bugs in the (re)calculation of SDs ?

Nadezhda Ivanova nivanova at samba.org
Mon Jun 13 16:44:21 MDT 2011


Hi Mat,
As far as I remember, Matthias hard-coded the SD on Sites to compensate for
a bug which I later fixed. It was a few months ago so I have forgotten the
exact case, but I believe the problem was that because of an incorrect
function for finding an object's partition, partitions inherited ACEs from
the default naming context. This was fixed, but I do not remember why the
hard-coded SD remains, I'll take a look. As for SACLs, their creation
follows the general SD rules but I haven't really tested those as up to now
they weren't of interest, as they mostly govern features such as auditing
that Samba does not yet support, so it is possible something is still buggy
there. I'll get on IRC tomorrow and try to reproduce and analyze the issue.
Just curious, what tool are you using to compare SDs?

Regards,
Nadya

On Tue, Jun 14, 2011 at 12:55 AM, Matthieu Patou <mat at samba.org> wrote:

> On 14/06/2011 01:35, Matthieu Patou wrote:
>
>> Hello Nadya, and all !
>>
>> I'm working one more time on upgradeprovision and I'm facing some
>> "challenges" with the security descriptors.
>> In the attached log you have the output of upgradeprovision after the
>> second run on a given provision. At this point we expect the two provisions
>> to be quite similar. It's the case but the differences are on the SDs and
>> they are not very small. This occurs despite the fact that the first run has
>> modified all the objects with the recalculate_sd control so *normally* we
>> should have the correct SD with the correct calculation method.
>>
>> Can you have a look ?
>>
> Ok, that's not that strange I just didn't really call recalculate,
> still have this:
>
> On object CN=SMTP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
> different
>    Current ACL hasn't a sacl part
>
> On object CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
> different
>    Current ACL hasn't a sacl part
>
> On object
> CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
> ACL is different
>    Current ACL hasn't a sacl part
>
> On object CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
> different
>    Current ACL hasn't a sacl part
>
> On object CN=Inter-Site
> Transports,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
> different
>    Current ACL hasn't a sacl part
>
> On object CN=Subnets,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
> ACL is different
>    Current ACL hasn't a sacl part
>
> On object
> CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
> ACL is different
>    Current ACL hasn't a sacl part
>
> On object CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp ACL is
> different
>    Part dacl is different between reference and current here is the detail:
>        (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) ACE is not present in the
> reference
>        (A;;RPWPCRCCLCLORCWOWDSW;;;EA) ACE is not present in the current
>    Current ACL hasn't a sacl part
>
> On object CN=NTDS
> Settings,CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
> ACL is different
>    Current ACL hasn't a sacl part
>
> On object
> CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
> ACL is different
>    Current ACL hasn't a sacl part
>
> On object CN=NTDS Site
> Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=alpha13,DC=samba,DC=corp
> ACL is different
>    Current ACL hasn't a sacl part
>
> So most of the objects are Ok but we have a couple where there is no sacl
> part ...
>
> The difference on "Sites" is logical as we don't do the usual ACL
> calculation, the question is why in this changeset 8b9a08e1 (Matthias allo
> ?) we started to set it in hard. Or more exactly why aren't we able to
> calculate it correctly (question to dochelp maybe).
>
>
> Matthieu.
> --
> Matthieu Patou
> Samba Team http://samba.org
> Private repo http://git.samba.org/?p=mat/samba.git;a=summary
>
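
An added example, not part of the original thread and not Samba's upgradeprovision code: a minimal SDDL comparison that reports the kinds of differences shown in the quoted log (a missing SACL part, ACEs present on only one side). The function names and sample SDDL strings are constructed for illustration; only the two differing DACL ACEs are taken from the log, and conditional ACEs with nested parentheses are assumed absent.

```python
import re

# Constructed sample SDDL; only the two differing DACL ACEs come from the log.
REFERENCE = ("O:EAG:EAD:(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPLCLORC;;;AU)"
             "S:(AU;SA;WPWOWD;;;WD)")
CURRENT = "O:EAG:EAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"

def split_sddl(sddl):
    """Return the O:, G:, D: and S: components that are present, keyed by tag."""
    parts, depth, tag, start = {}, 0, None, 0
    for i, ch in enumerate(sddl):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ":" and depth == 0 and i > 0 and sddl[i - 1] in "OGDS":
            if tag:
                parts[tag] = sddl[start:i - 1]
            tag, start = sddl[i - 1], i + 1
    if tag:
        parts[tag] = sddl[start:]
    return parts

def aces(acl):
    """Split a D: or S: component into (flags, [ace, ...]); plain ACEs only."""
    return acl.split("(", 1)[0], re.findall(r"\([^()]*\)", acl)

def diff_sd(reference, current):
    """List the differences between two SDDL strings (presence, not ACE order)."""
    ref, cur = split_sddl(reference), split_sddl(current)
    report = []
    for tag, name in (("O", "owner"), ("G", "group")):
        if ref.get(tag) != cur.get(tag):
            report.append(f"{name} differs: {ref.get(tag)} != {cur.get(tag)}")
    for tag, name in (("D", "dacl"), ("S", "sacl")):
        if (tag in ref) != (tag in cur):
            side = "reference" if tag in cur else "current"
            report.append(f"{side} has no {name} part")
        elif tag in ref:
            (rflags, race), (cflags, cace) = aces(ref[tag]), aces(cur[tag])
            if rflags != cflags:
                report.append(f"{name} flags differ: {rflags!r} != {cflags!r}")
            report += [f"{name}: {a} not in reference" for a in cace if a not in race]
            report += [f"{name}: {a} not in current" for a in race if a not in cace]
    return report

if __name__ == "__main__":
    print("\n".join(diff_sd(REFERENCE, CURRENT)))
```

The comparison is by ACE presence only; a check that also cares about evaluation order would compare the ACE lists positionally.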

