How to convert security_descriptor in samba to SECURITY_DESCRIPTOR in NT
Stefan (metze) Metzmacher
metze at samba.org
Thu Apr 1 07:29:05 MDT 2010
Ted schrieb:
> So, you mean that ndr_pull_xattr_NTACL just pull a samba defined security descriptor from the data blob(NT format SECURITY_DESCRIPTOR), and ndr_push_xattr_NTACL push the samba defined security descriptor into the data blob(NT format SECURITY_DESCRIPTOR)? If you process the command NT_TRANSACT_QUERY_SECURITY_DESC, you should first call ndr_pull_xattr_NTACL and then ndr_push_xattr_NTACL.
Can you clarify what you're are exactly doing and what fails for you.
Are developing some code or do you think you've found a bug in existing
code?
The blob's stored are not 100% the NT_TRANSACT_QUERY_SECURITY_DESC
returns (at least it should not).
We store a version number and an optional hash too, so we store a
xattr_NTACL marshalled into a blob and NT_TRANSACT_QUERY_SECURITY_DESC
should return a marshalled security_descriptor.
»·······const char *XATTR_NTACL_NAME = "security.NTACL";
»·······const int XATTR_SD_HASH_SIZE = 64;
»·······const int XATTR_SD_HASH_TYPE_NONE = 0x0;
»·······const int XATTR_SD_HASH_TYPE_SHA256 = 0x1;
»·······typedef [public] struct {
»·······»·······security_descriptor *sd;
»·······»·······uint8 hash[16];
»·······} security_descriptor_hash_v2; /* Hash never used in this
version. */
»·······typedef [public] struct {
»·······»·······security_descriptor *sd;
»·······»·······uint16 hash_type;
»·······»·······uint8 hash[64]; /* 64 bytes hash. */
»·······} security_descriptor_hash_v3;
»·······typedef [switch_type(uint16)] union {
»·······»·······[case(1)] security_descriptor *sd;
»·······»·······[case(2)] security_descriptor_hash_v2 *sd_hs2;
»·······»·······[case(3)] security_descriptor_hash_v3 *sd_hs3;
»·······} xattr_NTACL_Info;
»·······typedef [public] struct {
»·······»·······uint16 version;
»·······»·······[switch_is(version)] xattr_NTACL_Info info;
»·······} xattr_NTACL;
metze
>> -----Original Message-----
>> From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
>> Sent: Thursday, April 01, 2010 6:59 PM
>> To: Ted
>> Cc: samba-technical at lists.samba.org
>> Subject: Re: How to convert security_descriptor in samba to
>> SECURITY_DESCRIPTOR in NT
>>
>> Ted schrieb:
>>> Hi, all
>>>
>>> I have read the CIFS Protocol document provided by Microsoft and the
>>> samba 3.5.0 source code.
>>>
>>> The CIFS Protocol document says that
>> NT_TRANSACT_QUERY_SECURITY_DESC
>>> command allows a client to retrieve the security descriptor for a
>>> file. And the security descriptor is returned in the data portion of
>>> the transaction response.
>>>
>>> The code in samba process NT_TRANSACT_QUERY_SECURITY_DESC
>> command was
>>> just load the data blob in xattr and pull an xattr_NTACL out of the
>>> data blob by call ndr_pull_xattr_NTACL. The security_descriptor in
>>> xattr_NTACL was different from the definition of SECURITY_DESCRIPTOR
>>> in NT. So how does this work? Or does anybody know how to convert the
>>> samba security_descriptor to a NT SECURITY_DESCRIPTOR?
>> don't we do ndr_pull_xattr_NTACL() followed by a
>> ndr_push_security_descriptor()?
>>
>> metze
>>
>
>
> __________________________________________________
> �Ͽ�ע���Ż���������������?
> http://cn.mail.yahoo.com
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100401/90ea2708/attachment.pgp>
More information about the samba-technical
mailing list