Domain Admins as a GID only and classicupgrade

Ricky Nance ricky.nance at weaubleau.k12.mo.us
Wed Aug 29 02:30:11 MDT 2012


Can the ACL code be dropped from classicupgrade until this is sorted, or
does that pose some sort of risk (security or stability wise)?

On Wed, Aug 29, 2012 at 3:27 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2012-08-29 at 03:21 -0500, Ricky Nance wrote:
> > Andrew, there is still an ACL bug in classicupgrade (more in ntacls.py
> > I believe because samba-tool ntacl sysvolreset breaks similar to
> > this), not sure if you want this out before you drop beta 8 or not,
> > but here is the error.  http://paste.ubuntu.com/1173392/  Let me know
> > what else I can get for you.
>
> The issue here is annoyingly fundamental, rather than a simple fix.
>
> The problem is that we need to make some files become owned by 'domain
> administrators', but the imported idmap has a GID for the -512 group.
>
> Because it won't map to a UID, we can't chown the file and it all falls
> flat.
>
> The fix is to find a way to map it to both on the input side, and store
> that mapping on the output side (as we decided to fill it in to the
> rfc2307 uidNumber/gidNumber, and there isn't an established way to say
> 'both' in that schema).
>
> Andrew Bartlett
>
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>


--


More information about the samba-technical mailing list