Bug 6401 - Modification of nTSecurityDescriptor attribute removes owner and group
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Blocks: 6600
Reported: 2009-05-24 15:41 UTC by Andrew Kroeger
Modified: 2009-11-26 04:48 UTC

See Also:

Attachment: Capture of modify operation (164.80 KB, application/octet-stream), 2009-05-24 15:45 UTC, Andrew Kroeger

Description Andrew Kroeger 2009-05-24 15:41:04 UTC
After enabling "Advanced Features" within ADUC, you can modify the permissions on an object using the Security tab under the object's Properties.  After modification of an object's security permissions, the object no longer has entries for the owner or group in the SDDL.

After creating an OU named "Test", the nTSecurityDescriptor attribute SDDL (via ldbedit) is:

nTSecurityDescriptor: O:S-1-5-21-897925077-3092286936-1868834081-500G:S-1-5-21

After granting Read privileges to Backup Operators on OU Test, the nTSecurityDescriptor attribute SDDL (via ldbedit) is now:

nTSecurityDescriptor: D:AR(A;;RPLCLORC;;;AU)(A;;RPLCRC;;;S-1-5-32-551)(A;;RPWP

Notice how the new SDDL contains DACL ACEs, but no owner or group.  Looking at the Owner tab in the Advanced security settings for Test shows "Unable to display current owner." as the current owner.
Comment 1 Andrew Kroeger 2009-05-24 15:45:19 UTC
Created attachment 4198
Capture of modify operation

The attached capture shows the modify request in frame 414.  Note that there is no data for owner SID, group SID, or SACL (no offsets to any of those contained in the NT Security Descriptor).
Comment 2 Andrew Kroeger 2009-05-24 16:52:11 UTC
After looking into this some more, it appears that security descriptor LDAP operations (add, modify, search) are controlled by an SD flags control (LDAP_SERVER_SD_FLAGS_OID).

See the following for details:

In frame 414 of the previously attached capture, the last 4 bits of the LDAP_SERVER_SD_FLAGS_OID controlValue (4) indicate that the modify request specifies the modify is for the DACL of the SD.
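As an added illustration (not code from the report or from Samba) of what the SD flags control means for the server: a modify whose controlValue has only the DACL bit (4) set should replace just the DACL and keep the stored owner, group and SACL, whereas storing the client's descriptor as-is yields exactly the ownerless SDDL shown above. The flag bit values are the standard SECURITY_INFORMATION constants; the domain SIDs in the sample are constructed.

```python
import re

# Bits of the LDAP_SERVER_SD_FLAGS_OID controlValue (the Windows
# SECURITY_INFORMATION values); the capture in this bug carried 4 = DACL only.
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8

# SDDL section prefix -> flag that permits the client to replace that section.
SECTION_FLAGS = {"O": OWNER_SECURITY_INFORMATION, "G": GROUP_SECURITY_INFORMATION,
                 "D": DACL_SECURITY_INFORMATION, "S": SACL_SECURITY_INFORMATION}

def parse_sddl(sddl):
    """Split SDDL into its O:, G:, D:, S: sections. ACEs use ';' and SIDs use
    '-', so a section letter followed by ':' only ever starts a section."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}

def to_sddl(parts):
    return "".join(f"{k}:{parts[k]}" for k in "OGDS" if k in parts)

def merge_modify(stored_sddl, client_sddl, sd_flags):
    """Correct server behaviour: take only the sections selected by sd_flags
    from the client's descriptor and keep everything else from the stored one.
    The bug reported here is equivalent to storing client_sddl unchanged."""
    stored, client = parse_sddl(stored_sddl), parse_sddl(client_sddl)
    merged = dict(stored)
    for section, flag in SECTION_FLAGS.items():
        if sd_flags & flag:
            if section in client:
                merged[section] = client[section]
            else:
                merged.pop(section, None)
    return to_sddl(merged)

def missing_sections(sddl):
    """Check to run over ldbedit output: which of owner/group are absent."""
    return [s for s in ("O", "G") if s not in parse_sddl(sddl)]

# Constructed sample values (the domain SIDs are made up, not from the report).
STORED = ("O:S-1-5-21-111-222-333-500G:S-1-5-21-111-222-333-513"
          "D:AI(A;;RPLCLORC;;;AU)S:AI(AU;SA;WP;;;WD)")
# The client sends only a DACL granting read to Backup Operators (S-1-5-32-551).
CLIENT = "D:AR(A;;RPLCLORC;;;AU)(A;;RPLCRC;;;S-1-5-32-551)"

if __name__ == "__main__":
    print("stored as-is, missing:", missing_sections(CLIENT))
    print("merged:", merge_modify(STORED, CLIENT, DACL_SECURITY_INFORMATION))
```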
Comment 3 Matthias Dieter Wallnöfer 2009-08-01 13:42:26 UTC
Andrew Kroeger: did you consider writing a patch?
Comment 4 Matthias Dieter Wallnöfer 2009-09-25 05:47:06 UTC
Did the new LDB module (descriptor) change something here or solve the problem?
Comment 5 Matthieu Patou 2009-09-25 07:18:34 UTC
I don't know about Andrew K, but for me it's the case even with a freshly provisioned Samba!
Comment 6 Matthias Dieter Wallnöfer 2009-09-28 11:09:58 UTC
I also claim that the problem still persists (a quick test shows it). Hopefully someone skilled (like Nadezhda) wants to take this and write a fix.
Comment 7 Matthias Dieter Wallnöfer 2009-11-12 04:44:18 UTC
Are we any further here?
Comment 8 Nadezhda Ivanova 2009-11-12 05:05:19 UTC
Descriptor creation does not work on modify. I am working on this at the moment, should be fixed soon.
Comment 9 Nadezhda Ivanova 2009-11-20 05:39:05 UTC
I have added support for sd_flags control and fixed some major bugs on modify, so there is a very good chance this is fixed. Could someone try? I am not sure how to reproduce it.
Comment 10 Matthias Dieter Wallnöfer 2009-11-26 04:48:33 UTC
Retested - it's fixed. Thank you very much, Nadya!