ntacl and upgradeprovision patches

tridge at samba.org tridge at samba.org
Sun Jan 17 16:53:31 MST 2010


Hi Matthieu,

As I mentioned on IRC, I think the use of SID_NT_SELF in ntacls.py is
incorrect. It passes it to from_sddl() which passes it down to
sddl_decode() and sddl_encode().

That means that if someone specifies a bit of SDDL containing (for
example) 'SA', meaning the domain schema admins, then the resulting
security descriptor will instead put in an ACE for the bogus SID
S-1-5-10-518 (which is SID_NT_SELF with -518 tacked on). The same goes
for all the other domain SID two letter codes.

I think you need to get the real domain SID for ntacls.py, and use it
for both encoding and decoding of SDDL. 

Cheers, Tridge
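
The alias expansion described in this message, as an added example that is not part of the original post and is not Samba's sddl_decode(): a simplified Python model of how the domain-relative two-letter codes are appended to whatever SID the caller supplies, plus a strict mode that rejects a non-domain SID. The function names, the strict flag and the sample SDDL and domain SID are hypothetical and constructed for illustration.

```python
import re

# Domain-relative SDDL aliases: the code names a RID appended to the domain SID.
DOMAIN_RIDS = {"DA": 512, "DU": 513, "DG": 514, "DC": 515, "DD": 516,
               "CA": 517, "SA": 518, "EA": 519, "PA": 520}
# Aliases whose SID is fixed and independent of any domain.
FIXED_SIDS = {"PS": "S-1-5-10", "SY": "S-1-5-18", "AU": "S-1-5-11",
              "BA": "S-1-5-32-544", "WD": "S-1-1-0"}

SID_NT_SELF = "S-1-5-10"
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample values, not taken from any real domain.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = "O:BAG:SYD:(A;;RPWP;;;SA)(A;;RP;;;PS)(A;;GA;;;BA)"


def resolve_trustee(token, domain_sid):
    """Expand one ACE trustee field (alias or literal SID) to a SID string."""
    if token in DOMAIN_RIDS:
        return f"{domain_sid}-{DOMAIN_RIDS[token]}"
    if token in FIXED_SIDS:
        return FIXED_SIDS[token]
    if token.startswith("S-1-"):
        return token
    raise ValueError(f"unknown SDDL trustee {token!r}")


def ace_trustees(sddl, domain_sid, strict=False):
    """Return [(trustee field, resolved SID)] for each ACE in the DACL/SACL.

    With strict=True, refuse to expand a domain-relative alias unless
    domain_sid has the S-1-5-21-x-y-z shape of a real domain SID.
    """
    out = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE ({body})")
        token = fields[5]
        if strict and token in DOMAIN_RIDS and not DOMAIN_SID_RE.match(domain_sid):
            raise ValueError(f"{token} needs a domain SID, got {domain_sid}")
        out.append((token, resolve_trustee(token, domain_sid)))
    return out


if __name__ == "__main__":
    print(ace_trustees(SAMPLE_SDDL, SID_NT_SELF))        # SA -> S-1-5-10-518
    print(ace_trustees(SAMPLE_SDDL, SAMPLE_DOMAIN_SID))  # SA -> <domain>-518
```

Only ACE trustees are modelled here; the owner (O:) and group (G:) fields accept the same aliases and need the same domain SID.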

