bugs in the (re)calculation of SDs ?

Matthieu Patou mat at matws.net
Tue Jun 14 16:14:18 MDT 2011 

On 14/06/2011 17:58, Matthieu Patou wrote:
> On 14/06/2011 02:44, Nadezhda Ivanova wrote:
>> Hi Mat,
>> As far as I remember, Matthias hard-coded the SD on Sites to 
>> compensate for
>> a bug which I later fixed. It was a few months ago so I have 
>> forgotten the
>> exact case, but I believe the problem was that because of  an incorrect
>> function for finding an object's partition, partitions inherited ACEs 
>> from
>> the default naming context.
> Well obviously we still have a problem as we are not able to calculate 
> the same as the one that are hard coded.
> Did you push your fix in master ?
>
> I made a small analysis and got this:
>
> w2k8r2
> O:EAG:EA
> D:
> AI
> (A;;RPLCLORC;;;AU)
> (A;;RPWPCRCCLCLORCWOWDSW;;;EA)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
> (A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
> (A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)
> (OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER) 
>
>
> recalcalcultated
> O:EAG:DU
> D:
> AI
> (A;;RPLCLORC;;;AU)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
> (A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
> (A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)
>
> in provision/__init__.py
> "D:(A;;RPLCLORC;;;AU)" \
> "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
> "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>
> in a new provision
> O:EAG:DU
> D:
> AI
> (A;;RPLCLORC;;;AU)
> (A;;RPWPCRCCLCLORCWOWDSW;;;EA)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
> (A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
> (A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)
>
>
> in a ~alpha11 provision
> O:EAG:DU
> D:
> AI
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)
> (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
> (A;;RPLCLORC;;;AU)
> (A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)
> (A;CIIOID;RPWPCRCCLCLORCWOWDSDSW;;;DA)
>
I made more investigations just to see how good or bad we are at 
generating SDs, well I must confess that I'm pretty pleased because if 
you take a w2k3r2 provision vampire it and then trick upgradeprovision 
to make him believe that it could upgrade it we have this deltas:


On object CN=Inter-Site 
Transports,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object CN=NTDS 
Settings,CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object 
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Part dacl is different between reference and current here is the 
detail:
         (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) ACE is not present in the 
reference
         (A;;RPWPCRCCLCLORCWOWDSW;;;EA) ACE is not present in the current
     Current ACL hasn't a sacl part

On object CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site 
Transports,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object CN=IP,CN=Inter-Site 
Transports,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object CN=NTDS Site 
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object 
CN=Subnets,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object 
CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object 
CN=ARES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object CN=SMTP,CN=Inter-Site 
Transports,CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Current ACL hasn't a sacl part

On object CN=Guest,CN=Users,DC=w2k3r2,DC=home,DC=matws,DC=net ACL is 
different
     Part dacl is different between reference and current here is the 
detail:
         (OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561) 
ACE is not present in the current

On object CN=krbtgt,CN=Users,DC=w2k3r2,DC=home,DC=matws,DC=net ACL is 
different
     Part dacl is different between reference and current here is the 
detail:
         (OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561) 
ACE is not present in the current

On object CN=Administrator,CN=Users,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Part dacl is different between reference and current here is the 
detail:
         (OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561) 
ACE is not present in the current


If we put appart sacl that are sometimes broken, here is the list of 
differences.

On object CN=Sites,CN=Configuration,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Part dacl is different between reference and current here is the 
detail:
         (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) ACE is not present in the 
reference
         (A;;RPWPCRCCLCLORCWOWDSW;;;EA) ACE is not present in the current
     Current ACL hasn't a sacl part

I have the feeling that the fix introduced in this bug report: 
https://bugzilla.samba.org/show_bug.cgi?id=7403 is not the good one

On object CN=Guest,CN=Users,DC=w2k3r2,DC=home,DC=matws,DC=net ACL is 
different
     Part dacl is different between reference and current here is the 
detail:
         (OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561) 
ACE is not present in the current

On object CN=krbtgt,CN=Users,DC=w2k3r2,DC=home,DC=matws,DC=net ACL is 
different
     Part dacl is different between reference and current here is the 
detail:
         (OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561) 
ACE is not present in the current

On object CN=Administrator,CN=Users,DC=w2k3r2,DC=home,DC=matws,DC=net 
ACL is different
     Part dacl is different between reference and current here is the 
detail:
         (OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561) 
ACE is not present in the current

For this 3 ones, I wondering how it happens that the 
SID_BUILTIN_TS_LICENSE_SERVERS is granted rights on the property set 
5805bc62-bdc9-4428-a5e2-856a0f4c185e. I guess it's a question for dochelp.


Matthieu.

More information about the samba-technical mailing list