[PATCH] A script to compare the differences in ntSecurityDescriptor between 2 hosts

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Fri May 29 07:46:13 GMT 2009 

Hi Andrew,
I found the reason for this and fixed it, will be sending patch shortly. The cause was that as_sddl does not replace schema admins sid with SA as ti should. Also, changed the script. It turned out that exporting to ldif will not do, as some of the well know security principals have sids of the form domain + rid, so just converting them to base64 and using ldif will not allow us to use the correct domain sid.
Thanks for your help!
Regards, 
Nadya

-----Original Message-----
From: Andrew Kroeger [mailto:andrew at id10ts.net] 
Sent: Friday, May 29, 2009 1:10 AM
To: Nadezhda Ivanova
Cc: samba-technical at samba.org
Subject: Re: [PATCH] A script to compare the differences in ntSecurityDescriptor between 2 hosts

Nadezhda Ivanova wrote:
> Hi Andrew,
> I took a second look and I think the comparison should in principle be correct. When we provide a domain sid to as_sddl(), we get the short SID Form, that is the Well knows security principals are replaced with their SDDL aliases, and since we are comparing fresh installations there should be no new security principals. This means that the local and remote short form SDDL strings should be equal and sddl != sddl_local will work.

I do not think this is correct.  The following example uses 
CN=ms-WMI-RangeParam,CN=Schema,CN=Configuration,${DOMAINDN} as the 
security descriptor:

 From your script, the value of "sddl" is:

O:S-1-5-21-3535540597-1460060105-1161320952-518G:S-1-5-21-3535540597-1460060105-1161320952-518D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;S-1-5-21-3535540597-1460060105-1161320952-518)(A;CIID
;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)

and the value of sddl_local is:

O:SYG:BAD:S:

I added some additional statements to convert "descr" to SDDL, using 
both self.local_sid and self.remote_sid.  After running 
"sddl_descr_local = descr.as_sddl(self.local_sid)", the value of 
sddl_descr_local is:

O:S-1-5-21-3535540597-1460060105-1161320952-518G:S-1-5-21-3535540597-1460060105-1161320952-518D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;S-1-5-21-3535540597-1460060105-1161320952
-518)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)

and after running "sddl_descr_remote = descr.as_sddl(self.remote_sid)", 
the value of sddl_descr_remote is:
 
O:S-1-5-21-3535540597-1460060105-1161320952-518G:S-1-5-21-3535540597-1460060105-1161320952-518D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;S-1-5-21-3535540597-1460060105-116132095
2-518)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)

Note that the domain SID is the same in all examples above 
(S-1-5-21-3535540597-1460060105-1161320952).  I added some statements to 
output the values of self.local_sid and self.remote_sid.  The value of 
self.local_sid is:

S-1-5-21-2430860825-3145872101-2902583217

and the value of self.remote_sid is:

S-1-5-21-3535540597-1460060105-1161320952

Note that from all examples above, the domain SID in the SDDL is the 
remote SID, and nothing has been changed to the local SID.

Sincerely,
Andrew Kroeger

> 
> However, it is still great that you made me go back to it, because it turns out that for schema entries the SID is not replaced with SA, and that would cause trouble. Perhaps it's a bug...
> 
> Thanks again!
> 
> -----Original Message-----
> From: Andrew Kroeger [mailto:andrew at id10ts.net] 
> Sent: Thursday, May 28, 2009 2:49 PM
> To: Nadezhda Ivanova
> Cc: samba-technical at samba.org
> Subject: Re: [PATCH] A script to compare the differences in ntSecurityDescriptor between 2 hosts
> 
> Nadya:
> 
> I like the good work you've done with this script.  Keep it up!
> 
> I worked a little with the original script version you sent as well as 
> taking a look at the new version, and I have a few comments:
> 
> 1) There are some lines with trailing whitespace that cause git warnings 
> when importing the patch using git-am.  These should be cleaned up 
> before submitting the final patch.
> 
> 2) After creating the credentials parser ("credopts"), it should be 
> added as a parser option group ("parser.add_option_group(credopts)") so 
> the authentication options are displayed when the script is given the 
> "--help" argument.
> 
> 3) As written, the script does not properly convert the domain SID in 
> the descriptor from the remote machine into the proper domain SID for 
> the local (S4) machine.  This can be seen by printing the original 
> remote SDDL ("sddl") and then printing the SDDL from the new security 
> descriptor ("descr") with "print descr.as_sddl()" before calling 
> self.add_to_ldif().  I believe the security descriptor from the remote 
> machine should be converted to use the local SID before the "if sddl != 
> sddl_local:" comparison anyway, otherwise two descriptors that differ 
> solely in domain SID will be considered different and generate an 
> unnecessary LDIF modify entry.
> 
> I tried to use string replacement to change the domain SID's 
> ("sddl_new=descr.as_sddl().replace(self.remote_sid, self.local_sid)"), 
> but python throws a "TypeError: expected a character buffer object" 
> exception.  I took a quick look at the existing SDDL functions, and I do 
> not see anything (either in C or in python) that appears to be build to 
> handle this conversion.  I only looked for a few minutes though - there 
> may be something I missed.
> 
> Again, good job with the script.  I look forward to seeing all of your 
> security descriptor work come together.
> 
> Sincerely,
> Andrew Kroeger
> 
> 
>

More information about the samba-technical mailing list