ntacl and upgradeprovision patches

tridge at samba.org tridge at samba.org
Sun Jan 17 16:53:31 MST 2010

Hi Matthieu,

As I mentioned on IRC, I think the use of SID_NT_SELF in ntacls.py is
incorrect. It passes it to from_sddl() which passes it down down to
sddl_decode() and sddl_encode().

That means that if someone specifies a bit of SDDL containing (for
example) 'SA', meaning the domain schema admins, then the resulting
security descriptor will instead put in a ACE for the bogus SID
S-1-5-10-518 (which is SID_NT_SELF with -518 tacked on). The same goes
for all the other domain SID two letter codes.

I think you need to get the real domain SID for ntacls.py, and use it
for both encoding and decoding of SDDL. 

Cheers, Tridge

More information about the samba-technical mailing list