[PATCH] Basic Ldb unittests involving nTSecurityDescriptor

Zahari Zahariev zahari.zahariev at postpath.com
Wed Sep 2 09:43:35 MDT 2009 

Andrew Bartlett wrote:
> On Wed, 2009-08-26 at 21:59 +1000, Andrew Bartlett wrote:
>   
>> On Thu, 2009-08-13 at 15:07 +0300, Zahari Zahariev wrote:
>>     
>>> Hello Samba4,
>>>
>>> These are some unittest that prove whether ldb.modify_ldif() or 
>>> ldb.add_ldif() works correctly with nTSecurityDescriptor attributes.
>>>
>>> After Andrew's fix a week ago almost everything works fine. The problem 
>>> I found while preparing these tests is where you have a descriptor like 
>>> "O:DUG:DUD:PAI(A;;RPWP;;;AU)S:PAI" and you want to pass it in BASE64 
>>> format in a ldif either to ldb.modify_ldif() or db.add_ldif() -- the 
>>> result is that nTSecurityDescriptor attribute disappears.
>>>
>>> Tests are prepared against Windows 2003 AD Server.
>>>       
>> The reason the nTSecurityDescriptor dissapears is that it is invalid.
>> We send it, but the server ignores it.  (Pity it does not send an error)
>>
>> Look at the attached PCAP file, generated with the attached patch
>> against Window 2003.  In short, the domain SID S-1-5-21 is invalid - the
>> SDDL works because we query the real SID from the server during
>> parsing. 
>>
>> If you replace that SID with the real one, I bet the tests will pass. 
>>     
>
> I've added a function to get you the Domain SID easily, and modified the
> functions to use it.  Things are still not good, but look at these
> patches and see if you can fix things from here.
>
> Once things pass against Windows 2008, we can merge them (with
> known-failures against Samba4 until the ACL patches land)
>
> Andrew Bartlett
>
>   
Hello Andrew & Samba team,

I took a deeper look into the problem and it turned out the root of the
problem is that security.dom_sid('S-1-5-21') is a WRONG SID to parse
your SDDL string with.

The right way is to use the correct domain SID for your current
environment (suggested from Andrew). However the value ldb.doamin_sid()
did not work for me it was None so I consulted Nadya to see how she did
it for the provisioning of security descriptors so I have included
self.find_domain_sid() for that purpose. Using this domain SID all
unittests that had problems in previous emails above are now *perfectly
fine*.

Additional thing is that I added a unittest with wrong SID (the one I
was using so far) initially changed by Andrew.

P.S. Special thanks to Andrew and Nadya for their help.

Cheers!

    --Zahari
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Basic-tests-for-nTSceurityDescriptor-both-SDDL-and-B.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20090902/c9202e8c/attachment.ksh>

More information about the samba-technical mailing list