[Patch] add --as-sddl option to getntacl and create setntacl

Matthieu Patou mat at matws.net
Tue Jan 12 01:54:36 MST 2010

Here is the final version, with reworked comments.

I added two patches for upgradeprovision as it is a bit touched by this 
patchs set.

Patches are at 
it starts at ntacl_start and go up to ntacl_step2


On 12/01/2010 03:57, Matthieu Patou wrote:
> So patches have been reworked a little bit to comply with andrew B and
> jelmer remarks.
> make test is also good (not worse than without the patches ;-)
> Let me know
> Matthieu.
> On 11/01/2010 20:49, Matthieu Patou wrote:
>> Hello,
>> I am pushing one more time this pile of patch to you for some review
>> here:
>> http://repo.or.cz/w/Samba/ekacnet.git/shortlog/refs/heads/ntacls-review
>> Comparing to last email differences starts at ntalc_step1 and go to
>> ntacl_step2.
>> The major differences are:
>> * reimplementation of set/getntacl in python and move to net acl
>> subcommands
>> * use of multiple backends for storing/querying the ntacl (native fs
>> xattr or tdb file)
>> Please comments.
>> Please also note that I didn't have the time yet to make full
>> regressions tests so I am mostly waiting for your comments (tests are in
>> process).
>> Matthieu.
>> On 28/10/2009 10:35, Matthieu Patou wrote:
>>> On 10/28/2009 08:57 AM, Andrew Bartlett wrote:
>>>> On Mon, 2009-10-26 at 00:33 +0300, Matthieu Patou wrote:
>>>>> Hello,
>>>>> Find attach 2 patchs, the first one for creating the setntacl tool and
>>>>> for improving command line parsing in getntacl.
>>>>> The second one is an improvement of the provision to put all the GPO
>>>>> stuff together (and out of setup_samdb). It also include calls to
>>>>> setntacl for setting ACL on files as they are in the AD so that GPMC
>>>>> will be more happy.
>>>> The tools look good, but need tests (otherwise they will shortly
>>>> break).
>>> I'll provide some of them, it's not gonna be very difficult I guess.
>>>> The changes to provision however still need work - I really don't like
>>>> the idea of shelling out to setntacl like that. Can we instead have
>>>> what that tool does put into a library and then wrapped with python
>>>> bindings?
>>> I was pretty sure that you'll make this objection.
>>> Appart from the command line stuff, it's mosty library calls as we are
>>> transforming a sddl string into a SD and then transforming it into a
>>> blob (ndr_push) and this blob is written as an extended attribute.
>>> The first part has already python binding, the ndr_push I think also,
>>> I'm not sure for the last part but it's even more just an I/O stuff.
>>> So basicaly I can make a python function that takes a SDDL in entry an
>>> that write it into a file and wrote 1/2 tests for it.
>>> Matthieu.

More information about the samba-technical mailing list