Questions for ACL experts!

Nadezhda Ivanova nivanova at
Mon Jul 26 03:05:53 MDT 2010

Hi Matthieu,
I did some reading and it turns out that indeed, as in the case of SAM,
we will need a separate SD database and access checking module for the LSA.
What we currently have should only be applicable to LDAP. Still, I have
answered your questions below to the best of my knowledge:

Answers below:

On Mon, Jul 26, 2010 at 10:58 AM, Matthieu Patou <mat at> wrote:

> Hello Nadya,
> While working on the backup key remote protocol I read part of the
> MS-LSAD.pdf file, more precisely the "Secret Object Data Model"
> paragraph. It says:
> "The Name field uniquely identifies the secret by using a Unicode
> string. Two different secrets MUST have different names (the comparison
> is case-sensitive). The Name field MUST be read-only. To be considered
> valid, the length of the name in bytes MUST be even; it MUST be greater
> than 0 and less than 0x101. The secret name MUST NOT contain the "\"
> character.<38>
> The security descriptor field controls access to the secret object.
> Every secret object in the Local Security Authority (Domain Policy)
> Remote Protocol database that has Local Secret type MUST have a valid
> security descriptor. The security descriptor of Local Secret objects
> can be queried by calling the LsarQuerySecurityObject (section method
> and changed by calling the LsarSetSecurityObject (section method. The
> server MUST assign a default security descriptor to every newly created
> secret object, even if the client did not specify a default value.<39>"
> Should I conclude that we should not be able to modify the ACL of this
> kind of object by a normal call? (i.e. one that stores the
> nTSecurityDescriptor?) If so, are we able to do this?

I am not sure what you mean by a normal call, but the way I understand it,
the user can provide an SD during object creation. What the paragraph means
is that even if he doesn't, the server is responsible for creating a default
SD for the object. We currently do this. I am not sure, however, if this code
should apply to LSA as well as to LDAP.

> Also it seems that special attributes are not readable by administrator
> (or return nothing). Do we have anything like that in our code that does it?

Nope, we don't yet filter the reads. I started working on this and it broke
make test brutally, showing me how limited my perspective on access checks
was :). I am currently trying to find a way to separate the access checks
for the different protocols. Not sure when I'll get to the LSA part.


> Cheers, Matthieu.
> note: sorry for the repost, I forgot to put the list in copy!
> --
> Matthieu Patou
> Samba Team
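The name rules and the default-SD requirement quoted from MS-LSAD above, worked through as an added example; this is not Samba code, and the SDDL string used as the default descriptor is a constructed placeholder, since the spec only says the server assigns some default.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

MAX_NAME_BYTES = 0x101  # byte length of the Unicode name MUST be < 0x101

# Constructed placeholder: the spec only says the server assigns *a* default
# SD; it does not prescribe this one (SDDL: full control for Admins and SYSTEM).
DEFAULT_SECRET_SD = "O:BAG:SYD:(A;;GA;;;BA)(A;;GA;;;SY)"


def validate_secret_name(name: Union[str, bytes]) -> str:
    """Return the name as text, or raise ValueError per the quoted MS-LSAD rules.

    The spec counts the length in bytes of a Unicode (UTF-16LE) string, so a
    str is encoded first; raw bytes off the wire are also checked for evenness.
    """
    raw = name.encode("utf-16-le") if isinstance(name, str) else bytes(name)
    if len(raw) == 0 or len(raw) % 2 != 0:
        raise ValueError("name must be non-empty and an even number of bytes")
    if len(raw) >= MAX_NAME_BYTES:  # i.e. at most 128 UTF-16 code units
        raise ValueError("name must be shorter than 0x101 bytes")
    text = raw.decode("utf-16-le")  # UnicodeDecodeError is a ValueError
    if "\\" in text:
        raise ValueError('name must not contain "\\"')
    return text


def is_valid_secret_name(name: Union[str, bytes]) -> bool:
    try:
        validate_secret_name(name)
        return True
    except ValueError:
        return False


@dataclass
class SecretDb:
    """Toy LSA secret store: maps secret name -> security descriptor (SDDL)."""
    secrets: Dict[str, str] = field(default_factory=dict)

    def create_secret(self, name: Union[str, bytes], sd: Optional[str] = None) -> str:
        text = validate_secret_name(name)
        # Comparison is case-sensitive, so "Foo" and "foo" are two distinct secrets.
        if text in self.secrets:
            raise FileExistsError(f"secret {text!r} already exists")
        # The server MUST assign a default SD when the client supplies none.
        self.secrets[text] = sd if sd is not None else DEFAULT_SECRET_SD
        return self.secrets[text]
```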

More information about the samba-technical mailing list