Questions for ACL experts!
mat at samba.org
Mon Jul 26 01:58:05 MDT 2010
While working on the backup key remote protocol I read part of the MS-LSAD.pdf file, more precisely this paragraph: "22.214.171.124 Secret Object Data Model". It says this:

"The Name field uniquely identifies the secret by using a Unicode string. Two different secrets MUST have different names (the comparison is case-sensitive). The Name field MUST be read-only. To be considered valid, the length of the name in bytes MUST be even; it MUST be greater than 0 and less than 0x101. The secret name MUST NOT contain the "\" character.<38>

The security descriptor field controls access to the secret object. Every secret object in the Local Security Authority (Domain Policy) Remote Protocol database that has Local Secret type MUST have a valid security descriptor. The security descriptor of Local Secret objects can be queried by calling the LsarQuerySecurityObject (section 126.96.36.199.1) method and changed by the LsarSetSecurityObject (section 188.8.131.52.2) method. The server MUST assign a default security descriptor to every newly created secret object, even if the client did not specify a default
Should I conclude that we should not be able to modify the ACL of this kind of object by a normal call (i.e. one that stores the nTSecurityDescriptor)? If so, are we able to do this?
Also it seems that special attributes are not readable by administrator (or return nothing); do we have anything like that in our code that does it?
Note: sorry for the repost, I forgot to put the list in copy!
Samba Team http://samba.org
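The name and security-descriptor rules quoted from MS-LSAD above, modelled as an in-memory store. This is an added example written for this page; it is not Samba's LSA code and not the MS-LSAD reference implementation. The class and function names, the placeholder SDDL string used as the server's default descriptor, and the error messages are assumptions made for illustration; the checks themselves (even byte length, 0 < length < 0x101, no backslash, case-sensitive uniqueness, read-only name, default descriptor on creation) follow the quoted text.

```python
from typing import Dict, List, Optional

# Spec: the name's byte length must be less than 0x101 (exclusive bound).
MAX_NAME_BYTES = 0x101

# Placeholder default descriptor in SDDL form. The real default is chosen by
# the server and is not given in the quoted text; this value is an assumption
# for the example only (Builtin Administrators get GENERIC_ALL).
DEFAULT_SECRET_SD = "O:BAG:SYD:(A;;GA;;;BA)"


def validate_secret_name(raw: bytes) -> List[str]:
    """Check a secret name as it arrives on the wire.

    `raw` is the UTF-16LE buffer of an RPC_UNICODE_STRING, so the byte
    length is what the spec's "length of the name in bytes" refers to.
    Returns the list of rules the name violates; an empty list means valid.
    """
    problems: List[str] = []
    if len(raw) % 2 != 0:
        problems.append("byte length must be even")
        return problems  # an odd-length buffer is not UTF-16LE; stop here
    if len(raw) == 0:
        problems.append("byte length must be greater than 0")
    if len(raw) >= MAX_NAME_BYTES:
        problems.append("byte length must be less than 0x101")
    # Decode to look for the forbidden character; surrogatepass keeps a
    # malformed surrogate pair from raising, since the spec does not forbid it.
    text = raw.decode("utf-16-le", errors="surrogatepass")
    if "\\" in text:
        problems.append('name must not contain "\\"')
    return problems


class SecretStore:
    """Minimal model of the LSA secret database's name and descriptor rules.

    Example only: a dict keyed by the decoded name, which gives the
    case-sensitive comparison the spec requires for free.
    """

    def __init__(self) -> None:
        self._secrets: Dict[str, Dict[str, str]] = {}

    def create(self, raw_name: bytes, sd: Optional[str] = None) -> str:
        """Create a secret; returns its decoded name.

        Raises ValueError for an invalid name and FileExistsError for a
        duplicate. When the client supplies no descriptor the server MUST
        assign a default one, so no secret is ever left without an SD.
        """
        problems = validate_secret_name(raw_name)
        if problems:
            raise ValueError("; ".join(problems))
        name = raw_name.decode("utf-16-le", errors="surrogatepass")
        if name in self._secrets:
            raise FileExistsError(name)
        self._secrets[name] = {"sd": sd if sd is not None else DEFAULT_SECRET_SD}
        return name

    def query_security(self, name: str) -> str:
        """Analogue of LsarQuerySecurityObject for a secret object."""
        return self._secrets[name]["sd"]

    def set_security(self, name: str, sd: str) -> None:
        """Analogue of LsarSetSecurityObject: the descriptor is writable."""
        if name not in self._secrets:
            raise KeyError(name)
        self._secrets[name]["sd"] = sd

    def rename(self, old: str, new: str) -> None:
        """The Name field MUST be read-only, so renaming is always refused."""
        raise PermissionError("secret names are read-only")

    def names(self) -> List[str]:
        return sorted(self._secrets)
```

Because the length must be even and below 0x101, the longest valid name is 256 bytes, i.e. 128 UTF-16 code units; the store accepts "Foo" and "foo" as two distinct secrets, and the only way to change who may read a secret is through the set-security path, never by renaming it.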