldb handler for nTSecurityDescriptor to be
LDB_SYNTAX_OCTET_STRING ?
If not that's the first step. If that fails then we need to check what's
going on.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
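The defect discussed in this thread, reproduced as an added stand-alone example (not Samba's code): a binary attribute value containing an embedded NUL byte is copied with a string function and silently truncated, while the length recorded for it stays correct. The `struct val` below is a simplified stand-in for ldb's pointer-plus-length value, `copy_as_string` models the `talloc_strndup()` behaviour, `copy_as_blob` models the `talloc_memdup()` plus extra NUL fix from the thread, and the `"bla\0foo"` sample is constructed here to match the example in the mail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Simplified stand-in for an ldb value: a byte pointer plus an explicit length.
 * The length field, not strlen(), is the only reliable size for binary data. */
struct val {
    uint8_t *data;
    size_t length;
};

/* Models the bug from the thread: a string-style copy stops at the first NUL
 * byte, so bytes after it are never copied, while the element's length is
 * still recorded as n ("wrong value but correct size"). */
static struct val copy_as_string(const uint8_t *src, size_t n)
{
    struct val v = { calloc(n + 1, 1), n };
    size_t i;
    if (v.data == NULL) { v.length = 0; return v; }
    for (i = 0; i < n && src[i] != '\0'; i++)
        v.data[i] = src[i];
    return v;
}

/* Models the fix from the thread: copy all n bytes regardless of content,
 * allocate one extra byte and NUL-terminate it so code that still calls
 * strlen() on the buffer cannot read past the end. The NUL is not counted. */
static struct val copy_as_blob(const uint8_t *src, size_t n)
{
    struct val v = { malloc(n + 1), n };
    if (v.data == NULL) { v.length = 0; return v; }
    memcpy(v.data, src, n);
    v.data[n] = '\0';
    return v;
}

/* Correct comparison for binary values: compare by length field and memcmp. */
static int val_equal(const struct val *a, const struct val *b)
{
    return a->length == b->length && memcmp(a->data, b->data, a->length) == 0;
}

/* Constructed sample with an embedded NUL, like the thread's "bla\0foo".
 * A real nTSecurityDescriptor would be NDR-packed bytes of the same nature. */
static const uint8_t SAMPLE[] = { 'b', 'l', 'a', '\0', 'f', 'o', 'o' };
static const size_t SAMPLE_LEN = sizeof(SAMPLE);

/* Returns 1 when the string-style copy does not match the original (the bug). */
static int strndup_copy_corrupts(void)
{
    struct val orig = { (uint8_t *)SAMPLE, SAMPLE_LEN };
    struct val copy = copy_as_string(SAMPLE, SAMPLE_LEN);
    int corrupted = !val_equal(&orig, &copy);
    free(copy.data);
    return corrupted;
}

/* Returns 1 when the blob copy is byte-identical and still NUL-terminated. */
static int memdup_copy_preserves(void)
{
    struct val orig = { (uint8_t *)SAMPLE, SAMPLE_LEN };
    struct val copy = copy_as_blob(SAMPLE, SAMPLE_LEN);
    int ok = val_equal(&orig, &copy) && copy.data[copy.length] == '\0';
    free(copy.data);
    return ok;
}

/* Shows why strlen() is the wrong size for a binary value: it stops at the
 * embedded NUL and reports 3 bytes for a 7-byte value. */
static size_t strlen_of_blob_copy(void)
{
    struct val copy = copy_as_blob(SAMPLE, SAMPLE_LEN);
    size_t n = strlen((const char *)copy.data);
    free(copy.data);
    return n;
}

int main(void)
{
    printf("string-style copy corrupts value: %d\n", strndup_copy_corrupts());
    printf("memdup-style copy preserves value: %d\n", memdup_copy_preserves());
    printf("strlen() on blob copy: %zu (real length %zu)\n",
           strlen_of_blob_copy(), SAMPLE_LEN);
    return 0;
}
```

The last function is the point Zahari's mail raises as the remaining concern: once a value is binary, any consumer that sizes it with `strlen()` instead of the length field will disagree with the sender, so the extra NUL only keeps such consumers from overrunning the buffer, it does not make them correct.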