[PATCH] samba-tool schema attribute query_oc

William Brown william at blackhats.net.au
Mon May 14 03:02:23 UTC 2018


On Wed, 2018-05-09 at 10:40 +1200, Andrew Bartlett wrote:
> Taking a look over this for the first time, I noticed this:
> 
> On Wed, 2018-05-02 at 10:18 +1200, William Brown via samba-technical
> wrote:
> > 0x1: create an equality index for this attribute.
> > +    0x2: create a container index for this attribute (ie OU).
> > +    0x4: specify that this attribute is a member of the ambiguous
> > name
> > +         resolution set.
> > +    0x8: indicate that the value of this attribute should be
> > preserved when
> > +         the object is converted to a tombstone (deleted).
> > +    0x10: hint to clients that this attribute should be copied.
> > +    0x20: create a tuple index for this attribute. This is used in
> > substring
> > +          queries.
> > +    0x40: create a browsing index for this attribute. VLV searches
> > require this.
> > +    0x80: indicate that the attribute is confidental and requires
> > special access
> > +          checks.
> > +    0x100: indicate that changes to this value should NOT be
> > audited.
> > +    0x200: indicate that this value should not be replicated to
> > RODCs.
> > +    0x400: indicate to the DC to perform extra link tracking.
> > +    0x800: indicate that this attribute should only be displayed
> > when the search
> > +           scope of the query is SCOPE_BASE or a single object
> > result.
> > +    0x1000: indicate that this attribute is a partition secret and
> > requires
> > +            special access checks.
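Review bot: In the 0x80 entry, "confidental" should be "confidential". The list also gives only raw hex values, so consider putting the symbolic name from python/samba/ms_schema.py beside each one (fATTINDEX for 0x1, fCONFIDENTIAL for 0x80, and so on). The bitFields table quoted in this thread stops at fRODCAttribute (0x200), so the text should also say whether the 0x400, 0x800 and 0x1000 entries are acted on or only stored.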
> 
> I think we should ensure the flags are modified by string (eg fI, not
> by integer (so we don't have magic int values in scripts that will be
> written around this) and just support the values that Samba supports
> for now. 
> 
> Please use these names from python/samba/ms_schema.py:
> 
> # ADTS: 2.2.9
> # bit positions as labeled in the docs
> bitFields["searchflags"] = {
>     'fATTINDEX': 31,         # IX
>     'fPDNTATTINDEX': 30,     # PI
>     'fANR': 29,  # AR
>     'fPRESERVEONDELETE': 28,         # PR
>     'fCOPY': 27,     # CP
>     'fTUPLEINDEX': 26,       # TP
>     'fSUBTREEATTINDEX': 25,  # ST
>     'fCONFIDENTIAL': 24,     # CF
>     'fNEVERVALUEAUDIT': 23,  # NV
>     'fRODCAttribute': 22,    # RO
> 
> 
>     # missing in ADTS but required by LDIF
>     'fRODCFilteredAttribute': 22,    # RO ?
>     'fCONFIDENTAIL': 24, # typo
>     'fRODCFILTEREDATTRIBUTE': 22 # case
>     }
> 
> 
> The rest looks quite useful and reasonable, but I need to look over it
> again more carefully.

So that section you mention is documentation, not code. To be sure of
what you are asking:

Do you want the documentation updated to match the bit positions?

Or are you asking that the command take the "named bit location" and
then ORs the result to create the schema behaviour value? IE:

/usr/local/samba/bin/samba-tool schema attribute modify --searchflags="fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"

I suspect this is your request, but I want to be sure,

Thanks, 

William
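
The name-to-value conversion discussed in this message, as an added example that is not part of the original mail and is not samba-tool code. The function names are hypothetical, and the bit positions are copied from the ms_schema.py excerpt quoted above. It assumes positions count from the most significant bit of a 32-bit field, which matches the hex values in the quoted help text.

```python
# Added example; function names are hypothetical, not samba-tool's own.
# Bit positions copied from the ms_schema.py excerpt quoted in this thread
# (the typo and case aliases listed there are deliberately left out).
SEARCHFLAG_BITS = {
    'fATTINDEX': 31,
    'fPDNTATTINDEX': 30,
    'fANR': 29,
    'fPRESERVEONDELETE': 28,
    'fCOPY': 27,
    'fTUPLEINDEX': 26,
    'fSUBTREEATTINDEX': 25,
    'fCONFIDENTIAL': 24,
    'fNEVERVALUEAUDIT': 23,
    'fRODCAttribute': 22,
}


def flag_value(name):
    """Integer value of one named flag.

    Assumption: positions are numbered from the most significant bit of a
    32-bit field, so position 31 is 0x1. This agrees with the quoted help
    text (0x1 equality index ... 0x200 not replicated to RODCs).
    """
    return 1 << (31 - SEARCHFLAG_BITS[name])


def parse_searchflags(spec):
    """OR together a comma-separated list of flag names; reject unknowns."""
    value = 0
    for name in (part.strip() for part in spec.split(',')):
        if name not in SEARCHFLAG_BITS:
            raise ValueError("unknown searchFlags name: %r" % name)
        value |= flag_value(name)
    return value


def describe_searchflags(value):
    """Return (names set in value, leftover bits that have no name here)."""
    names = [n for n in SEARCHFLAG_BITS if value & flag_value(n)]
    named_bits = 0
    for n in names:
        named_bits |= flag_value(n)
    return names, value & ~named_bits


if __name__ == "__main__":
    v = parse_searchflags("fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL")
    print(hex(v), describe_searchflags(v))
```

Rejecting unknown names means a misspelling such as fCONFIDENTAIL raises an error instead of silently leaving the confidential bit unset.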


