bugs in the (re)calculation of SDs ?

Matthieu Patou mat at samba.org
Mon Jun 13 15:55:47 MDT 2011 

On 14/06/2011 01:35, Matthieu Patou wrote:
> Hello Nadya, and all !
>
> I'm working one more time on upgradeprovision and I'm facing some 
> "challenges" with the security descriptors.
> In the attached log you have the output of upgradeprovision after the 
> second run on a given provision. At this point we expect the two 
> provision to be quite similar. It's the case but the differences are 
> on the SDs and they are not very small. This occur despite the fact 
> that the first run has modified all the objects with the 
> recalculate_sd control so *normaly* we should have the correct SD with 
> the correct calculation method.
>
> Can you have a look ?
>
Ok, that's not that strange I just didn't really called recalculate, 
still have this:

On object CN=SMTP,CN=Inter-Site 
Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is 
different
     Current ACL hasn't a sacl part

On object CN=IP,CN=Inter-Site 
Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is 
different
     Current ACL hasn't a sacl part

On object 
CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp 
ACL is different
     Current ACL hasn't a sacl part

On object CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site 
Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is 
different
     Current ACL hasn't a sacl part

On object CN=Inter-Site 
Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is 
different
     Current ACL hasn't a sacl part

On object 
CN=Subnets,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is 
different
     Current ACL hasn't a sacl part

On object 
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp 
ACL is different
     Current ACL hasn't a sacl part

On object CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is 
different
     Part dacl is different between reference and current here is the 
detail:
         (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) ACE is not present in the 
reference
         (A;;RPWPCRCCLCLORCWOWDSW;;;EA) ACE is not present in the current
     Current ACL hasn't a sacl part

On object CN=NTDS 
Settings,CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp 
ACL is different
     Current ACL hasn't a sacl part

On object 
CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp 
ACL is different
     Current ACL hasn't a sacl part

On object CN=NTDS Site 
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp 
ACL is different
     Current ACL hasn't a sacl part

So most of the objects are Ok but we have a couple where there is no 
sacl part ...

The difference on "Sites" is logical as we don't do the usual ACL 
calculation, the question is why in this changeset 8b9a08e1 (Matthias 
allo ?) we started to set it in hard. Or more exactly why aren't we able 
to calculate it correctly (question to dochelp maybe).

Matthieu.-- Matthieu Patou Samba Team http://samba.org Private repo 
http://git.samba.org/?p=mat/samba.git;a=summary

More information about the samba-technical mailing list