Questions for ACL experts!

Matthieu Patou mat at
Mon Jul 26 01:58:05 MDT 2010

Hello Nadya,

While working on the backup key remote protocol I read part of the MS-LSAD.pdf file, and more precisely this paragraph: "Secret Object Data Model".

It is said this:

"The Name field uniquely identifies the secret by using a Unicode string. Two different secrets MUST have different names (the comparison is case-sensitive). The Name field MUST be read-only. To be considered valid, the length of the name in bytes MUST be even; it MUST be greater than 0 and less than 0x101. The secret name MUST NOT contain the "\" character.<38>

The security descriptor field controls access to the secret object. Every secret object in the Local Security Authority (Domain Policy) Remote Protocol database that has Local Secret type MUST have a valid security descriptor. The security descriptor of Local Secret objects can be queried by calling the LsarQuerySecurityObject (section method and changed by calling the LsarSetSecurityObject (section method. The server MUST assign a default security descriptor to every newly created secret object, even if the client did not specify a default

Should I conclude that we should not be able to modify the ACL of this kind of object by a normal call? (i.e. one that stores the nTSecurityDescriptor?) If so, are we able to do this?

Also, it seems that special attributes are not readable by the administrator (or return nothing); do we have anything like that in our code that does it?

Cheers Matthieu.

Note: sorry for the repost, I forgot to put the list in copy!

Matthieu Patou
Samba Team
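As an added illustration of the name rules quoted from MS-LSAD above (this is example code, not from the mail or from Samba), the following validates a secret name as it would arrive on the wire and enforces the spec's case-sensitive uniqueness. It assumes the name is UTF-16-LE encoded without a NUL terminator; the store class and helper names are invented for the example.

```python
from typing import Dict, List, Optional

# Added example, not Samba code: checks a Local Secret name against the
# MS-LSAD "Secret Object Data Model" rules quoted in the mail.
# Assumption: the name is UTF-16-LE encoded with no NUL terminator.

MAX_NAME_BYTES = 0x100  # spec: byte length must be less than 0x101


def validate_secret_name(raw: bytes) -> Optional[str]:
    """Return None if `raw` is a valid secret name, else the rule it breaks."""
    n = len(raw)
    if n % 2 != 0:
        return "length in bytes must be even"
    if n == 0:
        return "length must be greater than 0"
    if n > MAX_NAME_BYTES:
        return "length must be less than 0x101 bytes"
    try:
        name = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return "not valid UTF-16-LE"
    if "\\" in name:
        return 'name must not contain "\\"'
    return None


class SecretStore:
    """Minimal LSA-style secret table (hypothetical) enforcing the name rules
    and the spec's case-sensitive uniqueness; a case-folding lookup would
    wrongly reject "Foo" when "foo" exists."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def create(self, raw_name: bytes, value: bytes) -> str:
        problem = validate_secret_name(raw_name)
        if problem is not None:
            raise ValueError(f"invalid secret name: {problem}")
        name = raw_name.decode("utf-16-le")
        if name in self._secrets:  # exact (case-sensitive) match only
            raise ValueError(f"secret {name!r} already exists")
        self._secrets[name] = value
        return name

    def names(self) -> List[str]:
        return sorted(self._secrets)


def u16(s: str) -> bytes:
    """Helper: encode a Python string in the wire form assumed above."""
    return s.encode("utf-16-le")
```

Note that a 128-character name (256 bytes) is the longest the rule allows, since 256 is still less than 0x101.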
