ID: 0000217
Category: [LEX] Edit Function
Severity: major
Reproducibility: always
Date Submitted: 2010-01-19 12:43
Last Update: 2010-01-25 19:47
Reporter: nick
View Status: public
Assigned To: PhilippFoeckeler
Priority: normal
Resolution: fixed
Status: resolved
Product Version: 1.2.003
Summary: 0000217: AD Permissions cannot be set if an object from another domain or namespace is in the ACL
Description: AD Permissions cannot be set if an object from another domain or namespace is in the ACL

LEX just does nothing. If you look at a network trace (with an unencrypted basic bind), you see that the server response is a referral. I guess this is because LEX has an error while enumerating the SID from another namespace!
Additional Information:
Tags: No tags attached.
Attached Files:

- Relationships

- Notes
(0000031)
PhilippFoeckeler (administrator)
2010-01-24 12:39

There was the same issue reported by users who wanted to set permission owners from another domain or namespace.

It's a rather complicated problem, because we need to identify a valid global catalog to resolve all the SIDs - it's easy to find a GC if you are a member of a domain, but it's not so easy if you just have an LDAP connection to a DC (but this is all that LEX might have - an LDAP connection to a DC without being a member of the corresponding domain/forest).

Another important problem which we didn't realize at first is that although the nTSecurityDescriptor is one single attribute, it might be that you are only able to write parts of it:
- DACL (normal permissions)
- SACL (audit settings)
- Owner

So the next version of LEX has to identify if the user maybe changed only one part of the whole object security, and then write the nTSecurityDescriptor back together with the LDAP extended control 1.2.840.113556.1.4.801 (SD_FLAGS):

http://msdn.microsoft.com/en-us/library/cc223323%28PROT.10%29.aspx

This is hard work, but I'm already working on it for a week now; the GC issue is solved, and I have some ideas to quickly identify what SD flags to pass for the LDAP modify operation.
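
The approach described in this note, as an added example that is not LEX's code and is not part of the original issue: compare the security descriptor before and after the user's edit, derive which of Owner/Group/DACL/SACL actually changed, and build the BER-encoded value of the SD_FLAGS control (OID 1.2.840.113556.1.4.801, whose value is a SEQUENCE holding a single INTEGER of flag bits: 0x1 owner, 0x2 group, 0x4 DACL, 0x8 SACL) so the LDAP modify only touches the parts the caller is allowed to write. `SecurityDescriptorParts` is a hypothetical simplified structure, and the SIDs and ACE strings are constructed sample values.

```python
"""Compute SD_FLAGS for a partial nTSecurityDescriptor write (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

SD_FLAGS_OID = "1.2.840.113556.1.4.801"

# Flag bits of the SD_FLAGS control value (MS-ADTS, LDAP_SERVER_SD_FLAGS_OID).
OWNER_SECURITY_INFORMATION = 0x01
GROUP_SECURITY_INFORMATION = 0x02
DACL_SECURITY_INFORMATION = 0x04
SACL_SECURITY_INFORMATION = 0x08


@dataclass(frozen=True)
class SecurityDescriptorParts:
    """Hypothetical simplified descriptor: SIDs as strings, ACLs as ACE tuples."""
    owner: str
    group: str
    dacl: Tuple[str, ...]
    sacl: Tuple[str, ...]


def changed_sd_flags(before: SecurityDescriptorParts,
                     after: SecurityDescriptorParts) -> int:
    """Return the SD_FLAGS bits for the parts that differ between before/after."""
    flags = 0
    if before.owner != after.owner:
        flags |= OWNER_SECURITY_INFORMATION
    if before.group != after.group:
        flags |= GROUP_SECURITY_INFORMATION
    if before.dacl != after.dacl:
        flags |= DACL_SECURITY_INFORMATION
    if before.sacl != after.sacl:
        flags |= SACL_SECURITY_INFORMATION
    return flags


def _ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(value: int) -> bytes:
    """BER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    if value < 0:
        raise ValueError("only non-negative values are encoded here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _ber_length(len(body)) + body


def encode_sd_flags_control_value(flags: int) -> bytes:
    """controlValue = SEQUENCE { INTEGER flags }, e.g. 0x04 -> 30 03 02 01 04."""
    if not 0 <= flags <= 0x0F:
        raise ValueError("SD_FLAGS uses only bits 0-3")
    inner = _ber_integer(flags)
    return b"\x30" + _ber_length(len(inner)) + inner


def decode_sd_flags_control_value(data: bytes) -> int:
    """Minimal round-trip decoder (short-form lengths only)."""
    if len(data) < 5 or data[0] != 0x30 or data[2] != 0x02:
        raise ValueError("not an SD_FLAGS control value")
    seq_len, int_len = data[1], data[3]
    if seq_len != 2 + int_len or len(data) != 2 + seq_len:
        raise ValueError("length mismatch")
    return int.from_bytes(data[4:4 + int_len], "big", signed=True)


def build_sd_flags_control(before: SecurityDescriptorParts,
                           after: SecurityDescriptorParts
                           ) -> Optional[Tuple[str, bool, bytes]]:
    """(oid, criticality, value) for the modify, or None when nothing changed
    so the caller can skip the write instead of rewriting the whole descriptor."""
    flags = changed_sd_flags(before, after)
    if flags == 0:
        return None
    return SD_FLAGS_OID, True, encode_sd_flags_control_value(flags)


# Constructed sample: only the DACL gains an ACE for a SID from another forest.
BEFORE = SecurityDescriptorParts(
    owner="S-1-5-21-1000000000-2000000000-3000000000-512",
    group="S-1-5-21-1000000000-2000000000-3000000000-513",
    dacl=("A;;GR;;;WD",),
    sacl=("AU;SA;WD;;;WD",),
)
AFTER = SecurityDescriptorParts(
    owner=BEFORE.owner,
    group=BEFORE.group,
    dacl=BEFORE.dacl + ("A;;GW;;;S-1-5-21-4000000000-4100000000-4200000000-1108",),
    sacl=BEFORE.sacl,
)

if __name__ == "__main__":
    ctl = build_sd_flags_control(BEFORE, AFTER)
    print("flags=%#x" % changed_sd_flags(BEFORE, AFTER), ctl[2].hex() if ctl else None)
```

The returned (oid, criticality, value) triple is the shape client libraries such as ldap3 accept as a server control on a modify request (an assumption about the library, not something this issue states); with criticality set, a DC that does not honour the control rejects the operation instead of silently writing all four parts.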

- Issue History
Date Modified Username Field Change
2010-01-19 12:43 nick New Issue
2010-01-19 22:09 PhilippFoeckeler Target Version => 1.2.004
2010-01-19 22:09 PhilippFoeckeler Status new => assigned
2010-01-19 22:09 PhilippFoeckeler Assigned To => PhilippFoeckeler
2010-01-23 22:27 PhilippFoeckeler Description Updated
2010-01-23 22:27 PhilippFoeckeler Summary AD Permissions cannot be set if an obect from another domain or namespace is in the ACL => AD Permissions cannot be set if an object from another domain or namespace is in the ACL
2010-01-24 12:39 PhilippFoeckeler Note Added: 0000031
2010-01-25 19:46 PhilippFoeckeler Status assigned => resolved
2010-01-25 19:46 PhilippFoeckeler Fixed in Version => 1.2.004
2010-01-25 19:46 PhilippFoeckeler Resolution open => fixed


Mantis 1.1.8
Copyright © 2000 - 2009 Mantis Group