[PATCH] A script to compare the differences in ntSecurityDescriptor between 2 hosts

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Wed May 27 08:01:36 GMT 2009

Thanks so much for the tip, I'll try it right now. Also, I think that most likely the base64 is fine - I have been comparing it to the output of Apache DS, but ldapsearch returns what we get, so I think the bug is in the ApacheDS if there is one. I will know for sure today and let you know.

Thanks again,

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, May 27, 2009 6:06 AM
To: Nadezhda Ivanova
Cc: samba-technical at samba.org
Subject: Re: [PATCH] A script to compare the differences in ntSecurityDescriptor between 2 hosts

On Fri, 2009-05-22 at 17:39 +0300, Nadezhda Ivanova wrote:
> Hi Samba Team,
> Attached is the first version of a script, whose purpose is to compare
> a freshly provisioned samba against a freshly installed win2008 and
> export the ntSecurityDescriptors in ldif format to be applied against
> samba. It's not doing comparison at this point, just exporting the
> Win2008 descriptors. It has two serious issues and I would really
> appreciate it if someone can take a look and tell me what is wrong.

>       1. I believe the way the descriptors are base64 encoded is
> wrong, because when I simply read a descriptor from the remote host
> and encode it as base64 directly, the results are not what I see using
> Apache directory studio, for example. 

That's odd.  And what about ldapsearch?  I would expect that an
ldbsearch would return a different format (it invokes the 'pretty
printer' for ACLs), but ldapsearch and the python scripts should show
the same data (once both base64 encoded).

Your LDAP printer could be avoided if the python interface
(source4/lib/ldb/pyldb.c) had a function to turn an ldb message back
into ldif.  That might also avoid any odd bugs in your special LDIF

>       2. How to use the paged search control to get more than 1000
> entries? It appears we cannot use it, as there is no way to obtain the
> cookie that the server returns, so that we cannot request the next
> page. Dealt with this rather ugly by resetting the maxPageSize of the
> default query policy.

That is ugly :-)

There is a good example of this in the python tool 'fullschema':

Ldb(url, credentials=creds, lp=lp_ctx,

You should be able to use this syntax with SamDB too. 

Honestly, I can't actually see a reason why we should not always use
this module - and have it activated every time we use the ldb_ildap
backend.  (But the above syntax should work for now).

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
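As an added example (not code from this thread or from Samba), the comparison and export step the script is after, written standalone: it emits RFC 2849 LDIF modify records for every DN whose descriptor differs, using the "::" base64 form and 76-column folding so the output does not depend on a hand-rolled printer. Reading the descriptors from the two hosts is assumed to happen elsewhere; the sample bytes below are constructed placeholders, not real security descriptors.

```python
import base64
from typing import Dict, List

ATTR = "nTSecurityDescriptor"
LDIF_WIDTH = 76  # RFC 2849: fold at 76 chars, continuation lines start with one space


def needs_base64(value: bytes) -> bool:
    """RFC 2849: a value must be base64-encoded unless it is a plain SAFE-STRING."""
    if not value:
        return False
    if value[0] in b" :<":      # SAFE-INIT-CHAR excludes space, colon and '<'
        return True
    if value[-1:] == b" ":      # trailing space would be silently dropped
        return True
    return any(b == 0 or b in (0x0A, 0x0D) or b > 0x7F for b in value)


def ldif_attr(name: str, value: bytes) -> List[str]:
    """Render one attribute as folded LDIF lines, using '::' + base64 when required."""
    if needs_base64(value):
        line = f"{name}:: {base64.b64encode(value).decode('ascii')}"
    else:
        line = f"{name}: {value.decode('ascii')}"
    lines, rest = [line[:LDIF_WIDTH]], line[LDIF_WIDTH:]
    while rest:
        lines.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return lines


def descriptor_diff_ldif(reference: Dict[str, bytes], target: Dict[str, bytes]) -> str:
    """Modify records that make 'target' descriptors equal to 'reference' ones."""
    records = []
    for dn in sorted(reference):
        if dn not in target or reference[dn] == target[dn]:
            continue  # missing objects are not modifiable; identical ones need nothing
        rec = ldif_attr("dn", dn.encode("utf-8"))
        rec += ["changetype: modify", f"replace: {ATTR}"]
        rec += ldif_attr(ATTR, reference[dn])
        rec.append("-")
        records.append("\n".join(rec))
    return "\n\n".join(records) + "\n" if records else ""


# Constructed placeholder bytes standing in for self-relative descriptors read
# from a Windows 2008 DC (reference) and a freshly provisioned Samba (target).
WIN2008 = {"CN=Users,DC=example,DC=com": b"\x01\x00\x04\x80" + bytes(60)}
SAMBA = {"CN=Users,DC=example,DC=com": b"\x01\x00\x04\x80" + bytes(59) + b"\x01"}

if __name__ == "__main__":
    print(descriptor_diff_ldif(WIN2008, SAMBA), end="")
```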
