ntacl and upgradeprovision patches

Matthieu Patou mat+Informatique.Samba at matws.net
Sun Jan 17 22:47:19 MST 2010

Hi tridge,
I already noted this any other remark, squashing of patch is ok for you?

tridge at samba.org wrote:

>Hi Matthieu,
>As I mentioned on IRC, I think the use of SID_NT_SELF in ntacls.py is
>incorrect. It passes it to from_sddl() which passes it down down to
>sddl_decode() and sddl_encode().
>That means that if someone specifies a bit of SDDL containing (for
>example) 'SA', meaning the domain schema admins, then the resulting
>security descriptor will instead put in a ACE for the bogus SID
>S-1-5-10-518 (which is SID_NT_SELF with -518 tacked on). The same goes
>for all the other domain SID two letter codes.
>I think you need to get the real domain SID for ntacls.py, and use it
>for both encoding and decoding of SDDL. 
>Cheers, Tridge

More information about the samba-technical mailing list