[PATCH] A script to compare the differences in
ntSecurityDescriptor between 2 hosts
nadezhda.ivanova at postpath.com
Thu May 28 13:00:55 GMT 2009
I took a second look and I think the comparison should in principle be correct. When we provide a domain sid to as_sddl(), we get the short SID Form, that is the Well knows security principals are replaced with their SDDL aliases, and since we are comparing fresh installations there should be no new security principals. This means that the local and remote short form SDDL strings should be equal and sddl != sddl_local will work.
However, it is still great that you made me go back to it, because it turns out that for schema entries the SID is not replaced with SA, and that would cause trouble. Perhaps it's a bug...
From: Andrew Kroeger [mailto:andrew at id10ts.net]
Sent: Thursday, May 28, 2009 2:49 PM
To: Nadezhda Ivanova
Cc: samba-technical at samba.org
Subject: Re: [PATCH] A script to compare the differences in ntSecurityDescriptor between 2 hosts
I like the good work you've done with this script. Keep it up!
I worked a little with the original script version you sent as well as
taking a look at the new version, and I have a few comments:
1) There are some lines with trailing whitespace that cause git warnings
when importing the patch using git-am. These should be cleaned up
before submitting the final patch.
2) After creating the credentials parser ("credopts"), it should be
added as a parser option group ("parser.add_option_group(credopts)") so
the authentication options are displayed when the script is given the
3) As written, the script does not properly convert the domain SID in
the descriptor from the remote machine into the proper domain SID for
the local (S4) machine. This can be seen by printing the original
remote SDDL ("sddl") and then printing the SDDL from the new security
descriptor ("descr") with "print descr.as_sddl()" before calling
self.add_to_ldif(). I believe the security descriptor from the remote
machine should be converted to use the local SID before the "if sddl !=
sddl_local:" comparison anyway, otherwise two descriptors that differ
solely in domain SID will be considered different and generate an
unnecessary LDIF modify entry.
I tried to use string replacement to change the domain SID's
but python throws a "TypeError: expected a character buffer object"
exception. I took a quick look at the existing SDDL functions, and I do
not see anything (either in C or in python) that appears to be build to
handle this conversion. I only looked for a few minutes though - there
may be something I missed.
Again, good job with the script. I look forward to seeing all of your
security descriptor work come together.
More information about the samba-technical