[PATCH] A script to compare the differences in ntSecurityDescriptor between 2 hosts

Andrew Bartlett abartlet at samba.org
Wed May 27 03:05:37 GMT 2009


On Fri, 2009-05-22 at 17:39 +0300, Nadezhda Ivanova wrote:
> Hi Samba Team,
> Attached is the first version of a script, whose purpose is to compare
> a freshly provisioned samba against a freshly installed win2008 and
> export the ntSecurityDescriptors in ldif format to be applied against
> samba. It's not doing comparison at this point, just exporting the
> Win2008 descriptors. It has two serious issues and I would really
> appreciate it if someone can take a look and tell me what is wrong.

>       1. I believe the way the descriptors are base64 encoded is
> wrong, because when I simply read a descriptor from the remote host
> and encode it as base64 directly, the results are not what I see using
> Apache directory studio, for example. 

That's odd.  And what about ldapsearch?  I would expect that an
ldbsearch would return a different format (it invokes the 'pretty
printer' for ACLs), but ldapsearch and the python scripts should show
the same data (once both base64 encoded).

Your LDAP printer could be avoided if the python interface
(source4/lib/ldb/pyldb.c) had a function to turn an ldb message back
into ldif.  That might also avoid any odd bugs in your special LDIF
printer.

>       2. How to use the paged search control to get more than 1000
> entries? It appears we cannot use it, as there is no way to obtain the
> cookie that the server returns, so that we cannot request the next
> page. Dealt with this in a rather ugly way by resetting the MaxPageSize
> of the default query policy.

That is ugly :-)

There is a good example of this in the python tool 'fullschema':

Ldb(url, credentials=creds, lp=lp_ctx,
options=["modules:paged_searches"])

You should be able to use this syntax with SamDB too. 

Honestly, I can't actually see a reason why we should not always use
this module - and have it activated every time we use the ldb_ildap
backend.  (But the above syntax should work for now).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
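The first issue in the thread (descriptors that look different once base64 encoded) usually comes down to LDIF's own rules rather than the data: RFC 2849 requires a value to be written as "attr:: <base64>" whenever it is not a safe 7-bit string, and long lines must be folded with a leading space on each continuation line. The following Python is an added example written for this page, not code from the thread or from Samba; it encodes a binary attribute the way ldapsearch does, folds the lines, and parses the record back so the exported bytes can be compared with the original. The sample descriptor bytes are constructed to exercise the rules (NUL, high bytes, a value long enough to fold) and are not a real security descriptor.

```python
import base64
import re

# RFC 2849: a value must be base64-encoded ("attr:: ...") when it starts
# with space, ':' or '<', or contains NUL, CR, LF or any non-ASCII byte.
_UNSAFE_INIT = b" :<"


def needs_base64(value: bytes) -> bool:
    """True when LDIF requires the '::' base64 form for this value."""
    if not value:
        return False
    if value[0] in _UNSAFE_INIT:
        return True
    return any(b in (0, 10, 13) or b > 127 for b in value)


def fold(line: str, width: int = 76) -> str:
    """Fold a long LDIF line; each continuation line starts with one space."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    step = width - 1  # leave room for the leading space
    while rest:
        parts.append(" " + rest[:step])
        rest = rest[step:]
    return "\n".join(parts)


def ldif_attr(name: str, value: bytes) -> str:
    """Render one attribute/value pair, choosing ':' or '::' per RFC 2849."""
    if needs_base64(value):
        return fold(f"{name}:: {base64.b64encode(value).decode('ascii')}")
    return fold(f"{name}: {value.decode('ascii')}")


def ldif_modify_replace(dn: str, attr: str, value: bytes) -> str:
    """Build a 'changetype: modify' record replacing one attribute on dn."""
    lines = [
        ldif_attr("dn", dn.encode("utf-8")),
        "changetype: modify",
        f"replace: {attr}",
        ldif_attr(attr, value),
        "-",
        "",
    ]
    return "\n".join(lines)


_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def parse_ldif_record(text: str) -> dict:
    """Unfold continuation lines and decode '::' values back to bytes."""
    attrs = {}
    for line in text.replace("\n ", "").splitlines():
        if not line or line == "-":
            continue
        m = _ATTR_RE.match(line)
        if m is None:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name, sep, raw = m.groups()
        value = base64.b64decode(raw) if sep == "::" else raw.encode("ascii")
        attrs.setdefault(name, []).append(value)
    return attrs


# Constructed sample: a revision byte, a NUL, a high byte and enough
# filler to force line folding. Not a real self-relative descriptor.
SAMPLE_SD = b"\x01\x00\x04\x8c" + bytes(range(0x60))
SAMPLE_DN = "CN=Users,DC=example,DC=com"  # placeholder DN


def roundtrip_ok() -> bool:
    """Export the sample as LDIF and confirm the parsed bytes match."""
    record = ldif_modify_replace(SAMPLE_DN, "nTSecurityDescriptor", SAMPLE_SD)
    parsed = parse_ldif_record(record)
    return parsed["nTSecurityDescriptor"] == [SAMPLE_SD]


if __name__ == "__main__":
    print(ldif_modify_replace(SAMPLE_DN, "nTSecurityDescriptor", SAMPLE_SD))
    print("roundtrip ok:", roundtrip_ok())
```

If a descriptor exported this way still differs from what another tool shows, compare the decoded bytes rather than the base64 text: the bytes are what the server stores, and two correct exporters can fold or wrap the same base64 differently.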