After enabling "Advanced Features" within ADUC, you can modify the permissions on an object using the Security tab under the object's Properties. After modification of an object's security permissions, the object no longer has entries for the owner or group in the SDDL.

After creating an OU named "Test", the nTSecurityDescriptor attribute SDDL (via ldbedit) is:

nTSecurityDescriptor: O:S-1-5-21-897925077-3092286936-1868834081-500G:S-1-5-21-897925077-3092286936-1868834081-513D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-897925077-3092286936-1868834081-512)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;RPLCLORC;;;ED)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)

After granting Read privileges to Backup Operators on OU Test, the nTSecurityDescriptor attribute SDDL (via ldbedit) is now:

nTSecurityDescriptor: D:AR(A;;RPLCLORC;;;AU)(A;;RPLCRC;;;S-1-5-32-551)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-897925077-3092286936-1868834081-512)(A;;RPLCLORC;;;ED)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)

Notice how the new SDDL contains DACL ACEs, but no owner or group. Looking at the Owner tab in the Advanced security settings for Test shows "Unable to display current owner." as the current owner.
Created attachment 4198: Capture of modify operation

The attached capture shows the modify request in frame 414. Note that there is no data for owner SID, group SID, or SACL (no offsets to any of those contained in the NT Security Descriptor).
After looking into this some more, it appears that security descriptor LDAP operations (add, modify, search) are controlled by an SD flags control (LDAP_SERVER_SD_FLAGS_OID). See the following for details:

http://msdn.microsoft.com/en-us/library/cc223733(PROT.10).aspx
http://msdn.microsoft.com/en-us/library/aa814227(VS.85).aspx

In frame 414 of the previously attached capture, the last 4 bits of the LDAP_SERVER_SD_FLAGS_OID controlValue (4) indicate that the modify request specifies the modify is for the DACL of the SD.
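An added example (not code from this report or from Samba) that models the behaviour described above at the SDDL level: it splits a descriptor into its O:/G:/D:/S: components, shows how a whole-descriptor replacement drops the owner and group when the client sends only a DACL with SD flags = 4, and how honouring the SD flags control keeps them. The flag bits are the standard OWNER/GROUP/DACL/SACL_SECURITY_INFORMATION values; the sample descriptors are constructed, shortened from the ones in this report, and treating an absent control as "all four parts" is an assumption of this example.

```python
import re

# SD flags control (LDAP_SERVER_SD_FLAGS_OID) bits.
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8
ALL_SECURITY_INFORMATION = 0xF  # assumed meaning of "no control sent"

# Colons only occur in SDDL at the O:, G:, D:, S: component separators.
_PART_RE = re.compile(r"([OGDS]):")


def parse_sddl(sddl):
    """Split an SDDL string into {letter: text} for the O/G/D/S parts.

    Owner/group map to a SID string; D/S map to flags plus the ACE list.
    Parts that are absent from the string are absent from the dict.
    """
    parts = {}
    matches = list(_PART_RE.finditer(sddl))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    return parts


def build_sddl(parts):
    """Reassemble the parts in canonical O, G, D, S order."""
    return "".join(f"{k}:{parts[k]}" for k in "OGDS" if k in parts)


def naive_modify(stored_sddl, incoming_sddl, sd_flags):
    """Buggy behaviour from the report: ignore sd_flags, replace the SD."""
    return incoming_sddl


def apply_modify(stored_sddl, incoming_sddl, sd_flags):
    """Replace only the parts selected by sd_flags; keep the rest stored.

    Simplification: a selected part missing from the incoming SD is
    removed, as if the client sent an empty part for it.
    """
    stored, incoming = parse_sddl(stored_sddl), parse_sddl(incoming_sddl)
    for letter, bit in zip("OGDS", (0x1, 0x2, 0x4, 0x8)):
        if sd_flags & bit:
            if letter in incoming:
                stored[letter] = incoming[letter]
            else:
                stored.pop(letter, None)
    return build_sddl(stored)


def missing_owner_or_group(sddl):
    """Check for the symptom seen in ADUC: no owner or group stored."""
    parts = parse_sddl(sddl)
    return "O" not in parts or "G" not in parts


# Constructed samples, shortened from the descriptors in this report.
STORED = ("O:S-1-5-21-897925077-3092286936-1868834081-500"
          "G:S-1-5-21-897925077-3092286936-1868834081-513"
          "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)")
INCOMING = "D:AR(A;;RPLCLORC;;;AU)(A;;RPLCRC;;;S-1-5-32-551)"
```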
Andrew Kroeger: did you consider writing a patch?
Did the new LDB module (descriptor) change something here or solve the problem?
I don't know for Andrew K, but for me it's the case even with a freshly provisioned Samba!
I also claim that the problem still persists (a quick test shows it). Hopefully someone skilled (like Nadezhda) wants to take this and write a fix.
Are we any further here?
Descriptor creation does not work on modify. I am working on this at the moment, should be fixed soon.
I have added support for sd_flags control and fixed some major bugs on modify, so there is a very good chance this is fixed. Could someone try? I am not sure how to reproduce it.
Retested - it's fixed. Thank you very much, Nadya!