a few SD questions

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Mon Nov 23 08:19:24 MST 2009


Eventually yes. Got to ask Zahari what is the purpose of this test...

----- Original Message -----
> From: Matthias Dieter Wallnöfer <mdw at samba.org>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: mat at matws.net <mat at matws.net>, abartlet at samba.org <abartlet at samba.org>, samba-technical at lists.samba.org <samba-technical at lists.samba.org>
> Sent: Monday, November 23, 2009 5:15:00 PM GMT+0200 Europe;Athens
> Subject: Re: a few SD questions

> Nadya,
> 
> Ah, okay.
> 
> Regarding security descriptors: this still fails in ldap.py (at least
> on my box). Do you plan investigations?
> 
> > test: Test add_ldif() with BASE64 security descriptor input using
> > WRONG domain SID
> > ...
> > failure: Test add_ldif() with BASE64 security descriptor input using
> > WRONG domain SID [
> > Traceback (most recent call last):
> >   File "./lib/ldb/tests/python/ldap.py", line 1730, in test_security_descriptor_add_neg
> >     self.assertRaises(KeyError, lambda: res[0]["nTSecurityDescriptor"])
> > AssertionError: KeyError not raised
> > ]
> Greets,
> Matthias
> 
> Nadezhda Ivanova wrote:
> > Hi Matthias,
> > I have some more work to do on access checks for the search request
> > - as you can see, acl.c does not yet handle them. I expect this will
> > be done by the end of the week. After that, kludge will stay in the
> > codebase for a little while, and will be optionally enabled by a
> > configuration parameter. This will allow testers (read ekacnet) to
> > fall back to it if some very serious bug is found. I suppose
> > eventually we will remove it altogether.
> >
> > Regards,
> > Nadya
> > ----- Original Message -----
> >> From: Matthias Dieter Wallnöfer <mdw at samba.org>
> >> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> >> Cc: mat at matws.net <mat at matws.net>, samba-technical at lists.samba.org <samba-technical at lists.samba.org>, Andrew Bartlett <abartlet at samba.org>
> >> Sent: Monday, November 23, 2009 4:00:21 PM GMT+0200 Europe;Athens
> >> Subject: Re: a few SD questions
> >>
> >> Hi Nadya,
> >> (maybe a bit out of topic - but I think it's worth to ask) do you plan
> >> to remove the "kludge_acl" module? I think with your recent work it's
> >> nearly obsolete and I personally don't see it useful anymore (to be
> >> honest I would like to see it dropped soon). I think with some minor
> >> work and suggestions by abartlet it should be feasible.
> >>
> >> Matthias
> >>
> >> Nadezhda Ivanova wrote:
> >>> Hi Mattieu,
> >>> Thanks for the research. I do not understand however why you expect
> >>> to have an ID (I assume that is what you mean by DI) flag in the DACL
> >>> ace. The DACL has the P flag, which means break inheritance - we are
> >>> not supposed to inherit anything from the parent in the DACL. This is
> >>> also the case in the win2k3 descriptor that you have pasted. In that
> >>> descriptor you seem to have nothing inherited in the DACL as well.
> >>> The sacl seems to me missing an inherit only flag, will have to
> >>> debug what is causing this...
> >>> I am also not sure about the differences in the group. Are you sure
> >>> the policy in win2k3 has been created without providing an owner or a
> >>> group?
> >>> Regards,
> >>> Nadya
> >>> ----- Original Message -----
> >>>> From: Matthieu Patou <mat at matws.net>
> >>>> To: samba-technical <samba-technical at lists.samba.org>, Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> >>>> Sent: Monday, November 23, 2009 8:42:09 AM GMT+0200 Europe;Athens
> >>>> Subject: a few SD questions
> >>>>
> >>>> Hello nadya,
> >>>> I made some tests today with GPO and it seems that things are getting
> >>>> a lot more better
> >>>>
> >>>> Below it's the SD for a newly created policy, it quite OK just we have
> >>>> the duplicate ACL for Domain Admins due to the fact that the creator
> >>>> owner is Domain Admin. Also I think that we should have the AI control
> >>>> flag as the SD is DACL_PROTECTED and that it has some (all?) ACL from
> >>>> the parent SD. Also those inherited ACE should have the flag DI
> >>>> (although it isn't very clear what is the effect of this flag, seems
> >>>> more cosmetic than something else to me).
> >>>>
> >>>> O:S-1-5-21-487418869-183637953-2310109715-512
> >>>> G:S-1-5-21-487418869-183637953-2310109715-513
> >>>> D:P
> >>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)
> >>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-519)
> >>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)
> >>>> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
> >>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
> >>>> (A;CI;RPLCLORC;;;AU)
> >>>> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> >>>> (A;CI;RPLCLORC;;;ED)
> >>>> S:AI
> >>>> (OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >>>> (OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >>>>
> >>>> In the same time here is the SD for a newly create gpo in w2k3:
> >>>> They are identical for the DACL part, there is still some difference
> >>>> on the sacl part. Also it's worth noting that the group is different
> >>>>
> >>>> O:S-1-5-21-3208502064-746857408-2662927446-512
> >>>> G:S-1-5-21-3208502064-746857408-2662927446-512
> >>>> D:PAI
> >>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
> >>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-519)
> >>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446-512)
> >>>> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
> >>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
> >>>> (A;CI;RPLCLORC;;;AU)
> >>>> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
> >>>> (A;CI;RPLCLORC;;;ED)
> >>>> S:AI
> >>>> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >>>> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >>>> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
> >>>>
> >>>> Matthieu.
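As an added example (not code from this thread or from Samba itself), the following Python reassembles the Samba-generated GPO descriptor Matthieu quoted and checks the points the thread argues over: the P (protected) and AI (auto-inherited) control flags on each ACL, which ACEs carry ID or IO, and the Domain Admins trustee that appears in two allow ACEs of the DACL. Only the standard library is used; the descriptor string is the one from the message, joined back together, and the flag-token list is the standard SDDL set.

```python
import re
from collections import Counter

# Samba-created GPO descriptor quoted in the thread, reassembled from the
# line-wrapped message text (constructed input for this example).
SAMBA_GPO_SD = (
    "O:S-1-5-21-487418869-183637953-2310109715-512"
    "G:S-1-5-21-487418869-183637953-2310109715-513"
    "D:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-519)"
    "(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-2310109715-512)"
    "(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
    "(A;CI;RPLCLORC;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

def flag_tokens(flags):
    """Flag fields are runs of two-letter tokens; P (protected) is the one-letter case."""
    return re.findall(r"AI|AR|CI|OI|NP|IO|ID|SA|FA|P", flags)

def parse_ace(ace):
    """One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)."""
    typ, flags, rights, obj, inh_obj, sid = ace.split(";")
    return {"type": typ, "flags": flag_tokens(flags), "rights": rights,
            "object": obj, "inherit_object": inh_obj, "trustee": sid}

def parse_sddl(sddl):
    """Split SDDL into owner, group and the two ACLs, each with control flags and ACEs."""
    sd = {}
    # ':' occurs only at the O:/G:/D:/S: component markers, so a lookahead split is safe.
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        name = {"O": "owner", "G": "group", "D": "dacl", "S": "sacl"}[key]
        if key in "OG":
            sd[name] = body
        else:
            sd[name] = {"flags": flag_tokens(body.split("(", 1)[0]),
                        "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]}
    return sd

def inheritance_report(sd):
    """P / AI per ACL, ID / IO per ACE, and trustees repeated across allow ACEs."""
    rep = {}
    for name in ("dacl", "sacl"):
        acl = sd[name]
        rep[name + "_protected"] = "P" in acl["flags"]
        rep[name + "_autoinherited"] = "AI" in acl["flags"]
        rep[name + "_inherited_aces"] = sum("ID" in a["flags"] for a in acl["aces"])
        rep[name + "_inherit_only_aces"] = sum("IO" in a["flags"] for a in acl["aces"])
    allowed = Counter(a["trustee"] for a in sd["dacl"]["aces"] if a["type"] == "A")
    rep["repeated_dacl_trustees"] = {s: n for s, n in allowed.items() if n > 1}
    return rep
```

Running the same report over the win2k3 descriptor from the message shows the difference Nadya points at: its SACL ACEs carry IO as well as ID, and its DACL is PAI rather than just P.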


More information about the samba-technical mailing list