ldap object access controls

Nadezhda Ivanova nivanova at samba.org
Fri May 4 12:51:36 UTC 2018

Not to mention it's not very easy :). Even in the decoded form, you need 
to know which SIDs mean which accounts, which GUIDs mean which property 
sets or objects, and you need to be aware of the rules of ordering. 
Information of nTSecurityDescriptor can be found in MS-ADTS (Somewhere 
in section 5), and MS-DTYP. Scripts or tools are the way to go.

On 05/04/2018 03:26 PM, Denis Cardon via samba-technical wrote:
> Hi William,
> I don't think it is advisable to directly edit the ntSecurityDescriptor 
> attributes. If you don't mind using some python, you can get some 
> inspiration from Andrew's mitigation script for CVE-2018-1057 mitigation 
> [1]. I used it as a basis for implementing some ACL handling at clients 
> recently.
> Cheers,
> Denis
> [1] https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_helper
>> Thank you!

More information about the samba-technical mailing list