PATCHES: On enabling read ACLs on LDAP searches for 4.0

Andrew Bartlett abartlet at samba.org
Wed Dec 5 23:20:01 MST 2012


On Sun, 2012-11-25 at 23:39 +0100, Stefan (metze) Metzmacher wrote:
> Hi,
> 
> I've some patches which fix several bugs:
> 
> Read ACL are not enabled by default on DS
> https://bugzilla.samba.org/show_bug.cgi?id=8620
> 
> ACL module: support the tree delete right
> https://bugzilla.samba.org/show_bug.cgi?id=7711
> 
> ACL are not recalculated if parent is changed and inherit is enabled
> https://bugzilla.samba.org/show_bug.cgi?id=8621
> 
> The branch is available here:
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
> 
> The only patch which makes autobuild take longer (by about 20 mins)
> is the last one:
> s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for
> replicated changes
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=ddd27d2b15a0b7e72abeeb4a259d83691d14abd6
> 
> I'll try to debug why it slows down make test tomorrow.
> 
> But the important thing is that
> s4:dsdb/acl_read: enable acl checking on search by default
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=39b425ac31a4497c162ffb29ccc92dbca95def69
> doesn't cause a slow down.
> 
> Please have a look at these important fixes; it would be good to get some
> additional testing.

The result of that testing isn't positive, I'm sorry to say.  I'm back
from my time away, and I've run a wintest on current master. 

Now, wintest isn't the most reliable of beasts (frankly, it's a royal
pain, only surpassed by the pain of doing this totally manually), but
I'm confident that the attached error message indicates an ACL issue.

Additionally, a wintest with 'acl:search=false' set passes that step.

Given this, and if the separate issue of MMC crashing is also related,
we may have no choice but to revert the default here, given the
timeframe :-(

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
Starting...

Checking if Group Policy Management Console needs to be installed...

Changing domain membership of this computer...

Press CTRL-C to: Cancel

Located domain controller obed.s4.howto.abartlet.net for domain s4.howto.abartlet.net


Stopping service NETLOGON


The attempted domain controller operation has completed


The functional level of the forest is incompatible with this operating system.



The operation failed because:

The functional level of the forest is incompatible with this operating system.

"The version of the operating system installed on this server no longer supports the current AD DS Forest functional level or AD LDS Configuration Set functional level. You must raise the AD DS Forest functional level or AD LDS Configuration Set functional level before this server can become an AD DS Domain Controller or an AD LDS Instance in this Forest or Configuration Set."

This error can occur if you have not been granted necessary permissions to read data in the directory.  For more information, please see article 936241 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=88420).
Active Directory Domain Services was not installed.

Active Directory Domain Services (AD DS) binaries will remain installed. To uninstall AD DS binaries, use Server Manager to remove the AD DS role.

Windows Server 2008 and "Windows Server 2008 R2" domain controllers have a new more secure default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0." This setting prevents Microsoft Windows and non-Microsoft SMB "clients" from using weaker NT 4.0 style cryptography algorithms when establishing security channel sessions against Windows Server 2008 or "Windows Server 2008 R2" domain controllers. As a result of this new default, operations or applications that require a security channel serviced by Windows Server 2008 or "Windows Server 2008 R2" domain controllers might fail.

Platforms impacted by this change include Windows NT 4.0, as well as non-Microsoft SMB "clients" and network-attached storage (NAS) devices that do not support stronger cryptography algorithms. Some operations on clients running versions of Windows earlier than Windows Vista with Service Pack 1 are also impacted, including domain join operations performed by the Active Directory Migration Tool or Windows Deployment Services.

For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

You must restart this computer to complete the operation.

C:\Users\Administrator>echo off

echo START DCPROMO log
START DCPROMO log

more c:\windows\debug\dcpromoui.log
dcpromoui 7EC.6E4 0000 11:52:59.031 opening log file C:\Windows\debug\dcpromoui.log
dcpromoui 7EC.6E4 0001 11:52:59.031 C:\Windows\system32\dcpromo.exe
dcpromoui 7EC.6E4 0002 11:52:59.031 file timestamp 07/14/2009 12:39:02.901
dcpromoui 7EC.6E4 0003 11:52:59.031 local time 02/21/2012 11:52:59.031
dcpromoui 7EC.6E4 0004 11:52:59.031 running Windows NT 6.1 build 7601 Service Pack 1 (BuildLab:7601.win7sp1_gdr.110622-1506) amd64
dcpromoui 7EC.6E4 0005 11:52:59.031 logging flags 0001007C
dcpromoui 7EC.6E4 0006 11:52:59.031 Enter wmain
dcpromoui 7EC.6E4 0007 11:52:59.031   Enter CheckArgs
dcpromoui 7EC.6E4 0008 11:52:59.031     Enter CArgumentsSpec::ValidateArgument answer
dcpromoui 7EC.6E4 0009 11:52:59.031   Detecting WOW64
dcpromoui 7EC.6E4 000A 11:52:59.031   Detecting OS product type
dcpromoui 7EC.6E4 000B 11:52:59.031   Enter CheckIsServerCore
dcpromoui 7EC.6E4 000C 11:52:59.031     It is not on server foundation
dcpromoui 7EC.6E4 000D 11:52:59.031     HRESULT = 0x00000000
dcpromoui 7EC.6E4 000E 11:52:59.031   Enter IsSKUSupported
dcpromoui 7EC.6E4 000F 11:52:59.031   GUI mode: false
dcpromoui 7EC.6E4 0010 11:52:59.031   Create mutex returns 0x0
dcpromoui 7EC.6E4 0011 11:52:59.031   Console mode
dcpromoui 7EC.6E4 0012 11:52:59.031   Enter CheckInstallStates
dcpromoui 7EC.6E4 0013 11:52:59.031     Detecting NetFx3 component install state
dcpromoui 7EC.45C 0014 11:52:59.031 Enter CbsGetUpdateInstallState
dcpromoui 7EC.45C 0015 11:52:59.031   The category is 3
dcpromoui 7EC.45C 0016 11:52:59.031   Enter FindRoleInfo
dcpromoui 7EC.45C 0017 11:52:59.031     Enter CheckIsServerCore
dcpromoui 7EC.45C 0018 11:52:59.031       It is not on server foundation
dcpromoui 7EC.45C 0019 11:52:59.031       HRESULT = 0x00000000
dcpromoui 7EC.45C 001A 11:52:59.031   Enter GetUpdateName
dcpromoui 7EC.45C 001B 11:52:59.031   Enter GetPackageName
dcpromoui 7EC.45C 001C 11:53:04.897     Package name for Microsoft-Windows-Foundation-Package is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514
dcpromoui 7EC.45C 001D 11:53:04.912   Enter CbsGetUpdateInstallState
dcpromoui 7EC.45C 001E 11:53:04.912     package name is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 and update name is NetFx3
dcpromoui 7EC.45C 001F 11:53:05.833   HRESULT = 0x00000000
dcpromoui 7EC.6E4 0020 11:53:05.848     HRESULT = 0x00000000
dcpromoui 7EC.6E4 0021 11:53:05.848     NetFx3 component install state is 7
dcpromoui 7EC.6E4 0022 11:53:05.848     Detecting DS component install state
dcpromoui 7EC.7B8 0023 11:53:05.848 Enter CbsGetUpdateInstallState
dcpromoui 7EC.7B8 0024 11:53:05.848   The category is 0
dcpromoui 7EC.7B8 0025 11:53:05.848   Enter FindRoleInfo
dcpromoui 7EC.7B8 0026 11:53:05.848     Enter CheckIsServerCore
dcpromoui 7EC.7B8 0027 11:53:05.848       It is not on server foundation
dcpromoui 7EC.7B8 0028 11:53:05.848       HRESULT = 0x00000000
dcpromoui 7EC.7B8 0029 11:53:05.848   Enter GetUpdateName
dcpromoui 7EC.7B8 002A 11:53:05.848   Enter GetPackageName
dcpromoui 7EC.7B8 002B 11:53:06.660     Package name for Microsoft-Windows-Foundation-Package is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514
dcpromoui 7EC.7B8 002C 11:53:06.691   Enter CbsGetUpdateInstallState
dcpromoui 7EC.7B8 002D 11:53:06.691     package name is Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514 and update name is DirectoryServices-DomainController
dcpromoui 7EC.7B8 002E 11:53:07.674   HRESULT = 0x00000000
dcpromoui 7EC.6E4 002F 11:53:07.674     HRESULT = 0x00000000
dcpromoui 7EC.6E4 0030 11:53:07.674     DS component install state is 7
dcpromoui 7EC.6E4 0000 11:53:07.720 appending to log file C:\Windows\debug\dcpromoui.log
dcpromoui 7EC.6E4 0001 11:53:07.720 C:\Windows\system32\dcpromo.exe
dcpromoui 7EC.6E4 0002 11:53:07.720 file timestamp 07/14/2009 12:39:02.901
dcpromoui 7EC.6E4 0003 11:53:07.720 C:\Windows\system32\dcpromocmd.dll
dcpromoui 7EC.6E4 0004 11:53:07.720 file timestamp 11/21/2010 00:26:03.122
dcpromoui 7EC.6E4 0005 11:53:07.720 local time 02/21/2012 11:53:07.720
dcpromoui 7EC.6E4 0006 11:53:07.720 running Windows NT 6.1 build 7601 Service Pack 1 (BuildLab:7601.win7sp1_gdr.110622-1506) amd64
dcpromoui 7EC.6E4 0007 11:53:07.720 logging flags 0011007C
dcpromoui 7EC.6E4 0008 11:53:07.720 Enter DCPromoEntryW
dcpromoui 7EC.6E4 0009 11:53:07.720   Enter Computer::RemoveLeadingBackslashes 
dcpromoui 7EC.6E4 000A 11:53:07.720   Enter Computer::Refresh
dcpromoui 7EC.6E4 000B 11:53:07.720     Enter IsLocalComputer
dcpromoui 7EC.6E4 000C 11:53:07.720     Enter RefreshLocalInformation
dcpromoui 7EC.6E4 000D 11:53:07.720     Enter GetProductTypeFromRegistry
dcpromoui 7EC.6E4 000E 11:53:07.720       Enter RegistryKey::Open System\CurrentControlSet\Control\ProductOptions
dcpromoui 7EC.6E4 000F 11:53:07.720       Enter RegistryKey::GetValue-String ProductType
dcpromoui 7EC.6E4 0010 11:53:07.720       ServerNT
dcpromoui 7EC.6E4 0011 11:53:07.720       prodtype : 0x3
dcpromoui 7EC.6E4 0012 11:53:07.720     Enter GetSafebootOption
dcpromoui 7EC.6E4 0013 11:53:07.720       Enter RegistryKey::Open System\CurrentControlSet\Control\SafeBoot\Option
dcpromoui 7EC.6E4 0014 11:53:07.720       HRESULT = 0x80070002
dcpromoui 7EC.6E4 0015 11:53:07.720       returning : 0x0
dcpromoui 7EC.6E4 0016 11:53:07.720     Enter DetermineRoleAndMembership
dcpromoui 7EC.6E4 0017 11:53:07.720       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 7EC.6E4 0018 11:53:07.720         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 7EC.6E4 0019 11:53:07.720           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 7EC.6E4 001A 11:53:07.720           lpServer  : (null)
dcpromoui 7EC.6E4 001B 11:53:07.720           InfoLevel : 0x1 (DsRolePrimaryDomainInfoBasic)
dcpromoui 7EC.6E4 001C 11:53:07.720           HRESULT = 0x00000000
dcpromoui 7EC.6E4 001D 11:53:07.720         MachineRole      : 0x2
dcpromoui 7EC.6E4 001E 11:53:07.720         Flags            : 0x0
dcpromoui 7EC.6E4 001F 11:53:07.720         DomainNameFlat   : WORKGROUP
dcpromoui 7EC.6E4 0020 11:53:07.720         DomainNameDns    : (null)
dcpromoui 7EC.6E4 0021 11:53:07.720         DomainForestName : (null)
dcpromoui 7EC.6E4 0022 11:53:07.720       Enter IsDcInRepairMode
dcpromoui 7EC.6E4 0023 11:53:07.720   HRESULT = 0x00000000
dcpromoui 7EC.6E4 0024 11:53:07.720   Enter State::DetermineRunContext
dcpromoui 7EC.6E4 0025 11:53:07.720     Enter DS::GetPriorServerRole
dcpromoui 7EC.6E4 0026 11:53:07.720       Enter MyDsRoleGetPrimaryDomainInformation
dcpromoui 7EC.6E4 0027 11:53:07.720         Enter MyDsRoleGetPrimaryDomainInformationHelper
dcpromoui 7EC.6E4 0028 11:53:07.720           Calling DsRoleGetPrimaryDomainInformation
dcpromoui 7EC.6E4 0029 11:53:07.720           lpServer  : (null)
dcpromoui 7EC.6E4 002A 11:53:07.720           InfoLevel : 0x2 (DsRoleUpgradeStatus)
dcpromoui 7EC.6E4 002B 11:53:07.720           HRESULT = 0x00000000
dcpromoui 7EC.6E4 002C 11:53:07.720         OperationState      : 0
dcpromoui 7EC.6E4 002D 11:53:07.720         PreviousServerState : 0
dcpromoui 7EC.6E4 002E 11:53:07.720     Enter Computer::GetNetbiosName
dcpromoui 7EC.6E4 002F 11:53:07.720       WIN2008R2-6
dcpromoui 7EC.6E4 0030 11:53:07.720     Enter Computer::GetRole WIN2008R2-6
dcpromoui 7EC.6E4 0031 11:53:07.720       role: 2
dcpromoui 7EC.6E4 0032 11:53:07.720     NT5_STANDALONE_SERVER
dcpromoui 7EC.6E4 0033 11:53:07.720   Enter State::GetRunContext NT5_STANDALONE_SERVER
dcpromoui 7EC.6E4 0034 11:53:07.720   Enter State::ProcessCmdLineOnlyArgs
dcpromoui 7EC.6E4 0035 11:53:07.720     Enter CArgumentsSpec::ValidateArgument answer
dcpromoui 7EC.6E4 0036 11:53:07.720   Enter State::DetermineArgumentSpec
dcpromoui 7EC.6E4 0037 11:53:07.720     Enter State::GetMode NORMAL
dcpromoui 7EC.6E4 0038 11:53:07.720     Enter State::GetOperation NONE
dcpromoui 7EC.6E4 0039 11:53:07.720   Enter ValidateArgs
dcpromoui 7EC.6E4 003A 11:53:07.720     found no additional commandline options
dcpromoui 7EC.6E4 003B 11:53:07.720   Enter State::SetupAnswerFile answers.txt
dcpromoui 7EC.6E4 003C 11:53:07.720     Enter FS::NormalizePath answers.txt
dcpromoui 7EC.6E4 003D 11:53:07.720     answerfile resolved to: C:\Users\Administrator\answers.txt
dcpromoui 7EC.6E4 003E 11:53:07.720     Enter FS::GetPathSyntax C:\Users\Administrator\answers.txt
dcpromoui 7EC.6E4 003F 11:53:07.720     true
dcpromoui 7EC.6E4 0040 11:53:07.720     answerfile found
dcpromoui 7EC.6E4 0041 11:53:07.720     answerfile will be considered for unattend settings
dcpromoui 7EC.6E4 0042 11:53:07.720     Enter GetAllKeys
dcpromoui 7EC.6E4 0043 11:53:07.720       Key: ReplicaOrNewDomain
dcpromoui 7EC.6E4 0044 11:53:07.720       Key: ReplicaDomainDNSName
dcpromoui 7EC.6E4 0045 11:53:07.720       Key: PasswordReplicationDenied
dcpromoui 7EC.6E4 0046 11:53:07.720       Key: PasswordReplicationDenied
dcpromoui 7EC.6E4 0047 11:53:07.720       Key: PasswordReplicationDenied
dcpromoui 7EC.6E4 0048 11:53:07.720       Key: PasswordReplicationDenied
dcpromoui 7EC.6E4 0049 11:53:07.720       Key: PasswordReplicationDenied
dcpromoui 7EC.6E4 004A 11:53:07.720       Key: PasswordReplicationAllowed
dcpromoui 7EC.6E4 004B 11:53:07.720       Key: DelegatedAdmin
dcpromoui 7EC.6E4 004C 11:53:07.720       Key: SiteName
dcpromoui 7EC.6E4 004D 11:53:07.720       Key: InstallDNS
dcpromoui 7EC.6E4 004E 11:53:07.720       Key: ConfirmGc
dcpromoui 7EC.6E4 004F 11:53:07.720       Key: Cre
Cleaning up ...
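An added triage helper for the dcpromoui.log excerpt above (example code, not Samba's or Microsoft's): it rebuilds the per-thread call tree from the log's indentation and reports every non-zero HRESULT together with the call path it occurred in, skipping the shell echo lines that the capture interleaved into the output. The two-space-per-level indent convention and the meaning of "Enter" lines are assumptions read off the attached log; the sample lines are copied from it.

```python
"""Triage helper for the dcpromoui.log format in the attachment above.
Line shape: dcpromoui <pid>.<tid> <seq> <hh:mm:ss.mmm> <indent><message>
Assumed (from the attached log): two-space indent per nesting level and
"Enter X" opening frame X; threads interleave, so one stack per pid.tid."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^dcpromoui (?P<tid>[0-9A-F]+\.[0-9A-F]+) (?P<seq>[0-9A-F]{4}) "
                     r"\d\d:\d\d:\d\d\.\d{3} (?P<indent> *)(?P<msg>.*)$")
HRESULT_RE = re.compile(r"^HRESULT = 0x(?P<hr>[0-9A-Fa-f]{8})$")

# Constructed sample: lines copied from the attached log, plus one stray
# shell echo of the kind the capture above interleaved into the output.
SAMPLE_LOG = """\
dcpromoui 7EC.6E4 0008 11:53:07.720 Enter DCPromoEntryW
dcpromoui 7EC.6E4 000A 11:53:07.720   Enter Computer::Refresh
dcpromoui 7EC.6E4 0012 11:53:07.720     Enter GetSafebootOption
dcpromoui 7EC.6E4 0013 11:53:07.720       Enter RegistryKey::Open System\\CurrentControlSet\\Control\\SafeBoot\\Option
dcpromoui 7EC.6E4 0014 11:53:07.720       HRESULT = 0x80070002
dcpromoui 7EC.6E4 0015 11:53:07.720       returning : 0x0
echo END DCPROMO log
dcpromoui 7EC.6E4 0016 11:53:07.720     Enter DetermineRoleAndMembership
dcpromoui 7EC.6E4 0023 11:53:07.720   HRESULT = 0x00000000
""".splitlines()

def find_failures(lines):
    """Return [(seq, hresult, call_path)] for every non-zero HRESULT line.
    call_path is the enclosing frames; when the HRESULT sits at the same depth
    as the preceding "Enter X" (a callee that logged nothing inside its frame,
    as RegistryKey::Open does), X is appended as the likely source."""
    stacks, failures = defaultdict(list), []  # pid.tid -> [(depth, frame)]
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # stray shell echo, blank line, truncated tail
        depth = len(m["indent"]) // 2
        stack, sibling = stacks[m["tid"]], None
        while stack and stack[-1][0] >= depth:  # close frames at >= depth
            d, name = stack.pop()
            sibling = name if d == depth else None
        msg = m["msg"]
        if msg.startswith("Enter "):
            stack.append((depth, msg[len("Enter "):]))
            continue
        hr = HRESULT_RE.match(msg)
        if hr and int(hr["hr"], 16) != 0:
            path = [name for _, name in stack] + ([sibling] if sibling else [])
            failures.append((m["seq"], "0x" + hr["hr"].upper(), path))
    return failures
```

On the attachment itself this flags only the SafeBoot registry lookup (0x80070002, followed by "returning : 0x0"); the captured log stops while the answer file is still being read, before any directory reads, so the step that dcpromo reports as failing is not in the captured portion.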