clearTextPassword attribute

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Wed Oct 28 08:42:35 MDT 2009


Hi Team,
I have been debugging the ACL module modify access checks, and it seems to work, but I still get a lot of errors in make test. I did some investigating and here is what I found.

Some tests, for example rpc.schannel, create an object and after that attempt to modify an attribute called clearTextPassword. Now, when performing an access check on a modify operation, the acl module looks for the attribute to be modified in the dsdb_schema, because we need that attribute's GUID or securityGUID to check if the user has write access granted for it. However, this attribute is not found in the schema, and since it is not actually correct to instantiate an attribute that is not in the schema, the acl module returns an operations error...

This attribute does not seem to be supported by the MS schema. A quick search suggests that it is used in Samba to set unicode passwords, if I am not mistaken (password_hash.c). However, it still seems incorrect to allow use of an undefined attribute.

We could make an exception for this attribute in particular in acl.c, but do we always allow access, or allow access only for the administrator? Any ideas?

Regards,
Nadya


More information about the samba-technical mailing list