6401 – Modification of nTSecurityDescriptor attribute removes owner and group

Bug 6401 - Modification of nTSecurityDescriptor attribute removes owner and group

Summary: Modification of nTSecurityDescriptor attribute removes owner and group

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.0
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	unspecified
Hardware:	Other Linux

Importance:	P3 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	samba4-qa@samba.org

URL:
Keywords:

Depends on:
Blocks:	6600
	Show dependency tree / graph

Reported:	2009-05-24 15:41 UTC by Andrew Kroeger
Modified:	2009-11-26 04:48 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Capture of modify operation (164.80 KB, application/octet-stream) 2009-05-24 15:45 UTC, Andrew Kroeger	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Kroeger 2009-05-24 15:41:04 UTC

After enabling "Advanced Features" within ADUC, you can modify the permissions on an object using the Security tab under the object's Properties.  After modification of an object's security permissions, the object no longer has entries for the owner or group in the SDDL.

After creating an OU named "Test", the nTSecurityDescriptor atrtibute SDDL (via ldbedit) is:

nTSecurityDescriptor: O:S-1-5-21-897925077-3092286936-1868834081-500G:S-1-5-21
 -897925077-3092286936-1868834081-513D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;
 ;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-897925077-3092286936-1868834081-512)(O
 A;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aba-0de6-11d0
 -a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA
 ;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(A;;RPLCLORC;;;AU)(A;;RPLCLOR
 C;;;ED)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)

After granting Read privileges to Backup Operators on OU Test, the nTSecurityDescriptor atrtibute SDDL (via ldbedit) is now:

nTSecurityDescriptor: D:AR(A;;RPLCLORC;;;AU)(A;;RPLCRC;;;S-1-5-32-551)(A;;RPWP
 CRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-897925077-3092286936-1868834081-512)(A;;RPL
 CLORC;;;ED)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(OA;;CCDC;4828cc14-1437-45bc-9
 b07-ad6f015e5f28;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;
 CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a86-0de6-11d0-a2
 85-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)

Notice how the new SDDL contains DACL ACE's, but no owner or group.  Looking at the Owner tab in the Advanced security settings for Test shows "Unable to display current owner." as the current owner.

Comment 1 Andrew Kroeger 2009-05-24 15:45:19 UTC

Created attachment 4198 [details]
Capture of modify operation

The attached capture shows the modify request in frame 414.  Note that there is no data for owner SID, group SID, or SACL (no offsets to any of those contained in the NT Security Descriptor).

Comment 2 Andrew Kroeger 2009-05-24 16:52:11 UTC

After looking into this some more, it appears that security descriptor LDAP operations (add, modify, search) are controlled by an SD flags control (LDAP_SERVER_SD_FLAGS_OID).

See the following for details:
http://msdn.microsoft.com/en-us/library/cc223733(PROT.10).aspx
http://msdn.microsoft.com/en-us/library/aa814227(VS.85).aspx

In frame 414 of the previously attached capture, the last 4 bits of the LDAP_SERVER_SD_FLAGS_OID controlValue (4) indicate that the modify request specifies the modify is for the DACL of the SD.

Comment 3 Matthias Dieter Wallnöfer 2009-08-01 13:42:26 UTC

Andrew Kroeger: did you consider to write a patch?

Comment 4 Matthias Dieter Wallnöfer 2009-09-25 05:47:06 UTC

Did the new LDB module (descriptor) change something here or solved the problem?

Comment 5 Matthieu Patou 2009-09-25 07:18:34 UTC

I don't know for andrew K, but for me it's the case even with a freshly provisioned samba !

Comment 6 Matthias Dieter Wallnöfer 2009-09-28 11:09:58 UTC

I also claim that the problem still persists (a quick test shows it). Hopefully someone skilled (like Nadezhda) wants to take this and write a fix.

Comment 7 Matthias Dieter Wallnöfer 2009-11-12 04:44:18 UTC

Are we any further here?

Comment 8 Nadezhda Ivanova 2009-11-12 05:05:19 UTC

Descriptor creation does not work on modify. I am working on this at the moment, should be fixed soon.

Comment 9 Nadezhda Ivanova 2009-11-20 05:39:05 UTC

I have added support for sd_flags control and fixed some major bugs on modify, so there is a very good chance this is fixed. Could someone try? I am not sure how to  reproduce it.

Comment 10 Matthias Dieter Wallnöfer 2009-11-26 04:48:33 UTC

Retested - it's fixed. Thank you very much, Nadya!