[PATCH] New LDAPCmp feature - compare security descriptors
zahari.zahariev at gmail.com
Wed Sep 29 19:41:04 MDT 2010
This is something that would come quite handy to people dealing with ACL
and security related issues around Samba4.
This new feature that enables LDAPCmp users to find unmatched or missing
ACEs in objects for the three naming contexts between DCs in one domain
(default) or different domains. Comparing security descriptors is not
the default action but attribute compatison. So to activate the new mode
there is --sd switch. However there are two view modes to the new --sd
action which are 'section' (default) or 'collision'. In 'section' mode
you can only find differences connected to missing or value unmatched
ACEs but not disorder unmatched if ACE values and count
are the same. All of the mentioned differences plus disorder ACE
unmatched you can observe under 'collision' view however it is more verbose.
In the links below you can see an example of both 'section' and
'collision' view for Samba4 DCs in two different domains x.x.x.14
(vampired from Win2008R1) and x.x.x.12 (vampired from Win2008R2). Here
* section view (default) - http://pastebin.com/F9XM7Nek
* collision view - http://pastebin.com/86SV6s20
P.S. Take in mind that passing no credentials is not very legal
(--username & --password) this can only pass against Samba4 (for now).
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
More information about the samba-technical