PATCHES: On enabling read ACLs on LDAP searches for 4.0

Stefan (metze) Metzmacher metze at samba.org
Thu Dec 6 08:40:36 MST 2012


On 06.12.2012 07:20, Andrew Bartlett wrote:
> On Sun, 2012-11-25 at 23:39 +0100, Stefan (metze) Metzmacher wrote:
>> Hi,
>>
>> I've some patches which fix several bugs:
>>
>> Read ACL are not enabled by default on DS
>> https://bugzilla.samba.org/show_bug.cgi?id=8620
>>
>> ACL module: support the tree delete right
>> https://bugzilla.samba.org/show_bug.cgi?id=7711
>>
>> ACL are not recalculated if parent is changed and inherit is enabled
>> https://bugzilla.samba.org/show_bug.cgi?id=8621
>>
>> The branch is available here:
>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
>>
>> The only patch which makes autobuild take longer (by about 20 mins)
>> is the last one:
>> s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for
>> replicated changes
>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=ddd27d2b15a0b7e72abeeb4a259d83691d14abd6
>>
>> I'll try to debug why it slows down make test tomorrow.
>>
>> But the important thing is that
>> s4:dsdb/acl_read: enable acl checking on search by default
>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=39b425ac31a4497c162ffb29ccc92dbca95def69
>> doesn't cause a slowdown.
>>
>> Please have a look at these important fixes; it would be good to get some
>> additional testing.
> 
> The result of that testing isn't positive, I'm sorry to say.  I'm back
> from my time away, and I've run a wintest on current master. 
> 
> Now, wintest isn't the most reliable of beasts (frankly, it's a royal
> pain, only surpassed by the pain of doing this totally manually), but
> I'm confident that the attached error message indicates an ACL issue.
> 
> Additionally, a wintest with 'acl:search=false' set passes that step.
> 
> Given this, and if the separate issue of MMC crashing is also related,
> we may have no choice but to revert the default here, given the
> timeframe :-(

I found the problem regarding the MMC crashing,
the problem was that the acl_read module filtered the nTSecurityDescriptor
too much.

https://bugzilla.samba.org/show_bug.cgi?id=9470
Can you try again with the attached patches?

metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.diff
Type: text/x-diff
Size: 13201 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121206/7134dd47/attachment.diff>