[PATCH] New LDAPCmp feature - compare security descriptors

Zahari Zahariev zahari.zahariev at gmail.com
Wed Sep 29 19:41:04 MDT 2010


Hi list,

This is something that would come in quite handy to people dealing with ACL 
and security related issues around Samba4.

This new feature enables LDAPCmp users to find unmatched or missing 
ACEs in objects for the three naming contexts between DCs in one domain 
(default) or different domains. Comparing security descriptors is not 
the default action, attribute comparison is. So to activate the new mode 
there is the --sd switch. However, there are two view modes to the new --sd 
action, which are 'section' (default) or 'collision'. In 'section' mode 
you can only find differences connected to missing or value-unmatched 
ACEs, but not order-unmatched ones if the ACE values and count 
are the same. All of the mentioned differences plus order-unmatched ACEs 
you can observe under the 'collision' view; however, it is more verbose.

In the links below you can see an example of both 'section' and 
'collision' view for Samba4 DCs in two different domains x.x.x.14 
(vampired from Win2008R1) and x.x.x.12 (vampired from Win2008R2). Here 
they are:

    * section view (default) - http://pastebin.com/F9XM7Nek
    * collision view - http://pastebin.com/86SV6s20

P.S. Keep in mind that passing no credentials is not very legal 
(--username & --password); this can only pass against Samba4 (for now).

Thanks!
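The difference between the two view modes described above, shown as an added standalone example; this is not the LDAPCmp code from the attached patch and does not use the Samba Python bindings. ACEs are modelled as plain SDDL-style strings, the three DC ACE lists are constructed sample data, and the function names are assumptions of this illustration. A 'section' comparison treats each ACE list as a multiset, so it reports ACEs that are missing or differ in value but is blind to reordering; a 'collision' comparison walks both lists by position, so a reordering that leaves values and count identical still shows up.

```python
from collections import Counter

# Constructed sample data (hypothetical): nTSecurityDescriptor ACEs of the same
# object as read from three DCs. DC2 holds the same ACEs as DC1 in a different
# order; DC3 lacks the last ACE entirely.
DC1_ACES = [
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    "(A;;RPLCLORC;;;AU)",
    "(D;;WP;;;AN)",
]
DC2_ACES = [
    "(A;;RPLCLORC;;;AU)",
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    "(D;;WP;;;AN)",
]
DC3_ACES = DC1_ACES[:2]


def section_diff(aces_a, aces_b):
    """'section' view: ACEs present on one side only (missing or value-unmatched).

    Order is ignored, so two descriptors with the same ACEs in a different
    order compare as equal. Returns (only_on_a, only_on_b).
    """
    count_a, count_b = Counter(aces_a), Counter(aces_b)
    only_a = sorted((count_a - count_b).elements())
    only_b = sorted((count_b - count_a).elements())
    return only_a, only_b


def collision_diff(aces_a, aces_b):
    """'collision' view: positional comparison of the two ACE lists.

    Reports every index at which the ACEs differ, which also catches
    order-unmatched ACEs that the 'section' view cannot see (ordering matters
    for ACL evaluation because explicit DENY entries are expected first).
    Returns a list of (index, ace_on_a, ace_on_b); a missing entry is None.
    """
    mismatches = []
    for i in range(max(len(aces_a), len(aces_b))):
        ace_a = aces_a[i] if i < len(aces_a) else None
        ace_b = aces_b[i] if i < len(aces_b) else None
        if ace_a != ace_b:
            mismatches.append((i, ace_a, ace_b))
    return mismatches


def report(name_a, aces_a, name_b, aces_b, view="section"):
    """Render a small text report in the chosen view; returns the report string."""
    lines = [f"Comparing {name_a} vs {name_b} ({view} view)"]
    if view == "section":
        only_a, only_b = section_diff(aces_a, aces_b)
        lines += [f"  only on {name_a}: {ace}" for ace in only_a]
        lines += [f"  only on {name_b}: {ace}" for ace in only_b]
    elif view == "collision":
        for idx, ace_a, ace_b in collision_diff(aces_a, aces_b):
            lines.append(f"  ACE[{idx}]: {name_a}={ace_a!r} {name_b}={ace_b!r}")
    else:
        raise ValueError(f"unknown view {view!r}")
    if len(lines) == 1:
        lines.append("  no differences")
    return "\n".join(lines)


if __name__ == "__main__":
    # Reordered ACEs: invisible in 'section' view, visible in 'collision' view.
    print(report("DC1", DC1_ACES, "DC2", DC2_ACES, "section"))
    print(report("DC1", DC1_ACES, "DC2", DC2_ACES, "collision"))
    # A missing ACE is reported by both views.
    print(report("DC1", DC1_ACES, "DC3", DC3_ACES, "section"))
```

The 'section' view is the one to scan first when looking for ACEs that are actually absent or changed; switch to the 'collision' view when the counts match but ACL evaluation still behaves differently on the two DCs, since ACE order is then the remaining suspect.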


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-LDAPCmp-feature-to-compare-nTSecurityDescriptors.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100930/e92392f0/attachment.ksh>
