on DS acl

Nadezhda Ivanova nivanova at samba.org
Thu Apr 8 02:19:28 MDT 2010


Hi Matthieu,
We shouldn't be duplicating the ACEs, it's a bug. From the point of view of
the access checks a harmless one as it does not change the results of access
checking, but maybe it affects tools that expect differently? I will be
going back to descriptor generation soon to make sure ACE ordering is
correct and fix issues like that, thanks for bringing it to my attention.

Regards,
Nadya

On Thu, Apr 8, 2010 at 12:23 AM, Matthieu Patou <mat+Informatique.Samba at matws.net> wrote:

> Hello Nadya,
>
> I was looking a bit more carefully at the ACL due to differences in upgrade
> provision and I found this:
>
> After recalculation
> O:DAG:DU
>
> D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;RPLCLORC;;;AU)(OA;CIID;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CIID;RPLCLORC;;;ED)
>
> S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>
> From provision
> O:DAG:DU
>
> D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;RPLCLORC;;;AU)(OA;CIID;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CIID;RPLCLORC;;;ED)(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
>
> S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>
> There are a couple of subtle differences on the DACL (SACL is ok); these two
> entries are duplicated:
>
> * (A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)
> * (A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
>
> They are in the reference provision but not in the upgraded provision.
> This small difference has a simple explanation: for the core GPO we set
> the ACL manually in the ldif.
>
> My question: is it normal that when specifying 1 ACE with CO I finally get
> a second one (I suppose that there is some magic implying the default ACL
> for this object class also)?
>
> Matthieu.
>
>
>
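
The comparison done by eye in the quoted message can be scripted. The following Python is an added example, not part of the original thread and not Samba code: it parses the two DACL strings quoted above, reports ACEs that occur more than once, and diffs the two lists. The function names are hypothetical, and ACEs carrying conditional expressions (nested parentheses) are assumed absent.

```python
import re
from collections import Counter, namedtuple

Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid sid")

# DACL strings copied from the thread above.
RECALCULATED = (
    "D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CIID;RPLCLORC;;;AU)(OA;CIID;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
    "(A;CIID;RPLCLORC;;;ED)"
)
PROVISION = RECALCULATED + (
    "(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)"
)

def parse_dacl(sddl):
    """Return (dacl_flags, [Ace, ...]) in ACL order for a 'D:...' SDDL part."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl.strip())
    if not m:
        raise ValueError("not a plain DACL SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:  # type;flags;rights;object;inherit_object;sid
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(*fields))
    return m.group(1), aces

def duplicate_aces(sddl):
    """Map each ACE that appears more than once to its occurrence count."""
    return {a: n for a, n in Counter(parse_dacl(sddl)[1]).items() if n > 1}

def dacl_diff(a, b):
    """ACEs (counting multiplicity) found only in a, and only in b."""
    ca, cb = Counter(parse_dacl(a)[1]), Counter(parse_dacl(b)[1])
    return list((ca - cb).elements()), list((cb - ca).elements())

def dedupe(sddl):
    """Drop later exact repeats, keeping the first occurrence and the order."""
    flags, aces = parse_dacl(sddl)
    unique = dict.fromkeys(aces)  # dict preserves insertion order
    return "D:" + flags + "".join("(" + ";".join(a) + ")" for a in unique)

if __name__ == "__main__":
    for ace, n in duplicate_aces(PROVISION).items():
        print(f"{n}x ({';'.join(ace)})")
    print("dedupe(PROVISION) == RECALCULATED:", dedupe(PROVISION) == RECALCULATED)
```

Only byte-identical ACE strings are treated as duplicates here; ACEs that differ in inheritance flags, such as `ID` versus `CIID`, are kept as distinct entries.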

