[PATCH] A script to compare the differences in ntSecurityDescriptor between 2 hosts

Andrew Kroeger andrew at id10ts.net
Thu May 28 11:48:45 GMT 2009


I like the good work you've done with this script.  Keep it up!

I worked a little with the original script version you sent as well as 
taking a look at the new version, and I have a few comments:

1) There are some lines with trailing whitespace that cause git warnings 
when importing the patch using git-am.  These should be cleaned up 
before submitting the final patch.

2) After creating the credentials parser ("credopts"), it should be 
added as a parser option group ("parser.add_option_group(credopts)") so 
the authentication options are displayed when the script is given the 
"--help" argument.

3) As written, the script does not properly convert the domain SID in 
the descriptor from the remote machine into the proper domain SID for 
the local (S4) machine.  This can be seen by printing the original 
remote SDDL ("sddl") and then printing the SDDL from the new security 
descriptor ("descr") with "print descr.as_sddl()" before calling 
self.add_to_ldif().  I believe the security descriptor from the remote 
machine should be converted to use the local SID before the "if sddl != 
sddl_local:" comparison anyway, otherwise two descriptors that differ 
solely in domain SID will be considered different and generate an 
unnecessary LDIF modify entry.

I tried to use string replacement to change the domain SID's 
("sddl_new=descr.as_sddl().replace(self.remote_sid, self.local_sid)"), 
but python throws a "TypeError: expected a character buffer object" 
exception.  I took a quick look at the existing SDDL functions, and I do 
not see anything (either in C or in python) that appears to be build to 
handle this conversion.  I only looked for a few minutes though - there 
may be something I missed.

Again, good job with the script.  I look forward to seeing all of your 
security descriptor work come together.

Andrew Kroeger

More information about the samba-technical mailing list