Need Security Descriptor in SDDL Format (using libsmbclient.so)
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Fri Jan 24 03:36:39 UTC 2025
On 9/01/25 19:19, Nirmit Kansal via samba-technical wrote:
> I am using the smbc_getxattr() function (from libsmbclient.so) with the system.nt_sec_desc attribute to retrieve the security descriptor. However, the retrieved descriptor is in binary format, not in SDDL. Additionally, I couldn't find any attribute in smbc_getxattr() that directly provides the security descriptor in SDDL format.
> I need the ACL information in SDDL format to use with Windows SDK APIs like ConvertStringSecurityDescriptorToSecurityDescriptorW() or ConvertStringSecurityDescriptorToSecurityDescriptorA(), which require SDDL as input.
> Is there a way to obtain the security descriptor in SDDL format using libsmbclient.so, or an API available in Samba to convert the binary descriptor retrieved by smbc_getxattr() into SDDL format?
> Any guidance would be greatly appreciated.
OK, it seems like we don't offer that in a public library, which is sort
of a shame, because we have by far the most complete SDDL encoder and
compiler outside of Windows. (OTOH, I am happy, because maintaining
public APIs is a real nuisance).

We do export it in Python however, using `sd.as_sddl(domain_sid)`, as
seen in this context:
https://gitlab.com/samba-team/devel/samba/-/blob/master/python/samba/tests/sddl.py?ref_type=heads#L75

In an earlier message I wrote:
>> It should also be possible to cast a Samba security descriptor to a Windows
>> one using the NDR wire format rather than SDDL.

I still think this might be the way to go. It isn't common to transfer
security descriptors as SDDL. Usually Windows and Samba just pass the
bytes back and forth.
Douglas
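
An added example, not part of the message above and not Samba's encoder: a stand-alone Python sketch of the bytes-to-SDDL conversion the thread asks about, assuming the input is a self-relative security descriptor. It emits numeric SIDs and hex access masks rather than SDDL aliases, handles only basic allow/deny ACEs, and does not render a SACL; all function names and the sample bytes are constructed for illustration.

```python
import struct

# Bit -> SDDL token tables for the subset handled here.
DACL_FLAGS = [(0x1000, "P"), (0x0100, "AR"), (0x0400, "AI")]
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
ACE_TYPES = {0x00: "A", 0x01: "D"}  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE

def flags(value, table):
    return "".join(tok for bit, tok in table if value & bit)

def sid_str(buf, off):
    """Decode the binary SID at buf[off:] to S-1-... form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def acl_str(buf, off):
    """Render every ACE of the ACL at buf[off:] as an SDDL ACE string."""
    ace_count = struct.unpack_from("<BBHHH", buf, off)[3]
    pos, out = off + 8, []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type not in ACE_TYPES or ace_flags & ~0x1F:
            # Object, callback and audit ACEs carry more fields: refuse, don't guess.
            raise ValueError("unsupported ACE at offset %d" % pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        out.append("(%s;%s;0x%08x;;;%s)" % (ACE_TYPES[ace_type],
                   flags(ace_flags, ACE_FLAGS), mask, sid_str(buf, pos + 8)))
        pos += ace_size
    return "".join(out)

def sd_to_sddl(buf):
    """Self-relative security descriptor bytes -> SDDL (owner, group, DACL)."""
    rev, _, control, o_off, g_off, _sacl, d_off = struct.unpack_from("<BBHIIII", buf)
    if rev != 1 or not control & 0x8000:  # SE_SELF_RELATIVE
        raise ValueError("not a revision 1 self-relative descriptor")
    sddl = ("O:" + sid_str(buf, o_off) if o_off else "")
    sddl += ("G:" + sid_str(buf, g_off) if g_off else "")
    if control & 0x0004 and d_off:  # SE_DACL_PRESENT
        sddl += "D:" + flags(control, DACL_FLAGS) + acl_str(buf, d_off)
    return sddl  # a SACL, if any, is not rendered by this sketch

# Constructed sample: owner S-1-5-32-544, group S-1-5-18, protected DACL, 2 ACEs.
SAMPLE_SD = bytes.fromhex(
    "0100049014000000240000000000000030000000"                  # 20-byte header
    "01020000000000052000000020020000010100000000000512000000"  # owner, group
    "020034000200000000031400a9001200010100000000000100000000"  # ACL hdr, ACE 1
    "00001800ff011f0001020000000000052000000020020000")         # ACE 2
```

`sd_to_sddl(SAMPLE_SD)` yields a string that can be passed as the SDDL input mentioned in the question; descriptors containing ACE types outside the handled subset raise `ValueError` instead of producing a lossy string.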