Questions for ACL experts!

Nadezhda Ivanova nivanova at
Mon Jul 26 02:21:07 MDT 2010

Hi Matthieu,
It is quite possible that the LSA, like the SAMR, has its own semantics of
ACLs, including different meanings of flags, which requires a different set
of security descriptors for that protocol. I do not know if you read my last
mail on the subject, but what we have implemented are the security
descriptors and access checks pertaining to LDAP, which should not be
applied to other protocols. This is currently not the case, as the ACL
module is in ldb and influences all queries to ldb regardless of the
originating protocol. It hasn't been a problem up to now, but when I started
work on the searches, it showed up. I am still struggling with how to resolve
this issue, which is a serious design problem. I will, however, take a look
at MS-LSA and give a more definite answer to your question later today.


On Mon, Jul 26, 2010 at 10:58 AM, Matthieu Patou <mat at> wrote:

> Hello Nadya,
> While working on the backup key remote protocol I read part of the
> MS-LSAD.pdf file, and more precisely this paragraph:
> " Secret Object Data Model".
> It says this:
> "The Name field uniquely identifies the secret by using a Unicode string.
> Two different secrets MUST have different names (the comparison is
> case-sensitive). The Name field MUST be read-only. To be considered valid,
> the length of the name in bytes MUST be even; it MUST be greater than 0 and
> less than 0x101. The secret name MUST NOT contain the "\" character.<38>
>
> The security descriptor field controls access to the secret object. Every
> secret object in the Local Security Authority (Domain Policy) Remote
> Protocol database that has Local Secret type MUST have a valid security
> descriptor. The security descriptor of Local Secret objects can be queried
> by calling the LsarQuerySecurityObject (section method and changed by
> calling the LsarSetSecurityObject (section method. The server MUST assign
> a default security descriptor to every newly created secret object, even
> if the client did not specify a default value.<39>"
> Should I conclude that we should not be able to modify the ACL of this
> kind of object by a normal call? (i.e. one that stores the
> nTsecurityDescriptor?) If so, are we able to do this?
> Also, it seems that special attributes are not readable by administrator
> (or return nothing). Do we have anything like that in our code that does it?
> Cheers, Matthieu.
> note: sorry for the repost, I forgot to put the list in copy!
> --
> Matthieu Patou
> Samba Team
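The validity rules quoted from MS-LSAD above, written out as an added check in Python (this is example code, not Samba's code and not from either mail). It assumes that the "length in bytes" of a Unicode string is measured in its UTF-16LE encoding, which the quoted text does not spell out.

```python
MAX_NAME_BYTES = 0x101  # MS-LSAD (as quoted): byte length must be less than this


def secret_name_errors(name):
    """Return the quoted MS-LSAD rules that a candidate secret name violates.

    `name` may be a str or raw bytes. Assumption not stated in the thread: a
    str is measured in its UTF-16LE encoding, the on-the-wire form of a
    Windows Unicode string. An empty list means the name is valid.
    """
    if isinstance(name, str):
        data = name.encode("utf-16-le", errors="surrogatepass")
    else:
        data = bytes(name)
    errors = []
    if len(data) % 2 != 0:
        errors.append("length in bytes must be even")
    if len(data) == 0:
        errors.append("length in bytes must be greater than 0")
    if len(data) >= MAX_NAME_BYTES:
        errors.append("length in bytes must be less than 0x101")
    # Only decode an even-length buffer; an odd one is already rejected above.
    if len(data) % 2 == 0:
        text = data.decode("utf-16-le", errors="surrogatepass")
        if "\\" in text:
            errors.append('name must not contain "\\"')
    return errors


def is_valid_secret_name(name):
    return not secret_name_errors(name)


def duplicate_secret_names(names):
    """Names that occur more than once, compared case-sensitively as the
    quoted text requires: "Foo" and "foo" are two distinct secrets."""
    seen, dupes = set(), []
    for n in names:
        if n in seen and n not in dupes:
            dupes.append(n)
        seen.add(n)
    return dupes
```

Note that 128 UTF-16 code units (0x100 bytes) is the longest name that passes, since 0x101 itself is excluded.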

More information about the samba-technical mailing list