SDDL parsing errors (missing FA flag)
Andrew Bartlett
abartlet at samba.org
Sat Nov 10 19:55:58 MST 2012
On Tue, 2012-11-06 at 20:41 +0000, Alex Matthews wrote:
>
> I have just attempted to set the ACL on the sysvol directory using
> samba-tool ntacl set and got the following message:
>
> /usr/local/samba/var/locks# ../../bin/samba-tool ntacl set
> "D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)"
> sysvol -d 2
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Unknown flag - FA in FA
> Badly formatted SDDL
> 'AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)'
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to
> parse SDDL
> FA is listed on the Microsoft ACE String page as FILE_ALL_ACCESS
> (http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928(v=vs.85).aspx
> <http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928%28v=vs.85%29.aspx>)
>
> Is it correct that the sddl parser cannot parse FA?
Yes, that flag appears to be missing. Please file a bug, and/or patch
up libcli/security/sddl.c to handle that flag.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
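As an added illustration of the gap discussed in this thread (this is not Samba's libcli/security/sddl.c code), the following C sketch decodes the rights field of each ACE in an SDDL string, with FA mapped to FILE_ALL_ACCESS (Windows SDK value 0x001f01ff). The names rights_map, decode_rights and dacl_rights are hypothetical, and the table covers only the generic and file rights codes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* SDDL rights codes and their Windows access-mask values (subset). */
static const struct { const char *code; uint32_t mask; } rights_map[] = {
    {"GA", 0x10000000}, {"GX", 0x20000000}, {"GW", 0x40000000}, {"GR", 0x80000000},
    {"FA", 0x001f01ff},   /* FILE_ALL_ACCESS, the code rejected in the post */
    {"FR", 0x00120089}, {"FW", 0x00120116}, {"FX", 0x001200a0},
};

/* Decode one rights field: hex ("0x1200a9") or two-letter codes ("GXGR"). */
static int decode_rights(const char *s, size_t len, uint32_t *mask)
{
    const size_t n = sizeof(rights_map) / sizeof(rights_map[0]);
    *mask = 0;
    if (len > 2 && s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
        char *end;
        unsigned long v = strtoul(s, &end, 16);
        if (end != s + len || v > 0xffffffffUL) return -1;
        *mask = (uint32_t)v;
        return 0;
    }
    if (len % 2 != 0) return -1;
    for (size_t i = 0; i < len; i += 2) {
        size_t k = 0;
        while (k < n && strncmp(s + i, rights_map[k].code, 2) != 0) k++;
        if (k == n) return -1;          /* unknown code: fail, never guess */
        *mask |= rights_map[k].mask;
    }
    return 0;
}

/* Decode the rights of every ACE in an SDDL string; returns ACE count or -1. */
int dacl_rights(const char *sddl, uint32_t *out, int max)
{
    int n = 0;
    for (const char *p = strchr(sddl, '('); p; p = strchr(p, '(')) {
        p++;
        for (int f = 0; f < 2; f++) {   /* skip ace_type and ace_flags */
            p += strcspn(p, ";)");
            if (*p++ != ';') return -1;
        }
        size_t len = strcspn(p, ";)");
        if (p[len] != ';' || n == max || decode_rights(p, len, &out[n]) != 0)
            return -1;
        n++;
    }
    return n;
}
```

Run against the DACL quoted above, the two (A;ID;FA;;;...) ACEs decode to 0x001f01ff, and the hex form 0x1200a9 on the AU and SO ACEs equals FR|FX.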