a few SD questions
Nadezhda Ivanova
nadezhda.ivanova at postpath.com
Mon Nov 23 07:14:48 MST 2009
Hi Matthias,
I have some more work to do on access checks for the search request - as you can see, acl.c does not yet handle them. I expect this will be done by the end of the week. After that, kludge will stay in the codebase for a little while, and will be optionally enabled by a configuration parameter. This will allow testers (read ekacnet) to fall back to it if some very serious bug is found. I suppose eventually we will remove it altogether.
Regards,
Nadya
----- Original Message -----
> From: Matthias Dieter Wallnöfer <mdw at samba.org>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: mat at matws.net <mat at matws.net>, samba-technical at lists.samba.org <samba-technical at lists.samba.org>, Andrew Bartlett <abartlet at samba.org>
> Sent: Monday, November 23, 2009 4:00:21 PM GMT+0200 Europe;Athens
> Subject: Re: a few SD questions
> Hi Nadya,
>
> (maybe a bit off topic - but I think it's worth asking) do you plan
> to remove the "kludge_acl" module? I think with your recent work it's
> nearly obsolete and I personally don't see it as useful anymore (to be
> honest I would like to see it dropped soon). I think with some minor
> work and suggestions by abartlet it should be feasible.
>
> Matthias
>
> Nadezhda Ivanova wrote:
> > Hi Matthieu,
> > Thanks for the research. I do not understand, however, why you expect
> > to have an ID (I assume that is what you mean by DI) flag in the DACL
> > ACE. The DACL has the P flag, which means break inheritance - we are
> > not supposed to inherit anything from the parent in the DACL. This is
> > also the case in the win2k3 descriptor that you have pasted. In that
> > descriptor you seem to have nothing inherited in the DACL as well.
> > The SACL seems to me to be missing an inherit-only flag; I will have
> > to debug what is causing this...
> > I am also not sure about the differences in the group. Are you sure
> > the policy in win2k3 has been created without providing an owner or a
> > group?
> >
> > Regards,
> > Nadya
> > ----- Original Message -----
> >
> >> From: Matthieu Patou <mat at matws.net>
> >> To: samba-technical <samba-technical at lists.samba.org>, Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> >> Sent: Monday, November 23, 2009 8:42:09 AM GMT+0200 Europe;Athens
> >> Subject: a few SD questions
> >>
> >> Hello Nadya,
> >>
> >> I made some tests today with GPO and it seems that things are
> >> getting a lot better.
> >>
> >> Below is the SD for a newly created policy. It's quite OK, we just
> >> have the duplicate ACL for Domain Admins due to the fact that the
> >> creator owner is Domain Admins. Also I think that we should have the
> >> AI control flag, as the SD is DACL_PROTECTED and it has some (all?)
> >> ACLs from the parent SD. Also those inherited ACEs should have the
> >> flag DI (although it isn't very clear what the effect of this flag
> >> is; it seems more cosmetic than anything else to me).
> >>
> >> O:S-1-5-21-487418869-183637953-2310109715-512
> >> G:S-1-5-21-487418869-183637953-2310109715-513
> >> D:P
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-519)
> >> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)
> >> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
> >> (A;CI;RPLCLORC;;;AU)
> >> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> >> (A;CI;RPLCLORC;;;ED)
> >> S:AI
> >> (OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >> (OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >>
> >>
> >>
> >> At the same time, here is the SD for a newly created GPO in w2k3.
> >> They are identical for the DACL part; there is still some difference
> >> in the SACL part. Also it's worth noting that the group is different:
> >>
> >>
> >> O:S-1-5-21-3208502064-746857408-2662927446-512
> >> G:S-1-5-21-3208502064-746857408-2662927446-512
> >> D:PAI
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-519)
> >> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
> >> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
> >> (A;CI;RPLCLORC;;;AU)
> >> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> >> (A;CI;RPLCLORC;;;ED)
> >> S:AI
> >> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
> >>
> >>
> >> Matthieu.
> >>
> >
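The comparison Matthieu and Nadya make by eye above (which ACL carries P or AI, which ACEs carry ID or IO, the doubled Domain Admins entry, owner and group) can be made mechanical. What follows is an added example written for this page; it is not Samba code and was not posted in the thread. It is a small SDDL parser in Python that reads the two descriptors quoted in Matthieu's mail (embedded below as the sample input) and reports where they differ. The DOMAIN-<rid> normalization of trustee SIDs is my own convention so that descriptors from two different domains can be compared, and the function names are mine.

```python
import re
from collections import namedtuple

ACL_CONTROL_TOKENS = ("P", "AI", "AR")  # may precede the first ACE of a D: or S: section
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
Ace = namedtuple("Ace", "ace_type flags rights object_type inherited_object_type trustee")


def pairs(s):
    """Split a run of two-letter SDDL tokens: 'CIIOID' -> ('CI', 'IO', 'ID')."""
    if len(s) % 2:
        raise ValueError("odd-length token string: %r" % s)
    return tuple(s[i:i + 2] for i in range(0, len(s), 2))


def norm_sid(sid):
    """Domain SIDs become DOMAIN-<rid> so SDs from two domains compare (my convention)."""
    m = DOMAIN_SID_RE.match(sid)
    return "DOMAIN-" + m.group(1) if m else sid


def parse_ace(body):
    """'A;CIIO;RPWP;;;CO' -> Ace('A', ('CI', 'IO'), ('RP', 'WP'), '', '', 'CO')."""
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError("expected six ';'-separated ACE fields: %r" % body)
    ace_type, flags, rights, otype, iotype, trustee = parts
    # Rights are two-letter tokens, or one hex mask such as 0x1f01ff.
    rights_t = (rights,) if rights.startswith("0x") else pairs(rights)
    return Ace(ace_type, pairs(flags), rights_t, otype, iotype, norm_sid(trustee))


def parse_acl(section):
    """'PAI(A;CI;...)(...)' -> (['P', 'AI'], [Ace, ...])."""
    head, controls, i = section.split("(", 1)[0], [], 0
    while i < len(head):
        tok = next((t for t in ACL_CONTROL_TOKENS if head.startswith(t, i)), None)
        if tok is None:
            raise ValueError("unknown ACL control flag in %r" % head)
        controls.append(tok)
        i += len(tok)
    return controls, [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", section)]


def parse_sddl(sddl):
    """Parse 'O:..G:..D:..S:..' into a dict. Whitespace is dropped first so a
    string wrapped by a mail client can be pasted as-is."""
    sd = {"owner": "", "group": "", "dacl_flags": [], "dacl": [], "sacl_flags": [], "sacl": []}
    # Only the four top-level sections contain ':'; ACE fields and SIDs never do.
    for section in filter(None, re.split(r"(?=[OGDS]:)", re.sub(r"\s+", "", sddl))):
        key, body = section[0], section[2:]
        if key in "OG":
            sd["owner" if key == "O" else "group"] = body
        else:
            acl = "dacl" if key == "D" else "sacl"
            sd[acl + "_flags"], sd[acl] = parse_acl(body)
    return sd


def inheritance_report(sd):
    """Per ACL: protected (P), auto-inherited (AI), and how many ACEs carry ID / IO."""
    return {name: {"protected": "P" in sd[name + "_flags"],
                   "auto_inherited": "AI" in sd[name + "_flags"],
                   "inherited_aces": sum("ID" in a.flags for a in sd[name]),
                   "inherit_only_aces": sum("IO" in a.flags for a in sd[name])}
            for name in ("dacl", "sacl")}


def duplicate_grants(acl):
    """Same type, trustee, rights and object type granted more than once with
    different inheritance flags (the Domain Admins pair). -> [(trustee, [flags, ...])]"""
    groups = {}
    for a in acl:
        groups.setdefault((a.ace_type, a.trustee, a.rights, a.object_type), []).append(a.flags)
    return [(k[1], v) for k, v in groups.items() if len(v) > 1]


def compare_descriptors(a, b):
    """Fields on which two parsed descriptors differ (owner/group compared by RID)."""
    diffs = {}
    for fld in ("owner", "group"):
        if norm_sid(a[fld]) != norm_sid(b[fld]):
            diffs[fld] = (a[fld], b[fld])
    for fld in ("dacl_flags", "sacl_flags"):
        if a[fld] != b[fld]:
            diffs[fld] = (a[fld], b[fld])
    for fld in ("dacl", "sacl"):
        if a[fld] != b[fld]:
            diffs[fld] = {"only_in_a": [x for x in a[fld] if x not in b[fld]],
                          "only_in_b": [x for x in b[fld] if x not in a[fld]]}
    return diffs


# Sample input: the two descriptors quoted in the thread, Samba first, then Windows 2003.
SAMBA_SD = (
    "O:S-1-5-21-487418869-183637953-2310109715-512G:S-1-5-21-487418869-183637953-2310109715-513D:P"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-519)"
    "(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)"
    "(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)
W2K3_SD = (
    "O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746857408-2662927446-512D:PAI"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-519)"
    "(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)"
    "(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)"
    "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)"
)

if __name__ == "__main__":
    samba, w2k3 = parse_sddl(SAMBA_SD), parse_sddl(W2K3_SD)
    print("duplicate grants in the Samba DACL:", duplicate_grants(samba["dacl"]))
    print("differences Samba -> w2k3:", compare_descriptors(samba, w2k3))
```

Run on the two strings, compare_descriptors reports exactly what the thread discusses: the group (RID 513 versus 512), the DACL control flags (P versus PAI), and the SACL, where the Samba ACEs lack IO and the third w2k3 ACE is absent; the DACLs compare equal once SIDs are reduced to RIDs, and duplicate_grants flags the two Domain Admins entries that differ only in the CI flag.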