Discussion:
ldap object access controls
William Brown via samba-technical
2018-04-18 05:47:17 UTC
Hi,

I'm currently trying to understand the samba4/ad ldap object access
control for search and how to manipulate these.

Looking at various objects I can't seem to see where AD is storing the
ACE entries, even though you can "edit" them via ADSI and the like.

What attribute of the object are the ACE attributes stored in and how
can I modify these via the ldap interface? Any documentation or
references about this topic would be excellent,

Thank you!
Nadezhda Ivanova via samba-technical
2018-05-04 08:38:22 UTC
Hi William,
Perhaps I don't understand your question, do you mean
nTSecurityDescriptor? To "see" it you need to be a domain admin or
provide SD_FLAGS_CONTROL in the request. Also, it's a binary blob. I
have forgotten if there is a samba tool to display the decoded
descriptors, there must be. Else some of the python test code can be
re-used.

Best Regards,
Nadya
Post by William Brown via samba-technical
Hi,
I'm currently trying to understand the samba4/ad ldap object access
control for search and how to manipulate these.
Looking at various objects I can't seem to see where AD is storing the
ACE entries, even though you can "edit" them via ADSI and the like.
What attribute of the object are the ACE attributes stored in and how
can I modify these via the ldap interface? Any documentation or
references about this topic would be excellent,
Thank you!
Rowland Penny via samba-technical
2018-05-04 09:09:21 UTC
On Fri, 4 May 2018 11:38:22 +0300
Post by Nadezhda Ivanova via samba-technical
Hi William,
Perhaps I don't understand your question, do you mean
nTSecurityDescriptor? To "see" it you need to be a domain admin or
provide SD_FLAGS_CONTROL in the request. Also, it's a binary blob. I
have forgotten if there is a samba tool to display the decoded
descriptors, there must be. Else some of the python test code can be
re-used.
it is one of the hidden attributes, you need to explicitly ask for it

e.g.
ldbsearch -H ldap://dc4 -b 'dc=samdom,dc=example,dc=com' -s sub -U rowland '(&(objectclass=user)(samaccountname=rowland))' nTSecurityDescriptor

Rowland
Denis Cardon via samba-technical
2018-05-04 12:26:47 UTC
Hi William,
Post by William Brown via samba-technical
I'm currently trying to understand the samba4/ad ldap object access
control for search and how to manipulate these.
Looking at various objects I can't seem to see where AD is storing the
ACE entries, even though you can "edit" them via ADSI and the like.
What attribute of the object are the ACE attributes stored in and how
can I modify these via the ldap interface? Any documentation or
references about this topic would be excellent,
I don't think it is advisable to directly edit the ntSecurityDescriptor
attributes. If you don't mind using some python, you can get some
inspiration from Andrew's mitigation script for CVE-2018-1057 mitigation
[1]. I used it as a basis for implementing some ACL handling at clients
recently.

Cheers,

Denis

[1] https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_helper
Post by William Brown via samba-technical
Thank you!
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
Nadezhda Ivanova via samba-technical
2018-05-04 12:51:36 UTC
Not to mention it's not very easy :). Even in the decoded form, you need
to know which SIDs mean which accounts, which GUIDs mean which property
sets or objects, and you need to be aware of the rules of ordering.
Information of nTSecurityDescriptor can be found in MS-ADTS (Somewhere
in section 5), and MS-DTYP. Scripts or tools are the way to go.
Post by Nadezhda Ivanova via samba-technical
Hi William,
I don't think it is advisable to directly edit the ntSecurityDescriptor
attributes. If you don't mind using some python, you can get some
inspiration from Andrew's mitigation script for CVE-2018-1057 mitigation
[1]. I used it as a basis for implementing some ACL handling at clients
recently.
Cheers,
Denis
[1] https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_helper
Post by William Brown via samba-technical
Thank you!
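Nadya's two replies make three points that are easier to see in code: the attribute only comes back when the SD_FLAGS control (LDAP_SERVER_SD_FLAGS_OID, 1.2.840.113556.1.4.801) is sent, the value is a binary self-relative SECURITY_DESCRIPTOR as laid out in MS-DTYP, and reading it still requires mapping SIDs and GUIDs to names and respecting ACE ordering. The following is an added example written for this thread, not Samba's own code and not its python test code: it builds a small constructed descriptor, decodes it with a pure-Python parser of the MS-DTYP layout (ACCESS_ALLOWED, ACCESS_DENIED and ACCESS_ALLOWED_OBJECT ACEs only), applies a simplified canonical-order check, and produces the BER value of the SD_FLAGS control. The domain SID S-1-5-21-1000-2000-3000-1105 is constructed; the well-known SIDs and the User-Force-Change-Password rights GUID are real values from MS-DTYP and MS-ADTS.

```python
"""Decode a self-relative nTSecurityDescriptor blob (MS-DTYP layout) and build the
value of the LDAP_SERVER_SD_FLAGS control (MS-ADTS, OID 1.2.840.113556.1.4.801).
Added example for this thread; it is not Samba code and imports no Samba module."""
import struct
import uuid

# Well-known SIDs and one well-known extended-rights GUID make output readable.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-32-544": "BUILTIN\\Administrators"}
WELL_KNOWN_GUIDS = {"00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password"}

ACCESS_ALLOWED, ACCESS_DENIED, ACCESS_ALLOWED_OBJECT = 0x00, 0x01, 0x05  # AceType
INHERITED_ACE = 0x10                 # AceFlags bit: ACE was inherited from parent
ACE_OBJECT_TYPE_PRESENT = 0x01       # object-ACE Flags: ObjectType GUID present
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x02
DACL_SECURITY_INFORMATION, SACL_SECURITY_INFORMATION = 0x04, 0x08

def name_of(sid):
    return WELL_KNOWN_SIDS.get(sid, sid)

def parse_sid(buf, off):
    """Return (sid_string, bytes_consumed) for the SID at buf[off]."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_acl(buf, off):
    """Decode the ACL at buf[off] into a list of ACE dicts."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        ace = {"type": ace_type, "flags": flags, "mask": mask, "object_type": None}
        p = pos + 8
        if ace_type == ACCESS_ALLOWED_OBJECT:        # object ACE: Flags, then optional GUIDs
            obj_flags = struct.unpack_from("<I", buf, p)[0]
            p += 4
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                g = str(uuid.UUID(bytes_le=bytes(buf[p:p + 16])))
                ace["object_type"] = WELL_KNOWN_GUIDS.get(g, g)
                p += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                p += 16
        ace["trustee"] = name_of(parse_sid(buf, p)[0])
        aces.append(ace)
        pos += size
    return aces

def parse_security_descriptor(blob):
    """Decode the 20-byte header, then owner, group and DACL at their offsets."""
    _rev, _sbz1, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    return {"control": control,
            "owner": name_of(parse_sid(blob, o_owner)[0]) if o_owner else None,
            "group": name_of(parse_sid(blob, o_group)[0]) if o_group else None,
            "dacl": parse_acl(blob, o_dacl) if o_dacl else []}

def dacl_is_canonical(aces):
    """Simplified canonical order: explicit ACEs before inherited ones, and within
    each group deny ACEs before allow ACEs (the full AD rules are in MS-ADTS)."""
    ranks = [(bool(a["flags"] & INHERITED_ACE), a["type"] != ACCESS_DENIED) for a in aces]
    return ranks == sorted(ranks)

def sd_flags_control_value(flags):
    """BER encoding of SEQUENCE { INTEGER flags }; flags is a 4-bit mask, so short form suffices."""
    inner = bytes([0x02, 0x01, flags & 0x0F])
    return bytes([0x30, len(inner)]) + inner

# --- builders, used only to construct the sample blob below ---
def build_sid(sid):
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(x) for x in parts[3:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_ace(ace_type, flags, mask, sid, object_type=None):
    body = struct.pack("<I", mask)
    if ace_type == ACCESS_ALLOWED_OBJECT:
        body += struct.pack("<I", ACE_OBJECT_TYPE_PRESENT) + uuid.UUID(object_type).bytes_le
    body += build_sid(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body  # ACL_REVISION_DS = 4

def build_sd(owner, group, dacl):
    o, g = build_sid(owner), build_sid(group)
    off_owner, off_group = 20, 20 + len(o)
    control = 0x8000 | 0x0004           # SE_SELF_RELATIVE | SE_DACL_PRESENT
    return struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_group + len(g)) + o + g + dacl

# Constructed sample: deny DELETE to Everyone, grant the password-reset control
# access right to one (constructed) domain account, and an inherited generic read.
SAMPLE_SD = build_sd("S-1-5-32-544", "S-1-5-32-544", build_acl([
    build_ace(ACCESS_DENIED, 0, 0x00010000, "S-1-1-0"),
    build_ace(ACCESS_ALLOWED_OBJECT, 0, 0x00000100, "S-1-5-21-1000-2000-3000-1105",
              "00299570-246d-11d0-a768-00aa006e0529"),
    build_ace(ACCESS_ALLOWED, INHERITED_ACE, 0x00020094, "S-1-1-0"),
]))

if __name__ == "__main__":
    for ace in parse_security_descriptor(SAMPLE_SD)["dacl"]:
        print(ace)
    print(sd_flags_control_value(DACL_SECURITY_INFORMATION).hex())
```

On a real directory the blob would come from the LDAP search with the control attached (flags 0x04 asks for the DACL only; a non-admin cannot retrieve the SACL part), and the decoded SIDs would still have to be resolved against the domain before the output means anything, which is the reason the replies above recommend a script over hand editing.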
William Brown via samba-technical
2018-05-07 00:33:02 UTC
Post by Nadezhda Ivanova via samba-technical
Hi William,
Post by William Brown via samba-technical
I'm currently trying to understand the samba4/ad ldap object access
control for search and how to manipulate these.
Looking at various objects I can't seem to see where AD is storing the
ACE entries, even though you can "edit" them via ADSI and the like.
What attribute of the object are the ACE attributes stored in and how
can I modify these via the ldap interface? Any documentation or
references about this topic would be excellent,
I don't think it is advisable to directly edit the
ntSecurityDescriptor
attributes. If you don't mind using some python, you can get some
inspiration from Andrew's mitigation script for CVE-2018-1057
mitigation
[1]. I used it as a basis for implementing some ACL handling at clients
recently.
Hey mate,

I've already submitted a patch in another thread for modifying these
as part of the dsacl command,

Thank you!
Post by Nadezhda Ivanova via samba-technical
Cheers,
Denis
[1] https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_helper
Post by William Brown via samba-technical
Thank you!