How to convert security_descriptor in samba to SECURITY_DESCRIPTOR in NT

Stefan (metze) Metzmacher metze at
Thu Apr 1 07:29:05 MDT 2010

Ted wrote:
> So, you mean that ndr_pull_xattr_NTACL just pulls a Samba-defined security descriptor from the data blob (NT format SECURITY_DESCRIPTOR), and ndr_push_xattr_NTACL pushes the Samba-defined security descriptor into the data blob (NT format SECURITY_DESCRIPTOR)? If you process the command NT_TRANSACT_QUERY_SECURITY_DESC, you should first call ndr_pull_xattr_NTACL and then ndr_push_xattr_NTACL.

Can you clarify what you're exactly doing and what fails for you.
Are you developing some code or do you think you've found a bug in existing

The blobs stored are not 100% what NT_TRANSACT_QUERY_SECURITY_DESC
returns (at least they should not be).

We store a version number and an optional hash too, so we store an
xattr_NTACL marshalled into a blob, and NT_TRANSACT_QUERY_SECURITY_DESC
should return a marshalled security_descriptor.

    const char *XATTR_NTACL_NAME = "security.NTACL";

    const int XATTR_SD_HASH_SIZE = 64;
    const int XATTR_SD_HASH_TYPE_NONE = 0x0;
    const int XATTR_SD_HASH_TYPE_SHA256 = 0x1;

    typedef [public] struct {
        security_descriptor *sd;
        uint8 hash[16];
    } security_descriptor_hash_v2; /* Hash never used in this version. */

    typedef [public] struct {
        security_descriptor *sd;
        uint16 hash_type;
        uint8 hash[64]; /* 64 bytes hash. */
    } security_descriptor_hash_v3;

    typedef [switch_type(uint16)] union {
        [case(1)] security_descriptor *sd;
        [case(2)] security_descriptor_hash_v2 *sd_hs2;
        [case(3)] security_descriptor_hash_v3 *sd_hs3;
    } xattr_NTACL_Info;

    typedef [public] struct {
        uint16 version;
        [switch_is(version)] xattr_NTACL_Info info;
    } xattr_NTACL;

>> -----Original Message-----
>> From: Stefan (metze) Metzmacher [mailto:metze at]
>> Sent: Thursday, April 01, 2010 6:59 PM
>> To: Ted
>> Cc: samba-technical at
>> Subject: Re: How to convert security_descriptor in samba to
>> Ted wrote:
>>> Hi, all
>>> I have read the CIFS Protocol document provided by Microsoft and the
>>> samba 3.5.0 source code.
>>> The CIFS Protocol document says that
>>> command allows a client to retrieve the security descriptor for a
>>> file. And the security descriptor is returned in the data portion of
>>> the transaction response.
>>> The code in samba that processes the NT_TRANSACT_QUERY_SECURITY_DESC
>>> command just loads the data blob from the xattr and pulls an
>>> xattr_NTACL out of the data blob by calling ndr_pull_xattr_NTACL. The
>>> security_descriptor in xattr_NTACL is different from the definition of
>>> SECURITY_DESCRIPTOR in NT. So how does this work? Or does anybody know
>>> how to convert the samba security_descriptor to an NT SECURITY_DESCRIPTOR?
>> don't we do ndr_pull_xattr_NTACL() followed by a
>> ndr_push_security_descriptor()?
>> metze

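The distinction metze draws above (the security.NTACL xattr holds a versioned xattr_NTACL wrapper with an optional hash, while NT_TRANSACT_QUERY_SECURITY_DESC must return a plain marshalled security_descriptor) as an added, runnable Python illustration. This is not Samba's code and not the output of pidl: the SECURITY_DESCRIPTOR, SID, ACL and ACE layouts are the documented Windows self-relative formats, but the wrapper byte layout (version, union switch value, hash_type, hash, inner SD) is a simplified fixed encoding assumed here for illustration, and the assumption that the SHA-256 hash covers only the marshalled SD is likewise this example's, not something the mail states. The function names (`wrap_ntacl`, `query_security_desc`, `build_self_relative_sd`) and the sample SIDs are constructed for the example.

```python
import hashlib
import hmac
import struct

# Windows SECURITY_DESCRIPTOR control bits and ACE type (documented NT values).
SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004
ACCESS_ALLOWED_ACE_TYPE = 0x00
# Constants from the xattr_NTACL IDL quoted in the mail.
XATTR_SD_HASH_SIZE = 64
XATTR_SD_HASH_TYPE_NONE = 0x0
XATTR_SD_HASH_TYPE_SHA256 = 0x1


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' as a binary NT SID: revision, sub-authority count,
    6-byte big-endian identifier authority, little-endian sub-authorities."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, off):
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def build_self_relative_sd(owner, group, allowed):
    """Self-relative SECURITY_DESCRIPTOR: 20-byte header holding offsets, then
    owner SID, group SID and a DACL. allowed: list of (sid, access_mask)."""
    aces = b""
    for sid, mask in allowed:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size, mask; the SID follows inline.
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b
    # ACL header: revision 2, sbz1, total size, ACE count, sbz2.
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed), 0) + aces
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    off_owner = 20
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(group_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner_b + group_b + acl

def parse_self_relative_sd(sd):
    """Decode what a CIFS client expects in the NT_TRANSACT_QUERY_SECURITY_DESC
    response data; raises if the bytes are not a self-relative SD."""
    rev, _, control, o_owner, o_group, _, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    out = {"owner": sid_from_bytes(sd, o_owner) if o_owner else None,
           "group": sid_from_bytes(sd, o_group) if o_group else None, "dacl": []}
    if control & SE_DACL_PRESENT and o_dacl:
        _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, o_dacl)
        pos = o_dacl + 8
        for _ in range(ace_count):
            ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
            out["dacl"].append((ace_type, mask, sid_from_bytes(sd, pos + 8)))
            pos += ace_size
    return out

# ASSUMED wrapper layout mirroring the xattr_NTACL IDL: version, union switch
# value, then (v2) 16 unused hash bytes or (v3) hash_type + 64-byte hash, then
# the inner SD. Not the NDR encoding pidl generates; hash coverage also assumed.
def wrap_ntacl(sd, version):
    """Produce the blob that would be stored in the security.NTACL xattr."""
    head = struct.pack("<HH", version, version)
    if version == 1:
        return head + sd
    if version == 2:
        return head + bytes(16) + sd
    if version == 3:
        digest = hashlib.sha256(sd).digest().ljust(XATTR_SD_HASH_SIZE, b"\0")
        return head + struct.pack("<H", XATTR_SD_HASH_TYPE_SHA256) + digest + sd
    raise ValueError("unsupported xattr_NTACL version %d" % version)

def query_security_desc(blob):
    """What NT_TRANSACT_QUERY_SECURITY_DESC should return: the inner SD after
    stripping the wrapper and checking the stored hash, never the raw xattr."""
    version, level = struct.unpack_from("<HH", blob, 0)
    if version != level:
        raise ValueError("union switch %d does not match version %d" % (level, version))
    if version == 1:
        return blob[4:]
    if version == 2:
        return blob[4 + 16:]  # v2 hash is never used, skip it
    if version == 3:
        (hash_type,) = struct.unpack_from("<H", blob, 4)
        stored, sd = blob[6:6 + XATTR_SD_HASH_SIZE], blob[6 + XATTR_SD_HASH_SIZE:]
        if hash_type == XATTR_SD_HASH_TYPE_SHA256:
            expect = hashlib.sha256(sd).digest().ljust(XATTR_SD_HASH_SIZE, b"\0")
            if not hmac.compare_digest(stored, expect):
                raise ValueError("stored NTACL hash mismatch: ACL tampered or stale")
        elif hash_type != XATTR_SD_HASH_TYPE_NONE:
            raise ValueError("unknown hash type 0x%x" % hash_type)
        return sd
    raise ValueError("unknown xattr_NTACL version %d" % version)
```

Wrapping a constructed SD with `wrap_ntacl(sd, 3)` gives bytes that are not a SECURITY_DESCRIPTOR at all (they start with the version and switch value), which is the point of the thread: a server that copied the xattr contents into the transaction response would hand the client the wrapper, not the SD. `query_security_desc` is the ndr_pull_xattr_NTACL-then-push-security_descriptor step in miniature, and the hash check and the unknown-version rejection are the two checks a practitioner would want before trusting an ACL read back from disk.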