PATCHES: On enabling read ACLs on LDAP searches for 4.0

Stefan (metze) Metzmacher metze at
Thu Dec 6 14:00:21 MST 2012

Am 06.12.2012 16:40, schrieb Stefan (metze) Metzmacher:
> Am 06.12.2012 07:20, schrieb Andrew Bartlett:
>> On Sun, 2012-11-25 at 23:39 +0100, Stefan (metze) Metzmacher wrote:
>>> Hi,
>>> I've some patches which fix several bugs:
>>> Read ACL are not enabled by default on DS
>>> ACL module: support the tree delete right
>>> ACL are not recalculated if parent is changed and inherit is enabled
>>> The branch is available here:
>>> The only patch which lets take autobuild later (by about 20 mins)
>>> is the last one:
>>> s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for
>>> replicated changes
>>> I'll try to debug why it slows down make test tomorrow.
>>> But the important thing is that
>>> s4:dsdb/acl_read: enable acl checking on search by default
>>> doesn't cause a slow down.
>>> Please have a look at this important fixes, it would be good to get some
>>> additional testing.
>> The result of that testing isn't positive, I'm sorry to say.  I'm back
>> from my time away, and I've run a wintest on current master. 
>> Now, wintest isn't the most reliable of beasts (frankly, it's a royal
>> pain, only surpassed by the pain of doing this totally manually), but
>> I'm confident that the attached error message indicates an ACL issue.
>> Additionally, a wintest with 'acl:search=false' set passes that step.
>> Given this, and if the separate issue of MMC crashing is also related,
>> we may have no choice but to revert the default here, given the
>> timeframe :-(
> I found the problem regarding the MMC crashing,
> the problem was that the acl_read module filtered the nTSecurityDescriptor
> too much.
> Can you try again with attached patches?

Updated patches are in;a=shortlog;h=refs/heads/master4-ad-acls
They might not fix MMC but they fix some important bugs, but need some
more testing
as I don't understand the dirsync stuff...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list