descriptor calculation for NC

Matthieu Patou mat at
Wed Nov 16 02:03:43 MST 2011

Hello Nadya,

On 16/11/2011 09:08, Nadezhda Ivanova wrote:
> Hi Matthieu,
> I agree with Andrew, we should always be checking if there is instanceType.
> When I first wrote that code we did not have any Application partitions,
> and replication wasn't ready yet either, so that wasn't a use case, but now it
> needs to be fixed. Could you please do it? I am trying to get back into
> Samba development, but I will not have time to look into this until Sunday,
Well, with Amitay we fixed it yesterday, and Amitay pushed it to autobuild.
> when I will also be investigating the proper setting of SD's on application
> partitions now that we have them.
Ok good. I still think that, given your deep knowledge of ACLs, the
biggest hotspot is ACLs on read.


> Regards,
> Nadya
> On Wed, Nov 16, 2011 at 12:34 AM, Andrew Bartlett <abartlet at> wrote:
>> On Tue, 2011-11-15 at 23:06 +0100, Matthieu Patou wrote:
>>> Hello Nadya and all the SD/NtACLs experts,
>>> I'm debugging what's happening when a Windows DC asks Samba to create a
>>> new NC for the DNS zone, and logically it's going in the descriptor
>>> module for the creation of the SD.
>>> I found this code and at least for my case it didn't work, or more
>>> exactly I think it won't be correct.
>>> So I'm wondering if:
>>> 1) the comment is still valid as when we replicate it seems that we have
>>> the instanceType attribute, the same for the provision and the same when
>>> the NC is created after (with DRS_addEntry for instance).
>>> 2) if we could introduce a test to check the presence of instanceType
>>> and the indicator of NC_HEAD and use it in priority.
>> This sounds exactly the right way to handle this.  We should generally
>> work this out based on instanceType.  The code in descriptor_modify
>> looks correct for add (reworked to look at the incoming add, not the
>> search).  Perhaps some of it can be factored out into a common routine.
>> Andrew Bartlett
>> --
>> Andrew Bartlett                      
>> Authentication Developer, Samba Team 

Matthieu Patou
Samba Team
