ntSecurityDescriptor and acl module

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Fri Nov 20 01:53:24 MST 2009

Hi Tridge,
I do not think this change will affect the modification checks, as in those cases I search for the descriptor explicitly. It may affect the search, but we are not there yet so I will take it into account. Thanks for letting me know!

----- Original Message -----
> From: tridge at samba.org <tridge at samba.org>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: samba-technical at samba.org <samba-technical at samba.org>
> Sent: Friday, November 20, 2009 6:23:38 AM GMT+0200 Europe;Athens
> Subject: ntSecurityDescriptor and acl module

> > Hi Nadya,
> I've just changed operational.c to not give the ntSecurityDescriptor
> unless it's actually asked for. This matches AD behaviour, so I think
> it's correct, but I thought this may affect your ACL work so I am
> letting you know to watch out for it.
> The problem is that the acl module is higher up the module stack than
> the operational module. This means that the acl module will now never
> see a ntSecurityDescriptor attribute unless it was asked for. So if
> the acl module relies on getting a ntSecurityDescriptor attribute on
> every search then it will fail.
> make test still passes at the moment, but I know you're still working
> on the ACL code, so I thought it was worth mentioning.
> Cheers, Tridge

More information about the samba-technical mailing list