[PATCH] s4-dsacl: Fixed incorrect handling of privileges in sec_access_check_ds (was: [PATCH] s4-dsacl: Removed unnecessary privilege checks from sec_access_check_ds)

Nadezhda Ivanova nivanova at samba.org
Mon Oct 21 05:36:18 MDT 2013

Hi team,
Attached is a re-worked version of the patch that fixes handling of
Administrator privileges in access_check. The test in ldap.py is wrong, it
also fails against windows, and with good reason - the test breaks the
inheritance and changes the owner and group to an unexisting SID, therefore
cutting read access for everyone in the domain, it only passed before
because of the incorrect use of restore privilege. The new patch fixes that
problem, and adds correct use of the TakeOwnership privilege as described
in MS-DTYP Access Check Algorithm Pseudocode.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-dsacl-Fixed-incorrect-handling-of-privileges-in-s.patch
Type: application/octet-stream
Size: 4443 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131021/abf19bee/attachment.obj>

More information about the samba-technical mailing list