Python tests of Access Control Lists and Privileges

Richard Sharpe realrichardsharpe at
Mon Mar 26 09:18:54 MDT 2012

2012/3/26 Nadezhda Ivanova <nivanova at>:
> HI Richard,
> This is the approach most often taken when we worked on the DC acls. I would
> also suggest testing with permissions granted to the particular user, to a
> group, and testing conflicting permissions - granted to a group but
> forbidden to another group, with the user part of both for example. I know
> this is not an usual scenario, but we are talking security here :).
> I have not looked at your implementation and am a bit rusty in samba
> development, so forgive me if this is pointless, but I suggest you have a
> log for every access check that dumps the descriptors, it really helps to
> determine why a test has failed.

Thank you for your feedback. I don't yet have an implementation :-)
just some fixes to existing code so that I can implement something
that will fit into the existing framework.

Richard Sharpe

More information about the samba-technical mailing list