ntacl and upgradeprovision patches

Matthieu Patou mat+Informatique.Samba at matws.net
Sun Jan 17 22:47:19 MST 2010


Hi tridge,
I already noted this. Any other remarks? Is squashing of the patches OK for you?
Matthieu

tridge at samba.org wrote:

>Hi Matthieu,
>
>As I mentioned on IRC, I think the use of SID_NT_SELF in ntacls.py is
>incorrect. It passes it to from_sddl() which passes it down to
>sddl_decode() and sddl_encode().
>
>That means that if someone specifies a bit of SDDL containing (for
>example) 'SA', meaning the domain schema admins, then the resulting
>security descriptor will instead put in an ACE for the bogus SID
>S-1-5-10-518 (which is SID_NT_SELF with -518 tacked on). The same goes
>for all the other domain SID two letter codes.
>
>I think you need to get the real domain SID for ntacls.py, and use it
>for both encoding and decoding of SDDL. 
>
>Cheers, Tridge
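
The expansion problem described in the quoted message, as an added example that is not part of the thread and is not Samba's code: a small stand-alone resolver for the trustee field of SDDL ACEs, plus a check for SIDs built on top of SID_NT_SELF. The function names, the reduced alias tables, the sample SDDL string and the sample domain SID are all constructed for illustration.

```python
import re

SID_NT_SELF = "S-1-5-10"  # value quoted in the thread

# Domain-relative SDDL aliases: the RID is appended to the domain SID.
# Reduced table for illustration.
DOMAIN_RIDS = {"DA": 512, "DU": 513, "DG": 514, "DC": 515, "DD": 516,
               "CA": 517, "SA": 518, "EA": 519, "PA": 520}
# Aliases with a fixed SID that does not depend on the domain.
FIXED_SIDS = {"PS": "S-1-5-10", "SY": "S-1-5-18", "AU": "S-1-5-11",
              "WD": "S-1-1-0", "BA": "S-1-5-32-544"}

ACE_RE = re.compile(r"\(([^()]*)\)")

def resolve_trustee(token, domain_sid):
    """Turn the last field of an ACE into a SID string."""
    if token in DOMAIN_RIDS:
        return f"{domain_sid}-{DOMAIN_RIDS[token]}"
    if token in FIXED_SIDS:
        return FIXED_SIDS[token]
    if token.startswith("S-1-"):
        return token
    raise ValueError(f"unknown trustee {token!r}")

def ace_trustees(sddl, domain_sid):
    """Resolve the trustee of every ACE in an SDDL string."""
    sids = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE ({body})")
        sids.append(resolve_trustee(fields[5], domain_sid))
    return sids

def bogus_trustees(sids):
    """SID_NT_SELF has no sub-authorities of its own, so any SID that
    extends it is the product of using it as the domain SID."""
    return [s for s in sids if s.startswith(SID_NT_SELF + "-")]

# Constructed sample input.
SAMPLE_SDDL = "D:(A;;RPWP;;;SA)(A;;RP;;;PS)(A;;GA;;;SY)"
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

if __name__ == "__main__":
    for dom in (SID_NT_SELF, SAMPLE_DOMAIN_SID):
        sids = ace_trustees(SAMPLE_SDDL, dom)
        print(dom, sids, "bogus:", bogus_trustees(sids))
```
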

