From 1f3904d393f08639a5fdeef71c666758096998f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Kr=C3=A4mer?=
Date: Wed, 9 Jan 2019 13:17:02 +0000
Subject: [PATCH 1/2] Currently it is possible to add the same ace multiple times if the case sensitivity does not match the existing one using "--sddl" parameter. As an example while an ace "OA;CIIO;RPWP;3e978925-8c01-11d0-afda-00c04fd930c9;bf967a86-0de6-11d0-a285-00aa003049e2;PS" already exists a sddl "OA;CIIO;RPWP;3E978925-8C01-11D0-AFDA-00C04FD930C9;BF967A86-0DE6-11D0-A285-00AA003049E2;PS" can be added without detection (and can be added multiple times). As an end result after a high number of addings (in my tests it was about 1600-1800 aces for one object) no further changes on that object are possible.
---
 python/samba/netcmd/dsacl.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/samba/netcmd/dsacl.py b/python/samba/netcmd/dsacl.py
index 3295db3b76a..176d14d1a4d 100644
--- a/python/samba/netcmd/dsacl.py
+++ b/python/samba/netcmd/dsacl.py
@@ -119,7 +119,7 @@ class cmd_dsacl_set(Command):
 for ace in desc_aces:
 if ("ID" in ace):
 desc_sddl = desc_sddl.replace(ace, "")
- if new_ace in desc_sddl:
+ if new_ace.lower() in desc_sddl.lower():
 return
 if desc_sddl.find("(") >= 0:
 desc_sddl = desc_sddl[:desc_sddl.index("(")] + new_ace + desc_sddl[desc_sddl.index("("):]
-- GitLab
From bd17f84367bae37ab4ca8eff4c1d4beee266af92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Kr=C3=A4mer?=
Date: Tue, 22 Jan 2019 17:57:07 +0000
Subject: [PATCH 2/2] Update python/samba/netcmd/dsacl.py
---
 python/samba/netcmd/dsacl.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/samba/netcmd/dsacl.py b/python/samba/netcmd/dsacl.py
index 176d14d1a4d..ab2b294503f 100644
--- a/python/samba/netcmd/dsacl.py
+++ b/python/samba/netcmd/dsacl.py 
@@ -114,12 +114,14 @@ class cmd_dsacl_set(Command):
 """Add new ace explicitly."""
 desc = self.read_descriptor(samdb, object_dn)
 desc_sddl = desc.as_sddl(self.get_domain_sid(samdb))
+ new_ace = security.descriptor.from_sddl("D:" + new_ace,self.get_domain_sid(samdb))
+ new_ace = re.findone("\(.*?\)",new_ace.as_sddl())
 # TODO add bindings for descriptor manipulation and get rid of this
 desc_aces = re.findall("\(.*?\)", desc_sddl)
 for ace in desc_aces:
 if ("ID" in ace):
 desc_sddl = desc_sddl.replace(ace, "")
- if new_ace.lower() in desc_sddl.lower():
+ if new_ace in desc_sddl:
 return
 if desc_sddl.find("(") >= 0:
 desc_sddl = desc_sddl[:desc_sddl.index("(")] + new_ace + desc_sddl[desc_sddl.index("("):]
-- GitLab
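Review bot: `re.findone` on the second added line does not exist in Python's `re` module, so every call of this method now raises AttributeError before the duplicate check is reached; the canonical ACE string should be taken with `new_ace = re.search(r"\(.*?\)", new_ace.as_sddl()).group(0)` (or `re.findall(r"\(.*?\)", new_ace.as_sddl())[0]`), with a raw string so the `\(` escape does not trigger the invalid-escape DeprecationWarning that the existing `re.findall("\(.*?\)", desc_sddl)` line also carries. Rebinding the `new_ace` parameter first to a descriptor object and then back to a string makes the hunk hard to follow; a separate name such as `canonical_ace` for the normalized string, and computing `self.get_domain_sid(samdb)` once into a local instead of twice in consecutive lines, would read more clearly. Round-tripping the user-supplied ACE through the SDDL parser is the right approach here: it canonicalizes the GUID and SID case so repeated additions no longer grow the descriptor until the object can no longer be modified, which the case-folded substring compare from the first patch only partly addressed. The method's `def` line sits above this hunk and its write-back of `desc_sddl` presumably follows below it, so whether a parse failure of the supplied SDDL is reported to the user cannot be judged from the hunk alone.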