a few SD questions

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Mon Nov 23 07:14:48 MST 2009


Hi Matthias,
I have some more work to do on access checks for the search request - as you can see, acl.c does not yet handle them. I expect this will be done by the end of the week. After that, the kludge will stay in the codebase for a little while, and will be optionally enabled by a configuration parameter. This will allow testers (read ekacnet) to fall back to it if some very serious bug is found. I suppose eventually we will remove it altogether.

Regards,
Nadya
----- Original Message -----
> From: Matthias Dieter Wallnöfer <mdw at samba.org>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: mat at matws.net <mat at matws.net>, samba-technical at lists.samba.org <samba-technical at lists.samba.org>, Andrew Bartlett <abartlet at samba.org>
> Sent: Monday, November 23, 2009 4:00:21 PM GMT+0200 Europe;Athens
> Subject: Re: a few SD questions

> Hi Nadya,
> 
> (maybe a bit off topic, but I think it's worth asking) do you plan to remove the "kludge_acl" module? I think with your recent work it's nearly obsolete and I personally don't see it as useful anymore (to be honest I would like to see it dropped soon). I think with some minor work and suggestions by abartlet it should be feasible.
> 
> Matthias
> 
> Nadezhda Ivanova wrote:
> > Hi Matthieu,
> > Thanks for the research. I do not understand, however, why you expect to have an ID (I assume that is what you mean by DI) flag in the DACL ACE. The DACL has the P flag, which means break inheritance: we are not supposed to inherit anything from the parent in the DACL. This is also the case in the win2k3 descriptor that you have pasted. In that descriptor you seem to have nothing inherited in the DACL as well.
> > The SACL seems to me to be missing an inherit-only flag; I will have to debug what is causing this...
> > I am also not sure about the differences in the group. Are you sure the policy in win2k3 has been created without providing an owner or a group?
> >
> > Regards,
> > Nadya
> > ----- Original Message -----
> >> From: Matthieu Patou <mat at matws.net>
> >> To: samba-technical <samba-technical at lists.samba.org>, Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> >> Sent: Monday, November 23, 2009 8:42:09 AM GMT+0200 Europe;Athens
> >> Subject: a few SD questions
> >>
> >> Hello Nadya,
> >> I made some tests today with GPO and it seems that things are getting a lot better.
> >>
> >> Below is the SD for a newly created policy. It's quite OK, just we have the duplicate ACL for Domain Admins due to the fact that the creator owner is Domain Admin. Also I think that we should have the AI control flag, as the SD is DACL_PROTECTED and has some (all?) ACLs from the parent SD. Also those inherited ACEs should have the flag DI (although it isn't very clear what the effect of this flag is; it seems more cosmetic than anything else to me).
> >>
> >> O:S-1-5-21-487418869-183637953-2310109715-512G:S-1-5-21-487418869-183637953-2310109715-513
> >> D:P
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-519)
> >> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)
> >> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
> >> (A;CI;RPLCLORC;;;AU)
> >> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> >> (A;CI;RPLCLORC;;;ED)
> >> S:AI
> >> (OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >> (OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >>
> >> At the same time, here is the SD for a newly created GPO in w2k3. They are identical for the DACL part; there is still some difference in the SACL part. Also, it's worth noting that the group is different.
> >>
> >> O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746857408-2662927446-512
> >> D:PAI
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-519)
> >> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
> >> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
> >> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
> >> (A;CI;RPLCLORC;;;AU)
> >> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> >> (A;CI;RPLCLORC;;;ED)
> >> S:AI
> >> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
> >>
> >> Matthieu.
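The two descriptors Matthieu pasted, rejoined into single SDDL strings and compared programmatically, as an added example that is not part of the thread or of Samba's code. It parses the O:/G:/D:/S: components and the ACE flag fields, then turns the points raised above into checks: P versus PAI on the DACL, that no DACL ACE carries ID while P is set, the duplicate Domain Admins ACE, the differing group, and the IO flag and third ACE that Samba's SACL lacks. The RID meanings used in the comments (512 = Domain Admins, 513 = Domain Users) are the standard Windows well-known RIDs, not something stated in the thread.

```python
"""Added example (not Samba code): parse and compare the two GPO descriptors quoted above."""
import re
# Matthieu's Samba4 and win2k3 descriptors from the mail, rejoined into single strings.
SAMBA_SD = ("O:S-1-5-21-487418869-183637953-2310109715-512G:S-1-5-21-487418869-183637953-2310109715-513D:P"
            "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)"
            "(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)"
            "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
W2K3_SD = ("O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746857408-2662927446-512D:PAI"
           "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)"
           "(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)"
           "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
           "(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)")

def _tokens(field, pattern):
    """Split a concatenated flag field such as "CIIDSA" into tokens, rejecting unknown ones."""
    if not re.fullmatch("(?:%s)*" % pattern, field):
        raise ValueError("bad flag field %r" % field)
    return frozenset(re.findall(pattern, field))

def parse_sddl(sddl):
    """Return {'O': owner, 'G': group, 'D': (control, aces), 'S': (control, aces)}."""
    parts = re.split(r"([OGDS]):", sddl)[1:]        # SIDs, GUIDs and rights never contain ':'
    sd = dict(zip(parts[::2], parts[1::2]))
    for key in [k for k in "DS" if k in sd]:
        control = _tokens(sd[key].split("(", 1)[0], "P|AR|AI")   # P = protected, AI = auto-inherited
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", sd[key]):
            typ, flags, rights, obj, _inherit_obj, sid = ace.split(";")
            aces.append({"type": typ, "rights": rights, "object": obj, "trustee": sid,
                         "flags": _tokens(flags, "CI|OI|NP|IO|ID|SA|FA")})   # ID = inherited ACE
        sd[key] = (control, aces)
    return sd

def compare(samba_sddl, win_sddl):
    """The points raised in the thread, as checks over the two descriptors."""
    a, b = parse_sddl(samba_sddl), parse_sddl(win_sddl)
    (ca, da), (cb, db), xa, xb = a["D"], b["D"], a["S"][1], b["S"][1]
    rid = lambda sid: sid.rsplit("-", 1)[-1]        # RID 512 = Domain Admins, 513 = Domain Users
    return {
        "dacl_control": (sorted(ca), sorted(cb)),   # Samba writes P, win2k3 writes PAI
        "dacl_inherited_aces": sum("ID" in x["flags"] for x in da + db),   # P set, so must be 0
        "dacl_equal_by_rid": [dict(x, trustee=rid(x["trustee"])) for x in da]
                             == [dict(x, trustee=rid(x["trustee"])) for x in db],
        "domain_admins_aces": sum(rid(x["trustee"]) == "512" for x in da),   # the duplicate ACE
        "group_rid": (rid(a["G"]), rid(b["G"])),
        "sacl_ace_count": (len(xa), len(xb)),
        "sacl_aces_without_io": (sum("IO" not in x["flags"] for x in xa), sum("IO" not in x["flags"] for x in xb)),
    }
```

compare(SAMBA_SD, W2K3_SD) returns the findings as a dict, e.g. dacl_control (['P'], ['AI', 'P']), group_rid ('513', '512') and sacl_aces_without_io (2, 1).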

