a few SD questions

Matthias Dieter Wallnöfer mdw at samba.org
Mon Nov 23 08:19:42 MST 2009


Nadya,

Ah, okay.

Regarding security descriptors: this still fails in ldap.py (at least
on my box). Do you plan to investigate?

> test: Test add_ldif() with BASE64 security descriptor input using WRONG domain SID
...
> failure: Test add_ldif() with BASE64 security descriptor input using WRONG domain SID [
> Traceback (most recent call last):
>   File "./lib/ldb/tests/python/ldap.py", line 1730, in test_security_descriptor_add_neg
>     self.assertRaises(KeyError, lambda: res[0]["nTSecurityDescriptor"])
> AssertionError: KeyError not raised
> ]
Greets,
Matthias

Nadezhda Ivanova wrote:
> Hi Matthias,
> I have some more work to do on access checks for the search request - as you can see, acl.c does not yet handle them. I expect this will be done by the end of the week. After that, kludge will stay in the codebase for a little while, and will be optionally enabled by a configuration parameter. This will allow testers (read ekacnet) to fall back to it if some very serious bug is found. I suppose eventually we will remove it altogether.
>
> Regards,
> Nadya
> ----- Original Message -----
>    
>> From: Matthias Dieter Wallnöfer<mdw at samba.org>
>> To: Nadezhda Ivanova<nadezhda.ivanova at postpath.com>
>> Cc: mat at matws.net<mat at matws.net>, samba-technical at lists.samba.org<samba-technical at lists.samba.org>, Andrew Bartlett<abartlet at samba.org>
>> Sent: Monday, November 23, 2009 4:00:21 PM GMT+0200 Europe;Athens
>> Subject: Re: a few SD questions
>> Hi Nadya,
>>
>> (maybe a bit off topic, but I think it's worth asking) do you plan
>> to remove the "kludge_acl" module? I think with your recent work it's
>> nearly obsolete and I personally don't see it as useful anymore (to be
>> honest, I would like to see it dropped soon). I think with some minor
>> work and suggestions by abartlet it should be feasible.
>>
>> Matthias
>>
>> Nadezhda Ivanova wrote:
>>
>>> Hi Matthieu,
>>> Thanks for the research. I do not understand however why you expect
>>> to have an ID (I assume that is what you mean by DI) flag in the DACL
>>> ACE. The DACL has the P flag, which means break inheritance - we are
>>> not supposed to inherit anything from the parent in the DACL. This is
>>> also the case in the win2k3 descriptor that you have pasted. In that
>>> descriptor you seem to have nothing inherited in the DACL as well.
>>> The SACL seems to me to be missing an inherit-only flag; I will have to
>>> debug what is causing this...
>>> I am also not sure about the differences in the group. Are you sure
>>> the policy in win2k3 has been created without providing an owner or a
>>> group?
>>> Regards,
>>> Nadya
>>> ----- Original Message -----
>>>
>>>> From: Matthieu Patou<mat at matws.net>
>>>> To: samba-technical<samba-technical at lists.samba.org>, Nadezhda Ivanova<nadezhda.ivanova at postpath.com>
>>>> Sent: Monday, November 23, 2009 8:42:09 AM GMT+0200 Europe;Athens
>>>> Subject: a few SD questions
>>>>
>>>> Hello Nadya,
>>>>
>>>> I made some tests today with GPO and it seems that things are
>>>> getting a lot better.
>>>>
>>>> Below is the SD for a newly created policy. It is quite OK, just we
>>>> have the duplicate ACL for Domain Admins due to the fact that the
>>>> creator owner is Domain Admin. Also I think that we should have the AI
>>>> control flag as the SD is DACL_PROTECTED and that it has some (all?)
>>>> ACLs from the parent SD. Also those inherited ACEs should have the
>>>> flag DI (although it isn't very clear what the effect of this flag is;
>>>> it seems more cosmetic than anything else to me).
>>>>
>>>> O:S-1-5-21-487418869-183637953-2310109715-512
>>>> G:S-1-5-21-487418869-183637953-2310109715-513
>>>> D:P
>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)
>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-519)
>>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)
>>>> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
>>>> (A;CI;RPLCLORC;;;AU)
>>>> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
>>>> (A;CI;RPLCLORC;;;ED)
>>>> S:AI
>>>> (OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>> (OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>
>>>> At the same time, here is the SD for a newly created GPO in w2k3.
>>>> They are identical for the DACL part; there is still some difference
>>>> in the SACL part. Also it's worth noting that the group is different:
>>>>
>>>> O:S-1-5-21-3208502064-746857408-2662927446-512
>>>> G:S-1-5-21-3208502064-746857408-2662927446-512
>>>> D:PAI
>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-519)
>>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
>>>> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
>>>> (A;CI;RPLCLORC;;;AU)
>>>> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
>>>> (A;CI;RPLCLORC;;;ED)
>>>> S:AI
>>>> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
>>>>
>>>> Matthieu.
>>>>


