Need Security Descriptor in SDDL Format (using libsmbclient.so)

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Fri Jan 24 03:36:39 UTC 2025


On 9/01/25 19:19, Nirmit Kansal via samba-technical wrote:
> I am using the smbc_getxattr() function (from libsmbclient.so) with the system.nt_sec_desc attribute to retrieve the security descriptor. However, the retrieved descriptor is in binary format, not in SDDL. Additionally, I couldn't find any attribute in smbc_getxattr() that directly provides the security descriptor in SDDL format.
> I need the ACL information in SDDL format to use with Windows SDK APIs like ConvertStringSecurityDescriptorToSecurityDescriptorW() or ConvertStringSecurityDescriptorToSecurityDescriptorA(), which require SDDL as input.
> Is there a way to obtain the security descriptor in SDDL format using libsmbclient.so, or an API available in Samba to convert the binary descriptor retrieved by smbc_getxattr() into SDDL format?
> Any guidance would be greatly appreciated.

OK, it seems like we don't offer that in a public library, which is sort 
of a shame, because we have by far the most complete SDDL encoder and 
compiler outside of Windows. (OTOH, I am happy, because maintaining 
public APIs is a real nuisance).

We do export it in Python however, using `sd.as_sddl(domain_sid)`, as 
seen in this context:

https://gitlab.com/samba-team/devel/samba/-/blob/master/python/samba/tests/sddl.py?ref_type=heads#L75

In an earlier message I wrote:

>> It should also be possible to cast a Samba security descriptor to a Windows
>> one using the NDR wire format rather than SDDL.

I still think this might be the way to go. It isn't common to transfer 
security descriptors as SDDL. Usually Windows and Samba just pass the 
bytes back and forth.

Douglas
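
An added example, not part of the original message and not Samba code: a small pure-Python converter from a self-relative binary security descriptor (the NDR wire format mentioned above) to SDDL. It assumes the blob uses that layout, handles only owner, group and basic allow/deny DACL ACEs (no SACL, object or conditional ACEs), and writes SIDs and access masks numerically; the names sd_to_sddl and SAMPLE_SD and the sample bytes are constructed for illustration.

```python
import struct

# Constructed sample: owner S-1-5-32-544, group S-1-5-18, one inheritable allow ACE
SAMPLE_SD = bytes.fromhex(
    "0100048014000000240000000000000030000000"  # header, control = 0x8004
    "01020000000000052000000020020000" "010100000000000512000000"  # owner, group
    "02001c0001000000" "00031400ff011f00" "010100000000000100000000")  # ACL, ACE
# ACE flag bits and the SDDL strings that represent them
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"),
             (0x10, "ID"), (0x40, "SA"), (0x80, "FA")]
ACE_TYPES = {0x00: "A", 0x01: "D"}  # only basic allow/deny ACEs are handled

def sid_str(buf, off):
    """Decode the binary SID at buf[off:] into S-1-... form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if rev != 1 or count > 15 or off + 8 + 4 * count > len(buf):
        raise ValueError("bad SID")
    auth = int.from_bytes(buf[off + 2:off + 8], "big")  # authority is big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", "1", str(auth)] + [str(s) for s in subs])

def acl_sddl(buf, off):
    """Render every ACE of the ACL at buf[off:] as an SDDL ACE string."""
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    end, pos, out = off + size, off + 8, []
    for _ in range(count):
        atype, aflags, asize = struct.unpack_from("<BBH", buf, pos)
        if asize < 16 or pos + asize > end:
            raise ValueError("ACE overruns ACL")
        if atype not in ACE_TYPES:
            raise ValueError("unsupported ACE type 0x%02x" % atype)
        mask, = struct.unpack_from("<I", buf, pos + 4)
        flags = "".join(s for bit, s in ACE_FLAGS if aflags & bit)
        out.append("(%s;%s;0x%x;;;%s)"
                   % (ACE_TYPES[atype], flags, mask, sid_str(buf, pos + 8)))
        pos += asize
    return "".join(out)

def sd_to_sddl(buf):
    """Convert a self-relative security descriptor to SDDL (owner, group, DACL)."""
    rev, _sbz, control, o_own, o_grp, _o_sacl, o_dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:  # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative security descriptor")
    sddl = ("O:" + sid_str(buf, o_own)) if o_own else ""
    sddl += ("G:" + sid_str(buf, o_grp)) if o_grp else ""
    if control & 0x0004 and o_dacl:  # SE_DACL_PRESENT
        sddl += "D:" + ("P" if control & 0x1000 else "")  # protected DACL
        sddl += ("AI" if control & 0x0400 else "") + acl_sddl(buf, o_dacl)
    return sddl
```

An unsupported ACE type raises ValueError rather than being dropped, so a descriptor is never silently converted into a more permissive SDDL string.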



