The branch, v4-22-test has been updated
       via  65494ee1223 mdssvc: support a few more attributes
       via  e951675239b ndr: fix coda logic around in ndr_pull_security_ace()
       via  c10e71fb004 pytest: add ndr packing tests for security descriptors
       via  b9c08aec94a docs: Update documentation for 'sync machine password to keytab'
       via  cb50befaa21 s3:libads: Remove specifier for 'host' principal from 'sync machine password to keytab'
       via  5b5862dc690 docs-xml:smbdotconf: Document new options for 'sync machinepassword to keytab'
       via  43059189596 s3: Add new keytab specifiers
       via  f57b2dacb5d vfs_ceph_new:minor logging improvement
      from  1bb846f8344 VERSION: Bump version up to Samba 4.22.0rc3...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-22-test
- Log -----------------------------------------------------------------
commit 65494ee1223072df2475f3970a15251e5dd6935b
Author: Ralph Boehme <[email protected]>
Date: Wed Jan 29 15:11:16 2025 +0100
mdssvc: support a few more attributes
This adds support for the following Spotlight Metadata Attributes:
_kMDItemFileName (another alias for kMDItemFSName and kMDItemDisplayName)
kMDItemLastUsedDate
kMDItemContentCreationDate
kMDItemLogicalSize (another alias for kMDItemFSSize)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15796
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
(cherry picked from commit 0ba1a8d77694182058d1c01b54a8759bdf0e28a6)
Autobuild-User(v4-22-test): Jule Anger <[email protected]>
Autobuild-Date(v4-22-test): Mon Feb 17 17:21:35 UTC 2025 on atb-devel-224
commit e951675239b6c0071eaf34635ca2beac4d1a5c18
Author: Douglas Bagnall <[email protected]>
Date: Thu Jan 9 16:14:05 2025 +1300
ndr: fix coda logic around in ndr_pull_security_ace()
Sometimes an access allowed object ACE has unneeded trailing bytes,
like this:
    aces: struct security_ace
        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
        flags                    : 0x00 (0)
               0: SEC_ACE_FLAG_OBJECT_INHERIT
               0: SEC_ACE_FLAG_CONTAINER_INHERIT
               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
               0: SEC_ACE_FLAG_INHERIT_ONLY
               0: SEC_ACE_FLAG_INHERITED_ACE
            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
               0: SEC_ACE_FLAG_FAILED_ACCESS
        size                     : 0x0048 (72)
        access_mask              : 0x00000100 (256)
        object                   : union security_ace_object_ctr(case 1)
        object: struct security_ace_object
            flags                    : 0x00000001 (1)
                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                   0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
            type                     : union security_ace_object_type(case 1)
            type                     : edacfd8f-ffb3-11d1-b41d-00a0c968f939
            inherited_type           : union security_ace_object_inherited_type(case 0)
        trustee                  : S-1-3-0
        coda                     : union security_ace_coda(case 5)
        ignored                  : DATA_BLOB length=32
    [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
    [0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
which we need to pull in order to ignore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15738
Signed-off-by: Douglas Bagnall <[email protected]>
Reviewed-by: Volker Lendecke <[email protected]>
Autobuild-User(master): Volker Lendecke <[email protected]>
Autobuild-Date(master): Thu Feb 13 15:15:40 UTC 2025 on atb-devel-224
(cherry picked from commit 67b09b481b06080d3f46878d60095f188ff18fb8)
[bugzilla link added in backport]
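The trailing-bytes case from the commit message above, as an added example (not part of the commit or of Samba's code): a stand-alone Python parser that takes the end of each ACE from its size field, so bytes after the trustee SID land in a coda instead of being read as the start of the next ACE. The sample bytes are constructed from the dump above, and the function and constant names are hypothetical.

```python
import struct
import uuid

OBJECT_ACE_TYPES = {5, 6, 7, 8}   # allowed/denied/audit/alarm object ACEs
GUID_FIELDS = ((0x1, "object_type"), (0x2, "inherited_type"))


def parse_sid(buf, pos):
    """Decode the SID at buf[pos:]; return (string form, offset after it)."""
    if pos + 8 > len(buf):
        raise ValueError("truncated SID header")
    revision, count = buf[pos], buf[pos + 1]
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")
    end = pos + 8 + 4 * count
    if end > len(buf):
        raise ValueError("truncated SID sub-authorities")
    subs = struct.unpack_from(f"<{count}I", buf, pos + 8)
    return "-".join(map(str, ("S", revision, authority, *subs))), end


def parse_ace(buf, off=0):
    """Parse one ACE at buf[off:]; return (fields, offset of the next ACE)."""
    if off + 8 > len(buf):
        raise ValueError("truncated ACE header")
    ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, off)
    if size < 8 or off + size > len(buf):
        raise ValueError("ACE size field does not fit the buffer")
    ace = bytes(buf[off:off + size])   # all further reads stay inside 'size'
    pos = 8
    fields = {"type": ace_type, "flags": flags, "size": size,
              "access_mask": mask}
    if ace_type in OBJECT_ACE_TYPES:
        if pos + 4 > len(ace):
            raise ValueError("truncated object flags")
        (object_flags,) = struct.unpack_from("<I", ace, pos)
        pos += 4
        for bit, name in GUID_FIELDS:
            if object_flags & bit:
                if pos + 16 > len(ace):
                    raise ValueError("truncated GUID")
                fields[name] = str(uuid.UUID(bytes_le=ace[pos:pos + 16]))
                pos += 16
    fields["trustee"], pos = parse_sid(ace, pos)
    # Whatever is left inside the declared size is the coda. It is consumed
    # for every ACE type, so the caller resumes at off + size.
    fields["coda"] = ace[pos:]
    return fields, off + size


def walk_aces(buf, count):
    """Parse 'count' consecutive ACEs, as they sit in an ACL body."""
    aces, off = [], 0
    for _ in range(count):
        ace, off = parse_ace(buf, off)
        aces.append(ace)
    return aces


# Constructed sample: the ACE from the dump above (size 0x48, one GUID,
# trustee S-1-3-0) followed by its 32 unneeded zero bytes.
TRAILING_ZEROS_ACE = bytes.fromhex(
    "05 00 48 00 "                                       # type, flags, size
    "00 01 00 00 "                                       # access_mask
    "01 00 00 00 "                                       # object flags
    "8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 "   # object type GUID
    "01 01 00 00 00 00 00 03 00 00 00 00"                # S-1-3-0
) + bytes(32)
# Constructed sample: a plain ACCESS_ALLOWED ACE for S-1-5-18, no coda.
PLAIN_ACE = bytes.fromhex(
    "00 00 14 00 ff 01 0f 00 01 01 00 00 00 00 00 05 12 00 00 00")

if __name__ == "__main__":
    for ace in walk_aces(TRAILING_ZEROS_ACE + PLAIN_ACE, 2):
        print(ace["type"], ace["trustee"], len(ace["coda"]))
```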
commit c10e71fb00479e0f7fe0933d98b9ce50e720270a
Author: Douglas Bagnall <[email protected]>
Date: Wed Feb 12 15:29:28 2025 +1300
pytest: add ndr packing tests for security descriptors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15738
Signed-off-by: Douglas Bagnall <[email protected]>
Reviewed-by: Volker Lendecke <[email protected]>
(cherry picked from commit 455a0558c89312061f3b9ccaa577a4a60df7ee77)
[bugzilla link added in backport]
commit b9c08aec94a6bf41fd7fe7f810349b3c243542ba
Author: Pavel Filipenský <[email protected]>
Date: Fri Feb 14 17:27:26 2025 +0100
docs: Update documentation for 'sync machine password to keytab'
Use specifier 'spn_prefixes=host' instead of 'host'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Autobuild-User(master): Pavel Filipensky <[email protected]>
Autobuild-Date(master): Sat Feb 15 19:21:56 UTC 2025 on atb-devel-224
(cherry picked from commit 7cae7aad1ca6dcd5e0a3a102f36af74fa49a2c2b)
commit cb50befaa2107882fb465f7770038246e31d82d4
Author: Pavel Filipenský <[email protected]>
Date: Fri Feb 14 17:28:54 2025 +0100
s3:libads: Remove specifier for 'host' principal from 'sync machine
password to keytab'
Use specifier 'spn_prefixes=host' instead of 'host'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
(cherry picked from commit ccc3b2b2fba7b5d223c79bffc0f655490aed19cf)
commit 5b5862dc690ad0d546f8b11d21e231f556475e05
Author: Pavel Filipenský <[email protected]>
Date: Tue Jan 14 11:29:54 2025 +0100
docs-xml:smbdotconf: Document new options for 'sync machinepassword to
keytab'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Autobuild-User(master): Pavel Filipensky <[email protected]>
Autobuild-Date(master): Thu Feb 13 18:45:21 UTC 2025 on atb-devel-224
(cherry picked from commit 7a662e097be5e0d3f7779fa544486968b8f57063)
commit 430591895969d092256de295dd095c530272cf88
Author: Pavel Filipenský <[email protected]>
Date: Mon Jan 20 16:00:51 2025 +0100
s3: Add new keytab specifiers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
(cherry picked from commit 15e191736d3eaba83b2fb4b901e1df2214526b64)
commit f57b2dacb5d751606fa26d7200a536090feebce8
Author: Shweta Sodani <[email protected]>
Date: Wed Feb 5 11:21:37 2025 +0530
vfs_ceph_new:minor logging improvement
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15703
Signed-off-by: Shweta Sodani <[email protected]>
Reviewed-by: Anoop C S <[email protected]>
Reviewed-by: Guenther Deschner <[email protected]>
Autobuild-User(master): Günther Deschner <[email protected]>
Autobuild-Date(master): Fri Feb 14 10:57:50 UTC 2025 on atb-devel-224
(cherry picked from commit 6430e0a9fb7e9c368a3170f9cddd688a49aedb23)
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/net.8.xml | 24 +-
.../security/syncmachinepasswordtokeytab.xml | 41 +-
librpc/ndr/ndr_sec_helper.c | 5 +-
python/samba/tests/ndr/sd.py | 623 ++++++++++++++++++++
selftest/target/Samba3.pm | 7 +-
selftest/tests.py | 1 +
source3/libads/kerberos_keytab.c | 626 +++++++++++++--------
source3/modules/vfs_ceph_new.c | 137 +++--
source3/rpc_server/mdssvc/mdssvc.c | 23 +-
source3/script/tests/test_update_keytab.sh | 401 +++++++++----
10 files changed, 1439 insertions(+), 449 deletions(-)
create mode 100644 python/samba/tests/ndr/sd.py
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index ca34d322512..05191236ecc 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1549,29 +1549,25 @@ to show in the result.
<para>
Since Samba 4.21.0, keytab file is created as specified in <smbconfoption
-name="sync machine password to keytab"/>. The keytab is created only for
+name="sync machine password to keytab"/> . The keytab can be created only when
+machine password is available in secrets.tdb, i.e. only for
<smbconfoption name="kerberos method">secrets only</smbconfoption> and
<smbconfoption name="kerberos method">secrets and keytab</smbconfoption>. With
the smb.conf default values for <smbconfoption name="kerberos method"> secrets
only</smbconfoption> and <smbconfoption name="sync machine password to
keytab"/>
(default is empty) the keytab is not generated at all. Keytab with a default
-name and SPNs synced from AD is created for <smbconfoption name="kerberos
-method">secrets and keytab</smbconfoption> if <smbconfoption name="sync machine
-password to keytab"/> is missing.
+name containing: SPNs synced from AD, account name COMPUTER$ and principal
+host/dns_hostname is created for <smbconfoption name="kerberos method">secrets
+and keytab</smbconfoption> if <smbconfoption name="sync machine password to
+keytab"/> is missing.
</para>
<para>
-Till Samba 4.20.0, two more entries were created by default: the machinename of
-the client (ending with '$') and the UPN (host/domain@REALM). If these two
-entries are still needed, each must be specified in an own keytab file.
-Example below will generate three keytab files that contain SPNs synced from
-AD, host UPN and machine$ SPN:
+Till Samba 4.20, these entries were created by default: the account name
+COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates
+such keytab:
</para>
<programlisting>
-<smbconfoption name="sync machine password to keytab">
-/etc/krb5.keytab0:sync_spns:machine_password,
-/etc/krb5.keytab1:spns=host/[email protected]:machine_password,
-/etc/krb5.keytab2:account_name:machine_password
-</smbconfoption>
+<smbconfoption name="sync machine password to
keytab">/etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
</programlisting>
<para>
No changes are made to the computer AD account.
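Review bot: the added line 'name="sync machine password to keytab"/> . The keytab can be created only when' has a stray space before the full stop, and the rewritten sentence 'Keytab with a default name containing: SPNs synced from AD, account name COMPUTER$ and principal host/dns_hostname is created for ...' is hard to parse because the subject and verb are separated by the whole list. Suggest 'A keytab with the default name, containing the SPNs synced from AD, the account name COMPUTER$ and the principal host/dns_hostname, is created for ...', and 'The example below generates such a keytab:' in the following paragraph.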
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index f7dc30023d4..ec3fffc1119 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -24,36 +24,48 @@ synchronization.
Each string has this form:
<programlisting>
-absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
+absolute_path_to_keytab:spn_spec[:spn_spec]*[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
</programlisting>
-where spn_spec can have exactly one of these four forms:
+spn_spec can be specified multiple times (separated using ':') and each
spn_spec can have exactly one of these forms:
<programlisting>
account_name
+sync_account_name
+sync_upn
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
</programlisting>
-No other combinations are allowed.
</para>
<para>
-Specifiers:
+Every keytab contains principals according the specification below:
<programlisting>
-account_name - creates entry using principal 'computer$@REALM'.
-sync_spns - uses principals received from AD DC.
-spn_prefixes - creates principals from the prefixes and adds netbios_aliases
or additional_dns_hostnames if specified.
-spns - creates only the principals defined in the list.
+account_name - COMPUTER$@REALM
+sync_account_name - uses attribute "sAMAccountName" from AD
+sync_upn - uses attribute "userPrincipalName" (if exists in AD)
+sync_spns - uses attribute "servicePrincipalName" (if exists in AD)
+spn_prefixes - creates these two principals from each prefix. e.g.:
+ prefix/<smbconfoption name="netbios name"/>@REALM
+ prefix/<smbconfoption name="dns hostname"/>@REALM
+ with :netbios_aliases for each netbiosalias in
<smbconfoption name="netbios aliases"/>
+ prefix/netbiosalias@REALM
+ prefix/netbiosalias.dnsdomain@REALM
+ with :additional_dns_hostnames for each
additionaldnshostname in <smbconfoption name="additional dns hostnames"/>
+ prefix/additionaldnshostname@REALM
+ - 'host' principal should be created using specifier
spn_prefixes
+spns - creates only the principals defined in the list
</programlisting>
+'account_name' and 'sync_account_name' are the same, just the source differs
(secrets.tdb vs. AD).
</para>
<para>
Options:
<programlisting>
-sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read
from DC and is used to find the highest common enc type for AD and KRB5 lib.
-sync_kvno - the key version number ("msDS-KeyVersionNumber") is
synchronized from DC, otherwise is set to -1.
-netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present,
PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for
each alias. See <smbconfoption name="netbios aliases"/>
-additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present,
PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption
name="additional dns hostnames"/>
+sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read
from AD and is used to find the highest common enc type for AD and KRB5 lib.
+sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used
to set KVNO. If this option is missing, KVNO is set to -1.
+netbios_aliases - evaluated only for spn_prefixes (see details above).
+additional_dns_hostnames - evaluated only for spn_prefixes (see details above).
machine_password - mandatory, if missing the entry is ignored. For
future use.
</programlisting>
</para>
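Review bot: with 'No other combinations are allowed.' removed and spn_spec now repeatable, the text no longer says what happens when two specifiers yield the same principal (for example sync_spns and spn_prefixes=host both producing host/dns_hostname), or whether the order of spn_spec entries matters. One sentence after the list of forms stating how duplicates are handled would close that gap. Also, 'according the specification below' in the added line is missing 'to'.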
@@ -68,7 +80,8 @@ Example:
"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
-"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
+"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password",
+"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
</programlisting>
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to
DC. For "offline domain join" it might be useful not to use these options.
</para>
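Review bot: the context sentence right after the new keytab8 example still reads 'If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC', but the example now uses sync_account_name and sync_upn, which the earlier hunk documents as reading "sAMAccountName" and "userPrincipalName" from AD. If those specifiers also need a DC connection, the sentence and its offline domain join advice should list them, otherwise an admin following the advice will still have winbind contacting the DC.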
@@ -80,7 +93,7 @@ If no value is present and <smbconfoption name="kerberos
method"/> is different
<itemizedlist>
<listitem>
<para><userinput>winbind</userinput> uses value
-
<programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
+
<programlisting>/path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password</programlisting>
where the path to the keytab is obtained either from the
krb5 library or from
<smbconfoption name="dedicated keytab file"/>.
</para>
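Review bot: the new default value shown here, '/path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password', uses a bare 'host' specifier, which is not among the spn_spec forms listed earlier in this same file and contradicts the added line saying the 'host' principal should be created using spn_prefixes. The net.8.xml example in this push uses 'spn_prefixes=host', and two of the commit subjects say the 'host' specifier was replaced, so this line should probably read '/path/to/keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password'.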
diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index 7f95f1423d7..55e373cfdac 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -104,6 +104,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct
ndr_pull *ndr, ndr_flags
{
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
if (ndr_flags & NDR_SCALARS) {
+ ssize_t sub_size;
NDR_CHECK(ndr_pull_align(ndr, 5));
NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS,
&r->type));
NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS,
&r->flags));
@@ -111,12 +112,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct
ndr_pull *ndr, ndr_flags
NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr,
NDR_SCALARS, r));
NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
- if (!sec_ace_has_extra_blob(r->type)) {
+ sub_size = ndr_subcontext_size_of_ace_coda(r, r->size,
ndr->flags);
+ if (sub_size == 0 && !sec_ace_has_extra_blob(r->type)) {
r->coda.ignored.data = NULL;
r->coda.ignored.length = 0;
} else {
struct ndr_pull *_ndr_coda;
- ssize_t sub_size = ndr_subcontext_size_of_ace_coda(r,
r->size, ndr->flags);
NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0,
sub_size));
NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda,
&r->coda, r->type));
NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda,
NDR_SCALARS|NDR_BUFFERS, &r->coda));
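Review bot: the new condition 'sub_size == 0 && !sec_ace_has_extra_blob(r->type)' has no comment explaining why an ACE type without an extra blob can now take the subcontext path; the reason (trailing bytes inside r->size that must be pulled in order to be ignored) lives only in the commit message, so a short comment above the 'if' would stop it being simplified back later. Separately, sub_size is an ssize_t that is now computed for every ACE type and handed to ndr_pull_subcontext_start() with only the '== 0' test visible in this hunk, so it is worth confirming that ndr_subcontext_size_of_ace_coda() cannot return a negative value when r->size is smaller than the fields already pulled, or adding an explicit error return for 'sub_size < 0'.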
diff --git a/python/samba/tests/ndr/sd.py b/python/samba/tests/ndr/sd.py
new file mode 100644
index 00000000000..b72327421b0
--- /dev/null
+++ b/python/samba/tests/ndr/sd.py
@@ -0,0 +1,623 @@
+# Unix SMB/CIFS implementation.
+# Copyright © Douglas Bagnall <[email protected]> 2025
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import samba
+from samba.tests import TestCase, DynamicTestCase
+from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc import security
+
+
+class BaseSDTestCase(TestCase):
+ maxDiff = 10000
+ _cases = {
+ # subclasses should have a mapping of test names to binhex
+ # strings, as readable by bytes.fromhex().
+ #
+ # note, in Python 3.7+ that means hex pairs separated by any
+ # amount of whitespace, but in Python 3.6 it means any number
+ # of spaces. For example;
+ #
+ # 'ok_in_36': ("01 0203 04 05"
+ # " 06"),
+ # 'ok_in_37': """
+ # 01 02\t03
+ # 04
+ # 05 06"""
+ }
+
+ @classmethod
+ def setUpDynamicTestCases(cls):
+ for k, v in cls._cases.items():
+ cls.generate_dynamic_test('test_sd', k, v)
+
+ def _test_sd_with_args(self, v):
+ packed = bytes.fromhex(v)
+ try:
+ sd = ndr_unpack(security.descriptor, packed)
+ except (TypeError, ValueError, RuntimeError) as e:
+ self.fail(f"raised {e}")
+ try:
+ repack = ndr_pack(sd)
+ except (TypeError, ValueError) as e:
+ self.fail(f"raised {e}")
+
+ sd2 = ndr_unpack(security.descriptor, repack)
+ self.assertEqual(sd, sd2)
+
+
+@DynamicTestCase
+class SDTestCase(BaseSDTestCase):
+ _cases = {
+ "sd_01": (
+ # this one is manually annotated, but not because it is
+ # especially interesting.
+ "01 " # version
+ "00 " #
+ "17 8c " # control: SR,RM,PS,SI,SD,SP,DP
+ "14 00 00 00 " # owner offset (20)
+ "30 00 00 00 " # group offset (48)
+ "4c 00 00 00 " # sacl offset (76)
+ "c4 00 00 00 " # dacl offset (196)
+ "01 05 " # S-1- (5 sub auths)
+ "00 00 00 00 00 05 " # 5-
+ "15 00 00 00 " # 21-
+ "51 d7 cf 86 "
+ "f9 1b ef 93 "
+ "c3 53 ea 70 "
+ "00 02 00 00 "
+ "01 05 " # group: S-1-5-21-b-c-d-e
+ "00 00 00 00 00 05 "
+ "15 00 00 00 "
+ "51 d7 cf 86 "
+ "f9 1b ef 93 "
+ "c3 53 ea 70 "
+ "00 02 00 00 "
+ # SACL
+ "04 00 " # sacl v4
+ "78 00 " # sacl size (92)
+ "02 00 " # ace count (2)
+ "00 00 "
+ "07 " # sacl ACE, SYSTEM_AUDIT_OBJECT_ACE_TYPE
+ "5a " # flags
+ "38 00 " # ace size
+ "20 00 00 00 " # mask
+ "03 00 00 00 " # flags
+ "be 3b 0e f3 f0 9f d1 11 " # object type GUID
+ "b6 03 00 00 f8 03 67 c1 "
+ "a5 7a 96 bf e6 0d d0 11 " # inherited type GUID
+ "a2 85 00 aa 00 30 49 e2 "
+ "01 01 " # S-1- (1 subauth)
+ "00 00 00 00 00 01 " # 1-
+ "00 00 00 00 " # 0
+ "07 " # sacl ACE, SYSTEM_AUDIT_OBJECT_ACE_TYPE
+ "5a " # flags
+ "38 00 " # size
+ "20 00 00 00 " # mask
+ "03 00 00 00 " #flags
+ "bf 3b 0e f3 f0 9f d1 11 " # objct GUID
+ "b6 03 00 00 f8 03 67 c1 "
+ "a5 7a 96 bf e6 0d d0 11 " # inherited GUID
+ "a2 85 00 aa 00 30 49 e2 "
+ "01 01 " # S-1- (1 subauth)
+ "00 00 00 00 00 01 " # 1-
+ "00 00 00 00 " # 0
+ # DACL
+ "04 00 " # dacl v4
+ "10 02 " # dacl size (528)
+ "0d 00 " # 13 aces
+ "00 00 "
+ "00 " # ACCESS_ALLOWED_ACE_TYPE
+ "00 " # flags
+ "24 00 " # size
+ "ff 01 0f 00 " # mask
+ "01 05 " # S-1- (5 subauth)
+ "00 00 00 00 00 05 " # 5-
+ "15 00 00 00 " # 21-
+ "51 d7 cf 86 "
+ "f9 1b ef 93 "
+ "c3 53 ea 70 "
+ "00 02 00 00 "
+ "00 " # ACCESS_ALLOWED_ACE_TYPE
+ "00 "
+ "14 00 "
+ "ff 01 0f 00 "
+ "01 01 " # S-1-5-18
+ "00 00 00 00 00 05 "
+ "12 00 00 00 "
+ "00 " # ACCESS_ALLOWED_ACE_TYPE
+ "00 "
+ "14 00 "
+ "94 00 02 00 "
+ "01 01 " # S-1-5-11
+ "00 00 00 00 00 05 "
+ "0b 00 00 00 "
+ "00 " # ACCESS_ALLOWED_ACE_TYPE
+ "12 " # flags
+ "24 00 "
+ "ff 01 0f 00 "
+ "01 05 " # S-1-5-a-b-c-d-e
+ "00 00 00 00 00 05 "
+ "15 00 00 00 "
+ "51 d7 cf 86 "
+ "f9 1b ef 93 "
+ "c3 53 ea 70 "
+ "07 02 00 00 "
+ "00 " # ACCESS_ALLOWED_ACE_TYPE
+ "12 " # flags
+ "18 00 "
+ "bd 01 0f 00 "
+ "01 02 " # S-1-5-32-544
+ "00 00 00 00 00 05 "
+ "20 00 00 00 "
+ "20 02 00 00 "
+ "00 " # ACCESS_ALLOWED_ACE_TYPE
+ "12 " # flags
+ "18 00 "
+ "04 00 00 00 "
+ "01 02 " # S-1-5-32-554
+ "00 00 00 00 00 05 "
+ "20 00 00 00 "
+ "2a 02 00 00 "
+ "05 " # ACCESS_ALLOWED_OBJECT_ACE_TYPE
+ "1a "
+ "38 00 " # size 56
+ "08 00 00 00 " # mask
+ "03 00 00 00 " # flags: object and inherited present
+ "a6 6d 02 9b 3c 0d 5c 46 " # object GUID
+ "8b ee 51 99 d7 16 5c ba "
+ "86 7a 96 bf e6 0d d0 11 " # inherited GUID
+ "a2 85 00 aa 00 30 49 e2 "
+ "01 01 " # S-1-3-0
+ "00 00 00 00 00 03 "
+ "00 00 00 00 "
+ "05 " # ACCESS_ALLOWED_OBJECT_ACE_TYPE
+ "12 "
+ "28 00 " # size 40
+ "30 00 00 00 " # mask
+ "01 00 00 00 " # flags: object present
+ "e5 c3 78 3f 9a f7 bd 46 " # object GUID
+ "a0 b8 9d 18 11 6d dc 79 "
+ "01 01 " # S-1-5-10
+ "00 00 00 00 00 05 "
+ "0a 00 00 00 "
+ "05 "
+ "12 "
+ "28 00 "
+ "30 01 00 00 "
+ "01 00 00 00 " # flags: object present
+ "de 47 e6 91 6f d9 70 4b " # object GUID
+ "95 57 d6 3f f4 f3 cc d8 "
+ "01 01 " # S-1-5-10
+ "00 00 00 00 00 05 "
+ "0a 00 00 00 "
+ "05 "
+ "1a "
+ "38 00 " # size 56
+ "08 00 00 00 "
+ "03 00 00 00 " # flags both present
+ "a6 6d 02 9b 3c 0d 5c 46 "
+ "8b ee 51 99 d7 16 5c ba "
+ "86 7a 96 bf e6 0d d0 11 "
+ "a2 85 00 aa 00 30 49 e2 "
+ "01 01 " # S-1-5-10
+ "00 00 00 00 00 05 "
+ "0a 00 00 00 "
+ "05 "
+ "1a "
+ "38 00 " # size 56
+ "20 00 00 00 "
+ "03 00 00 00 "
+ "93 7b 1b ea 48 5e d5 46 "
+ "bc 6c 4d f4 fd a7 8a 35 "
+ "86 7a 96 bf e6 0d d0 11 "
+ "a2 85 00 aa 00 30 49 e2 "
+ "01 01 " # S-1-5-10
+ "00 00 00 00 00 05 "
+ "0a 00 00 00 "
+ "05 "
+ "12 "
+ "38 00 " # size 56
+ "30 00 00 00 "
+ "01 00 00 00 " # only object GUI present
+ "0f d6 47 5b 90 60 b2 40 "
+ "9f 37 2a 4d e8 8f 30 63 "
+ "01 05 " # S-1-5-21-b-c-d-e
+ "00 00 00 00 00 05 "
+ "15 00 00 00 "
+ "51 d7 cf 86 "
+ "f9 1b ef 93 "
+ "c3 53 ea 70 "
+ "0e 02 00 00 "
+ "05 "
+ "12 "
+ "38 00 " # size 56
+ "30 00 00 00 "
+ "01 00 00 00 "
+ "0f d6 47 5b 90 60 b2 40 "
+ "9f 37 2a 4d e8 8f 30 63 "
+ "01 05 " # S-1-5-21-b-c-d-e
+ "00 00 00 00 00 05 "
+ "15 00 00 00 "
+ "51 d7 cf 86 "
+ "f9 1b ef 93 "
+ "c3 53 ea 70 "
+ "0f 02 00 00"
+ ),
+ "sd_02": (
+ "01 00 17 99 14 00 00 00 30 00 00 00 4c 00 00 00 "
+ "c4 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 "
+ "51 d7 cf 86 f9 1b ef 93 c3 53 ea 70 00 02 00 00 "
+ "01 05 00 00 00 00 00 05 15 00 00 00 51 d7 cf 86 "
+ "f9 1b ef 93 c3 53 ea 70 00 02 00 00 04 00 78 00 "
+ "02 00 00 00 07 5a 38 00 20 00 00 00 03 00 00 00 "
+ "be 3b 0e f3 f0 9f d1 11 b6 03 00 00 f8 03 67 c1 "
+ "a5 7a 96 bf e6 0d d0 11 a2 85 00 aa 00 30 49 e2 "
+ "01 01 00 00 00 00 00 01 00 00 00 00 07 5a 38 00 "
+ "20 00 00 00 03 00 00 00 bf 3b 0e f3 f0 9f d1 11 "
+ "b6 03 00 00 f8 03 67 c1 a5 7a 96 bf e6 0d d0 11 "
+ "a2 85 00 aa 00 30 49 e2 01 01 00 00 00 00 00 01 "
+ "00 00 00 00 04 00 60 01 0a 00 00 00 00 0a 14 00 "
+ "ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 "
+ "00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 "
+ "0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 "
+ "00 00 00 05 12 00 00 00 00 02 24 00 ff 00 0f 00 "
+ "01 05 00 00 00 00 00 05 15 00 00 00 51 d7 cf 86 "
+ "f9 1b ef 93 c3 53 ea 70 00 02 00 00 00 02 24 00 "
+ "ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 "
+ "51 d7 cf 86 f9 1b ef 93 c3 53 ea 70 07 02 00 00 "
+ "00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 "
+ "09 00 00 00 05 00 38 00 00 01 00 00 01 00 00 00 "
+ "8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 "
+ "01 05 00 00 00 00 00 05 15 00 00 00 51 d7 cf 86 "
+ "f9 1b ef 93 c3 53 ea 70 00 02 00 00 05 02 28 00 "
+ "00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 "
+ "b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 "
+ "0b 00 00 00 05 00 28 00 00 01 00 00 01 00 00 00 "
+ "8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 "
+ "01 01 00 00 00 00 00 05 12 00 00 00 05 00 38 00 "
+ "00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 "
+ "b4 1d 00 a0 c9 68 f9 39 01 05 00 00 00 00 00 05 "
+ "15 00 00 00 51 d7 cf 86 f9 1b ef 93 c3 53 ea 70 "
+ "07 02 00 00"
+ ),
+ "sd_03": (
+ "01 00 17 8c 14 00 00 00 30 00 00 00 4c 00 00 00 "
+ "c4 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 "
+ "51 d7 cf 86 f9 1b ef 93 c3 53 ea 70 00 02 00 00 "
+ "01 05 00 00 00 00 00 05 15 00 00 00 51 d7 cf 86 "
+ "f9 1b ef 93 c3 53 ea 70 00 02 00 00 04 00 78 00 "
+ "02 00 00 00 07 5a 38 00 20 00 00 00 03 00 00 00 "
+ "be 3b 0e f3 f0 9f d1 11 b6 03 00 00 f8 03 67 c1 "
+ "a5 7a 96 bf e6 0d d0 11 a2 85 00 aa 00 30 49 e2 "
+ "01 01 00 00 00 00 00 01 00 00 00 00 07 5a 38 00 "
+ "20 00 00 00 03 00 00 00 bf 3b 0e f3 f0 9f d1 11 "
+ "b6 03 00 00 f8 03 67 c1 a5 7a 96 bf e6 0d d0 11 "
+ "a2 85 00 aa 00 30 49 e2 01 01 00 00 00 00 00 01 "
+ "00 00 00 00 04 00 38 01 0b 00 00 00 00 00 24 00 "
+ "ff 01 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 "
+ "51 d7 cf 86 f9 1b ef 93 c3 53 ea 70 00 02 00 00 "
+ "00 00 14 00 ff 01 0f 00 01 01 00 00 00 00 00 05 "
+ "12 00 00 00 00 00 14 00 94 00 02 00 01 01 00 00 "
+ "00 00 00 05 0b 00 00 00 00 10 24 00 ff 00 0f 00 "
+ "01 05 00 00 00 00 00 05 15 00 00 00 51 d7 cf 86 "
+ "f9 1b ef 93 c3 53 ea 70 00 02 00 00 00 1a 14 00 "
+ "ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 "
+ "00 12 14 00 94 00 02 00 01 01 00 00 00 00 00 05 "
+ "0b 00 00 00 00 12 14 00 ff 00 0f 00 01 01 00 00 "
+ "00 00 00 05 12 00 00 00 00 12 24 00 ff 00 0f 00 "
+ "01 05 00 00 00 00 00 05 15 00 00 00 51 d7 cf 86 "
+ "f9 1b ef 93 c3 53 ea 70 00 02 00 00 00 12 24 00 "
+ "ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 "
+ "51 d7 cf 86 f9 1b ef 93 c3 53 ea 70 07 02 00 00 "
+ "00 12 14 00 94 00 02 00 01 01 00 00 00 00 00 05 "
+ "09 00 00 00 05 12 28 00 00 01 00 00 01 00 00 00 "
+ "8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 "
+ "01 01 00 00 00 00 00 05 0b 00 00 00"
+ ),
+ "sd_04_object_ace_with_trailing_zeros": (
+ "01 00 04 91 00 00 00 00 00 00 00 00 00 00 00 00 "
+ "14 00 00 00 04 00 d0 01 0a 00 00 00 00 0a 14 00 "
+ "ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 "
+ "00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 "
+ "0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 "
+ "00 00 00 05 12 00 00 00 00 02 24 00 ff 00 0f 00 "
+ "01 05 00 00 00 00 00 05 15 00 00 00 51 d7 cf 86 "
+ "f9 1b ef 93 c3 53 ea 70 00 02 00 00 00 02 24 00 "
+ "ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 "
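Review bot: _test_sd_with_args() only asserts that the unpacked descriptor equals the unpack of its own repack, so sd_04_object_ace_with_trailing_zeros passes whether the trailing bytes are kept in the coda or silently dropped on repack. Add an assertion that pins the intended behaviour, for example comparing 'repack' with 'packed' for the cases where a byte-exact round trip is expected. The second 'ndr_unpack(security.descriptor, repack)' is also outside any try block, unlike the first, so a failure there is reported as an error rather than through self.fail(). In the sd_01 annotations, '"78 00 "' is commented as sacl size (92) but 0x0078 is 120, and the comments 'objct GUID' and 'only object GUI present' have typos.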
--
Samba Shared Repository