bugs in the (re)calculation of SDs ?

Matthieu Patou mat at samba.org
Tue Jun 14 07:58:00 MDT 2011


On 14/06/2011 02:44, Nadezhda Ivanova wrote:
> Hi Mat,
> As far as I remember, Matthias hard-coded the SD on Sites to compensate for
> a bug which I later fixed. It was a few months ago so I have forgotten the
> exact case, but I believe the problem was that because of an incorrect
> function for finding an object's partition, partitions inherited ACEs from
> the default naming context.
Well, obviously we still have a problem, as we are not able to calculate 
the same SD as the one that is hard-coded.
Did you push your fix to master?

I made a small analysis and got this:

w2k8r2
O:EAG:EA
D:
AI
(A;;RPLCLORC;;;AU)
(A;;RPWPCRCCLCLORCWOWDSW;;;EA)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)
(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)

recalculated
O:EAG:DU
D:
AI
(A;;RPLCLORC;;;AU)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)

in provision/__init__.py
"D:(A;;RPLCLORC;;;AU)" \
"(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
"(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \

in a new provision
O:EAG:DU
D:
AI
(A;;RPLCLORC;;;AU)
(A;;RPWPCRCCLCLORCWOWDSW;;;EA)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)


in a ~alpha11 provision
O:EAG:DU
D:
AI
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;;RPLCLORC;;;AU)
(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
(A;CIIOID;RPWPCRCCLCLORCWOWDSDSW;;;DA)


So it looks like the provision with the hard-coded ACL gives the best 
result (the most similar to Windows 2008); the difference can come from 
the different forest level (w2k3 against w2k8).


>   This was fixed, but I do not remember why the
> hard-coded SD remains, I'll take a look.

>   As for SACLs, their creation
> follows the general SD rules but I haven't really tested those as up to now
> they weren't of interest, as they mostly govern features such as auditing
> that Samba does not yet support, so it is possible something is still buggy
> there.
OK, maybe it's better not to check them? Or do you plan to fix it?
>   I'll get on IRC tomorrow and try to reproduce and analyze the issue.
> Just curious, what tool are you using to compare SDs?

There is a function in upgradehelpers: get_diff_sddls. It transforms the SD 
into SDDL, then chunks it and checks each chunk between the reference 
and the current provision.

For the moment the function doesn't pay attention to the order. I don't 
remember what the result of your talk with Microsoft about this was, but 
it might need a fix.


So, after this "bla bla", what's the plan?

Matthieu.
>
> Regards,
> Nadya
>
> On Tue, Jun 14, 2011 at 12:55 AM, Matthieu Patou<mat at samba.org>  wrote:
>
>> On 14/06/2011 01:35, Matthieu Patou wrote:
>>
>>> Hello Nadya, and all !
>>>
>>> I'm working one more time on upgradeprovision and I'm facing some
>>> "challenges" with the security descriptors.
>>> In the attached log you have the output of upgradeprovision after the
>>> second run on a given provision. At this point we expect the two provision
>>> to be quite similar. It's the case but the differences are on the SDs and
>>> they are not very small. This occur despite the fact that the first run has
>>> modified all the objects with the recalculate_sd control so *normaly* we
>>> should have the correct SD with the correct calculation method.
>>>
>>> Can you have a look ?
>>>
>>   OK, that's not that strange, I just didn't really call recalculate. I
>> still have this:
>>
>> On object CN=SMTP,CN=Inter-Site
>> Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
>> different
>>     Current ACL hasn't a sacl part
>>
>> On object CN=IP,CN=Inter-Site
>> Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
>> different
>>     Current ACL hasn't a sacl part
>>
>> On object
>> CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
>> ACL is different
>>     Current ACL hasn't a sacl part
>>
>> On object CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site
>> Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
>> different
>>     Current ACL hasn't a sacl part
>>
>> On object CN=Inter-Site
>> Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
>> different
>>     Current ACL hasn't a sacl part
>>
>> On object CN=Subnets,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
>> ACL is different
>>     Current ACL hasn't a sacl part
>>
>> On object
>> CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
>> ACL is different
>>     Current ACL hasn't a sacl part
>>
>> On object CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
>> different
>>     Part dacl is different between reference and current here is the detail:
>>         (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) ACE is not present in the
>> reference
>>         (A;;RPWPCRCCLCLORCWOWDSW;;;EA) ACE is not present in the current
>>     Current ACL hasn't a sacl part
>>
>> On object CN=NTDS
>> Settings,CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
>> ACL is different
>>     Current ACL hasn't a sacl part
>>
>> On object
>> CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
>> ACL is different
>>     Current ACL hasn't a sacl part
>>
>> On object CN=NTDS Site
>> Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
>> ACL is different
>>     Current ACL hasn't a sacl part
>>
>> So most of the objects are OK, but we have a couple where there is no sacl
>> part ...
>>
>> The difference on "Sites" is logical, as we don't do the usual ACL
>> calculation; the question is why in this changeset 8b9a08e1 (Matthias,
>> hello?) we started to hard-code it. Or more exactly, why aren't we able to
>> calculate it correctly (a question for dochelp, maybe).
>>
>>
>> Matthieu.
>>
>> -- 
>> Matthieu Patou
>> Samba Team        http://samba.org
>> Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
>>


-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
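The comparison described in the mail (turn the SD into SDDL, split it into owner/group/DACL/SACL, split each ACL into ACEs and report the chunks that exist on only one side), as an added example. This is not Samba's get_diff_sddls from upgradehelpers; the functions parse_sddl and diff_sddl and the check_order flag are this example's own names. The two descriptors it compares are the w2k8r2 and recalculated SDDL for CN=Sites quoted above; the small SACL and ordering inputs in the test are constructed.

```python
"""Compare two security descriptors given as SDDL strings, ACE by ACE.

Added example, not Samba's own get_diff_sddls: it splits each SDDL string
into owner, group, DACL and SACL and reports ACEs present on only one side,
in the same wording as the upgradeprovision output quoted in the mail.
"""
import re

# Inner text of every "(...)" ACE in a DACL or SACL body.
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _split_top_level(sddl):
    """Yield (marker, body) for each top-level O:/G:/D:/S: component.

    Only a ':' outside parentheses that is preceded by one of the four
    marker letters starts a component, so ACE fields are never mistaken
    for one.
    """
    starts = []
    depth = 0
    for i, ch in enumerate(sddl):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ":" and depth == 0 and i > 0 and sddl[i - 1] in "OGDS":
            starts.append(i - 1)
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(sddl)
        yield sddl[start], sddl[start + 2:end]


def parse_sddl(sddl):
    """Return {'owner', 'group', 'dacl', 'sacl'}.

    An ACL is None when that part is absent, otherwise
    {'flags': 'AI'/'P'/..., 'aces': ['(A;;...;;;AU)', ...]}.
    Whitespace is stripped first, so the one-ACE-per-line layout used in
    the mail can be pasted in directly.
    """
    sd = {"owner": None, "group": None, "dacl": None, "sacl": None}
    for marker, body in _split_top_level("".join(sddl.split())):
        if marker == "O":
            sd["owner"] = body
        elif marker == "G":
            sd["group"] = body
        else:
            paren = body.find("(")
            flags = body if paren < 0 else body[:paren]
            aces = ["(%s)" % a for a in _ACE_RE.findall(body)]
            sd["dacl" if marker == "D" else "sacl"] = {"flags": flags,
                                                        "aces": aces}
    return sd


def diff_sddl(reference, current, check_order=False):
    """Return a list of difference messages (empty when the SDs match).

    ACEs are matched without regard to order, as the mail describes.  With
    check_order=True an ACL holding the same ACEs in a different order is
    reported too: Windows evaluates ACEs sequentially, so a deny ACE that
    sits after the allow it was meant to override never takes effect.
    """
    ref, cur = parse_sddl(reference), parse_sddl(current)
    diffs = []
    for part in ("owner", "group"):
        if ref[part] != cur[part]:
            diffs.append("Part %s is different: reference %s, current %s"
                         % (part, ref[part], cur[part]))
    for part in ("dacl", "sacl"):
        r, c = ref[part], cur[part]
        if r is None and c is None:
            continue
        if c is None:
            diffs.append("Current ACL hasn't a %s part" % part)
            continue
        if r is None:
            diffs.append("Reference ACL hasn't a %s part" % part)
            continue
        if r["flags"] != c["flags"]:
            diffs.append("Part %s flags differ: reference %r, current %r"
                         % (part, r["flags"], c["flags"]))
        only_cur = [a for a in c["aces"] if a not in r["aces"]]
        only_ref = [a for a in r["aces"] if a not in c["aces"]]
        for a in only_cur:
            diffs.append("%s ACE is not present in the reference" % a)
        for a in only_ref:
            diffs.append("%s ACE is not present in the current" % a)
        if check_order and not only_cur and not only_ref \
                and r["aces"] != c["aces"]:
            diffs.append("Part %s has the same ACEs in a different order"
                         % part)
    return diffs


# SDDL of CN=Sites on Windows 2008 R2 and after Samba's recalculation,
# copied from the comparison in the mail above.
W2K8R2_SITES = """O:EAG:EA
D:
AI
(A;;RPLCLORC;;;AU)
(A;;RPWPCRCCLCLORCWOWDSW;;;EA)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)
(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)"""

RECALCULATED_SITES = """O:EAG:DU
D:
AI
(A;;RPLCLORC;;;AU)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)"""

if __name__ == "__main__":
    for line in diff_sddl(W2K8R2_SITES, RECALCULATED_SITES):
        print("    " + line)
```

Run against the two CN=Sites descriptors it reports the group change (EA versus DU), the DA ACE that only the recalculated SD has, and the EA and OA ACEs that only Windows has. Set comparison is what the mail says get_diff_sddls does today; the check_order flag is the caveat a reviewer would want, since two DACLs with the same ACEs can still grant different access once a deny ACE is out of canonical order (explicit deny, explicit allow, then the inherited ACEs).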