PATCHES: On enabling read ACLs on LDAP searches for 4.0

Stefan (metze) Metzmacher metze at samba.org
Thu Dec 6 14:00:21 MST 2012


On 06.12.2012 16:40, Stefan (metze) Metzmacher wrote:
> On 06.12.2012 07:20, Andrew Bartlett wrote:
>> On Sun, 2012-11-25 at 23:39 +0100, Stefan (metze) Metzmacher wrote:
>>> Hi,
>>>
>>> I've some patches which fix several bugs:
>>>
>>> Read ACL are not enabled by default on DS
>>> https://bugzilla.samba.org/show_bug.cgi?id=8620
>>>
>>> ACL module: support the tree delete right
>>> https://bugzilla.samba.org/show_bug.cgi?id=7711
>>>
>>> ACL are not recalculated if parent is changed and inherit is enabled
>>> https://bugzilla.samba.org/show_bug.cgi?id=8621
>>>
>>> The branch is available here:
>>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
>>>
>>> The only patch which makes autobuild take longer (by about 20 mins)
>>> is the last one:
>>> s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for
>>> replicated changes
>>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=ddd27d2b15a0b7e72abeeb4a259d83691d14abd6
>>>
>>> I'll try to debug why it slows down make test tomorrow.
>>>
>>> But the important thing is that
>>> s4:dsdb/acl_read: enable acl checking on search by default
>>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=39b425ac31a4497c162ffb29ccc92dbca95def69
>>> doesn't cause a slow down.
>>>
>>> Please have a look at these important fixes; it would be good to get some
>>> additional testing.
>>
>> The result of that testing isn't positive, I'm sorry to say.  I'm back
>> from my time away, and I've run a wintest on current master. 
>>
>> Now, wintest isn't the most reliable of beasts (frankly, it's a royal
>> pain, only surpassed by the pain of doing this totally manually), but
>> I'm confident that the attached error message indicates an ACL issue.
>>
>> Additionally, a wintest with 'acl:search=false' set passes that step.
>>
>> Given this, and if the separate issue of MMC crashing is also related,
>> we may have no choice but to revert the default here, given the
>> timeframe :-(
> 
> I found the problem regarding the MMC crashing;
> the problem was that the acl_read module filtered the nTSecurityDescriptor
> too much.
> 
> https://bugzilla.samba.org/show_bug.cgi?id=9470
> Can you try again with attached patches?

Updated patches are in
https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls
They might not fix MMC, but they fix some important bugs. They need some
more testing, as I don't understand the dirsync stuff...

metze
