s3/utils: when encoding ace string use "FA", "FR", "FW", "FX" string rights

prior to this patch rights matching "FA", "FR", "FW", "FX" were
outputted as the hex string representing the bit value.

While outputting the hex string is perfectly fine, it makes it harder
to compare icacls output (which always uses the special string values)

Additionally adjust various tests to deal with use of shortcut access masks
as sddl format now uses FA, FR, FW & FX strings (like icalcs does) instead
of hex representation of the bit mask.

adjust
  samba4.blackbox.samba-tool_ntacl
  samba3.blackbox.large_acl
  samba.tests.samba_tool.ntacl
  samba.tests.ntacls
  samba.tests.posixacl

so various string comparisons of the sddl format now pass

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org Adapted to new stricter SDDL behaviour around leading zeros in hex
 numbers, eg 0x001]

diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index ee024b2b0d7148cf0228e22658e7019c6f840db3..e14b2748384210561973b56eb23e31f4b1bfbb5d 100644 (file)
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -333,6 +333,22 @@ static const struct flag_map decode_ace_access_mask[] = {
        { NULL, 0 },
 };
 
+
+static char *sddl_match_file_rights(TALLOC_CTX *mem_ctx,
+                               uint32_t flags)
+{
+       int i;
+
+       /* try to find an exact match */
+       for (i=0;decode_ace_access_mask[i].name;i++) {
+               if (decode_ace_access_mask[i].flag == flags) {
+                       return talloc_strdup(mem_ctx,
+                                       decode_ace_access_mask[i].name);
+               }
+       }
+       return NULL;
+}
+
 static bool sddl_decode_access(const char *str, uint32_t *pmask)
 {
        const char *str0 = str;
@@ -776,8 +792,12 @@ static char *sddl_transition_encode_ace(TALLOC_CTX *mem_ctx, const struct securi
        sddl_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask,
                                         ace->access_mask, true);
        if (sddl_mask == NULL) {
-               sddl_mask = talloc_asprintf(tmp_ctx, "0x%x",
-                                            ace->access_mask);
+               sddl_mask = sddl_match_file_rights(tmp_ctx,
+                               ace->access_mask);
+               if (sddl_mask == NULL) {
+                       sddl_mask = talloc_asprintf(tmp_ctx, "0x%x",
+                                                   ace->access_mask);
+               }
                if (sddl_mask == NULL) {
                        goto failed;
                }

diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 0296d5730c3c879f5fa10b1c43310c665a9fd945..8cb7e5554a0eaa288881c834f7a117b2c6f5dd00 100644 (file)
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1598,8 +1598,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
     return samdb
 
 
-SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x1f01ff;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;0x1f01ff;;;SY)(A;OICI;0x1200a9;;;AU)"
-POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x1f01ff;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;0x1f01ff;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)"
+SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
+POLICIES_ACL = "O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1301bf;;;PA)"
 SYSVOL_SERVICE = "sysvol"
 
 

diff --git a/python/samba/tests/ntacls.py b/python/samba/tests/ntacls.py
index e4e133fc061204b3872e82bc2bf1f2466aa97bf2..4d625768d9179a26a79854272844242b9059091f 100644 (file)
--- a/python/samba/tests/ntacls.py
+++ b/python/samba/tests/ntacls.py
@@ -26,7 +26,7 @@ from samba.dcerpc import security
 from samba.tests import TestCaseInTempDir, SkipTest
 from samba.auth_util import system_session_unix
 
-NTACL_SDDL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+NTACL_SDDL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 DOMAIN_SID = "S-1-5-21-2212615479-2695158682-2101375467"
 
 

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 3e4d266a634576760b823d03fdee1ca34e3e3e08..0ef689d5cf386984a6a6b848124ba13672975f69 100644 (file)
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -31,7 +31,7 @@ from samba.auth_util import system_session_unix
 from errno import ENODATA
 
 DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467"
-ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
+ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
 
 
 class PosixAclMappingTests(SmbdBaseTests):
@@ -128,7 +128,7 @@ class PosixAclMappingTests(SmbdBaseTests):
 
     def test_setntacl_smbd_invalidate_getntacl_smbd(self):
         acl = ACL
-        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x1200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
+        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;FA;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x1200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         os.chmod(self.tempf, 0o750)
         setntacl(self.lp, self.tempf, acl, DOM_SID,
                  self.get_session_info(), use_ntvfs=False)
@@ -161,7 +161,7 @@ class PosixAclMappingTests(SmbdBaseTests):
 
     def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
         acl = ACL
-        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x1f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
+        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x1f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;FR;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         setntacl(self.lp, self.tempf, acl, DOM_SID,
                  self.get_session_info(), use_ntvfs=False)
         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
@@ -173,7 +173,7 @@ class PosixAclMappingTests(SmbdBaseTests):
     def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
         acl = ACL
         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
-        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x1f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x120089;;;BA)(A;;0x120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
+        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x1f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;FR;;;BA)(A;;FR;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         setntacl(self.lp, self.tempf, acl, DOM_SID,
                  self.get_session_info(), use_ntvfs=False)
         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
@@ -187,7 +187,7 @@ class PosixAclMappingTests(SmbdBaseTests):
         self.assertEqual(simple_acl_from_posix, facl.as_sddl(anysid))
 
     def test_setntacl_smbd_getntacl_smbd_gpo(self):
-        acl = "O:DAG:DUD:P(A;OICI;0x1f01ff;;;DA)(A;OICI;0x1f01ff;;;EA)(A;OICIIO;0x1f01ff;;;CO)(A;OICI;0x1f01ff;;;DA)(A;OICI;0x1f01ff;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+        acl = "O:DAG:DUD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
         setntacl(self.lp, self.tempf, acl, DOM_SID,
                  self.get_session_info(), use_ntvfs=False)
         facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
@@ -217,7 +217,7 @@ class PosixAclMappingTests(SmbdBaseTests):
         user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
         smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info())
         facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
-        acl = "O:%sG:%sD:(A;;0x1f019f;;;%s)(A;;0x120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
+        acl = "O:%sG:%sD:(A;;0x1f019f;;;%s)(A;;FR;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEqual(acl, facl.as_sddl(anysid))
 
@@ -234,7 +234,7 @@ class PosixAclMappingTests(SmbdBaseTests):
         smbd.chown(self.tempdir, BA_id, SO_id, self.get_session_info())
         smbd.set_simple_acl(self.tempdir, 0o750, self.get_session_info())
         facl = getntacl(self.lp, self.tempdir, self.get_session_info(), direct_db_access=False)
-        acl = "O:BAG:SOD:(A;;0x1f01ff;;;BA)(A;;0x1200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x1f01ff;;;CO)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)"
+        acl = "O:BAG:SOD:(A;;FA;;;BA)(A;;0x1200a9;;;SO)(A;;;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)"
 
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEqual(acl, facl.as_sddl(anysid))
@@ -249,7 +249,7 @@ class PosixAclMappingTests(SmbdBaseTests):
         smbd.set_simple_acl(self.tempf, 0o640, self.get_session_info(), BA_gid)
         facl = getntacl(self.lp, self.tempf, self.get_session_info(), direct_db_access=False)
         domsid = passdb.get_global_sam_sid()
-        acl = "O:%sG:%sD:(A;;0x1f019f;;;%s)(A;;0x120089;;;BA)(A;;0x120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
+        acl = "O:%sG:%sD:(A;;0x1f019f;;;%s)(A;;FR;;;BA)(A;;FR;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEqual(acl, facl.as_sddl(anysid))
 

diff --git a/python/samba/tests/samba_tool/ntacl.py b/python/samba/tests/samba_tool/ntacl.py
index 555d57b8f19cd39bafd242b24a4d2615a0b3b03d..caf2d7288f4447292e4e657d99c544a92fa6e3c6 100644 (file)
--- a/python/samba/tests/samba_tool/ntacl.py
+++ b/python/samba/tests/samba_tool/ntacl.py
@@ -100,7 +100,7 @@ class NtACLCmdSysvolTestCase(SambaToolCmdTest):
 class NtACLCmdGetSetTestCase(SambaToolCmdTest):
     """Tests for samba-tool ntacl get/set subcommands"""
 
-    acl = "O:DAG:DUD:P(A;OICI;0x1f01ff;;;DA)(A;OICI;0x1f01ff;;;EA)(A;OICIIO;0x1f01ff;;;CO)(A;OICI;0x1f01ff;;;DA)(A;OICI;0x1f01ff;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+    acl = "O:DAG:DUD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
 
     def test_ntvfs(self):
         path = os.environ['SELFTEST_PREFIX']
@@ -163,9 +163,9 @@ class NtACLCmdGetSetTestCase(SambaToolCmdTest):
 
 class NtACLCmdChangedomsidTestCase(SambaToolCmdTest):
     """Tests for samba-tool ntacl changedomsid subcommand"""
-
+    maxDiff = 10000
     acl = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
-    new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;0x1f01ff;;;CO)(A;OICI;0x1f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x1f01ff;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+    new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
     domain_sid=os.environ['DOMSID']
     new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468"
 

diff --git a/selftest/knownfail.d/sddl b/selftest/knownfail.d/sddl
index 516c33b372da2fecd82dae082483614b92be99c7..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 100644 (file)
--- a/selftest/knownfail.d/sddl
+++ b/selftest/knownfail.d/sddl
@@ -1,4 +0,0 @@
-^samba.tests.sddl.+.SddlCanonical.test_sddl_D:.A;;FA;;;WD..none
-^samba.tests.sddl.+.SddlNonCanonical.test_sddl_D:.A;;0x001f01ff;;;WD..A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-1001..A;;0x001f01ff;;;S-1+11522-more-characters.none
-^samba.tests.sddl.+.SddlNonCanonical.test_sddl_O:LAG:BAD:P.A;OICI;0x1f01ff;;;BA..none
-^samba.tests.sddl.+.SddlNonCanonical.test_sddl_O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P.A;+482-more-characters.none

diff --git a/source3/script/tests/test_large_acl.sh b/source3/script/tests/test_large_acl.sh
index b80b15ec094ff7746f0b412c750592aad792e6c9..ac960298cc01fe2dbd7f81bfc77b725d164ee763 100755 (executable)
--- a/source3/script/tests/test_large_acl.sh
+++ b/source3/script/tests/test_large_acl.sh
@@ -43,14 +43,11 @@ build_files
 test_large_acl()
 {
        #An ACL with 200 entries, ~7K
-       new_acl=$(seq 1001 1200 | sed -r -e '1 i\D:(A;;0x001f01ff;;;WD)' -e 's/(.*)/(A;;0x001f01ff;;;S-1-5-21-11111111-22222222-33333333-\1)/' | tr -d '\n')
-        # the ace flags will lose their 0x00 padding when reserialised from the SD.
-        new_acl_out=$(echo -n "$new_acl" | perl -p -e 's/0x00/0x/g')
+       new_acl=$(seq 1001 1200 | sed -r -e '1 i\D:(A;;FA;;;WD)' -e 's/(.*)/(A;;FA;;;S-1-5-21-11111111-22222222-33333333-\1)/' | tr -d '\n')
        $SMBCACLS //$SERVER/acl_xattr_ign_sysacl_windows -U $USERNAME%$PASSWORD --sddl -S $new_acl large_acl
        actual_acl=$($SMBCACLS //$SERVER/acl_xattr_ign_sysacl_windows -U $USERNAME%$PASSWORD --sddl --numeric large_acl 2>/dev/null | sed -rn 's/.*(D:.*)/\1/p' | tr -d '\n')
-       if [ ! "$new_acl_out" = "$actual_acl" ]; then
-               echo -e "given:\n$new_acl\n"
-               echo -e "expected:\n$new_acl_out\nactual:\n$actual_acl\n"
+       if [ ! "$new_acl" = "$actual_acl" ]; then
+               echo -e "expected:\n$new_acl\nactual:\n$actual_acl\n"
                return 1
        fi
 }

diff --git a/testprogs/blackbox/test_samba-tool_ntacl.sh b/testprogs/blackbox/test_samba-tool_ntacl.sh
index 813edd71e4c1ddf455638fabcdb51bb75f88d953..fadb511f70e4143dfaa328d83814e8f79d6c728b 100755 (executable)
--- a/testprogs/blackbox/test_samba-tool_ntacl.sh
+++ b/testprogs/blackbox/test_samba-tool_ntacl.sh
@@ -18,15 +18,13 @@ samba_tool="$samba4bindir/samba-tool"
 testfile="$PREFIX/ntacl_testfile"
 
 # acl from samba_tool/ntacl.py tests
-acl="O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
-
-new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+acl="O:DAG:DUD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;FA;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468"
 
 acl_without_padding=$(echo -n "$acl" | perl -p -e 's/0x00/0x/g')
 new_acl_without_padding=$(echo -n "$new_acl" | perl -p -e 's/0x00/0x/g')
 
-new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468"
-
 . $(dirname $0)/subunit.sh
 
 UID_WRAPPER_ROOT=1