[Samba] Need SDDL Format Security Descriptor (using libsmbclient.so)

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Wed Jan 8 21:32:31 UTC 2025


hi Nirmit,

This kind of question is probably best asked on the Samba Technical mailing list
(https://lists.samba.org/mailman/listinfo/samba-technical), which I will CC.

On 9/01/25 02:04, Nirmit Kansal via samba wrote:
> I am using smbc_getxattr() function (in libsmbclient.so) with the "system.nt_sec_desc" attribute to retrieve the security
descriptor, but this is not providing the descriptor information in SDDL format.
> Also, I am not able to find any attribute in smbc_getxattr() which can provide SDDL format.
> 
> I need to use the ACLs information extracted from smbc_getxattr() into windows SDK APIs such as
ConvertStringSecurityDescriptorToSecurityDescriptorW() / ConvertStringSecurityDescriptorToSecurityDescriptorA(), for
which SDDL is required as input.
> 
> So, I am struggling to get SDDL format security descriptor using smbc_getxattr() APIs. Is there any known resolution
to this? Do we have any API available in libsmbclient.so which can convert output value received from smbc_getxattr()
into SDDL format?
> 
> Any help is highly appreciated.

I don't know much about libsmbclient, but I know we do SDDL encoding in
sddl_encode() in libcli/security/sddl.c. It might not be publicly exposed.

It should also be possible to cast a Samba security descriptor to a Windows
one using the NDR wire format rather than SDDL.

cheers,
Douglas




More information about the samba-technical mailing list