SDDL parsing errors (missing FA flag)

Andrew Bartlett abartlet at samba.org
Sat Nov 10 19:55:58 MST 2012


On Tue, 2012-11-06 at 20:41 +0000, Alex Matthews wrote:

> 
> I have just attempted to set the ACL on the sysvol directory using 
> samba-tool ntacl set and got the following message:
> 
> /usr/local/samba/var/locks# ../../bin/samba-tool ntacl set 
> "D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)" 
> sysvol -d 2
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Unknown flag - FA in FA
> Badly formatted SDDL 
> 'AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)'
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to 
> parse SDDL

> FA is listed on the Microsoft ACE String page as FILE_ALL_ACCESS 
> (http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928(v=vs.85).aspx)
> 
> Is it correct that the sddl parser cannot parse FA?

Yes, that flag appears to be missing.  Please file a bug, and/or patch
up libcli/security/sddl.c to handle that flag.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
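
Added example (not part of the original message, and not code from Samba's libcli/security/sddl.c): a minimal C decoder for the rights field of an SDDL ACE, showing how the two-letter codes, FA included, map to access masks and how an unlisted code is rejected. The table contents come from Microsoft's documented mask values; the names `rights` and `decode_rights` are illustrative assumptions, and only generic and file rights are covered.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Rights codes and masks as documented by Microsoft (generic and file only). */
static const struct { const char *code; uint32_t mask; } rights[] = {
    { "GA", 0x10000000 }, /* GENERIC_ALL */
    { "GR", 0x80000000 }, /* GENERIC_READ */
    { "GW", 0x40000000 }, /* GENERIC_WRITE */
    { "GX", 0x20000000 }, /* GENERIC_EXECUTE */
    { "FA", 0x001F01FF }, /* FILE_ALL_ACCESS */
    { "FR", 0x00120089 }, /* FILE_GENERIC_READ */
    { "FW", 0x00120116 }, /* FILE_GENERIC_WRITE */
    { "FX", 0x001200A0 }, /* FILE_GENERIC_EXECUTE */
};

/* Decode one ACE rights field ("FA", "GXGR", "0x1200a9"); 0 on success, -1 on error. */
int decode_rights(const char *s, uint32_t *mask)
{
    size_t n = sizeof(rights) / sizeof(rights[0]);
    *mask = 0;
    if (strncmp(s, "0x", 2) == 0) {           /* numeric form */
        char *end;
        unsigned long v = strtoul(s, &end, 16);
        if (*end != '\0' || v > 0xFFFFFFFFUL) return -1;
        *mask = (uint32_t)v;
        return 0;
    }
    for (; *s != '\0'; s += 2) {              /* symbolic form, two chars per flag */
        size_t i;
        for (i = 0; i < n; i++)
            if (strncmp(s, rights[i].code, 2) == 0) break;
        if (i == n) return -1;                /* flag missing from the table */
        *mask |= rights[i].mask;
    }
    return 0;
}

int main(void)
{
    /* Rights fields taken from the ACEs in the SDDL string quoted above. */
    const char *fields[] = { "0x1200a9", "GXGR", "FA", "GA" };
    for (size_t i = 0; i < 4; i++) {
        uint32_t m;
        if (decode_rights(fields[i], &m) == 0) printf("%-8s -> 0x%08x\n", fields[i], (unsigned)m);
        else printf("%-8s -> unknown flag\n", fields[i]);
    }
    return 0;
}
```

With this table the numeric field 0x1200a9 from the quoted ACL is the same mask as the symbolic pair FRFX, and removing the FA row makes "FA" fail with an unknown-flag error.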



