PATCH: Re: ACLs Samba 4.0

Brian May brian at microcomaustralia.com.au
Mon Dec 17 20:46:14 MST 2012


On 15 December 2012 21:18, Stefan (metze) Metzmacher <metze at samba.org> wrote:

> Here's the samba_upgradeprovision fix for this,
>
> can someone test this and push to master?
>

Not absolutely sure what I am doing here. I just like trying to break
things :-)


I applied the patch to /usr/local/samba/sbin/samba_upgradeprovision and ran
it without parameters (does this even make changes???). This broke LDAP
entirely:

task_server_terminate: [Failed to obtain server credentials, perhaps a
standalone server?: NT_STATUS_NOT_FOUND
]
standard_terminate: reason[Failed to obtain server credentials, perhaps a
standalone server?: NT_STATUS_NOT_FOUND
]

So I ran it again as follows:

root at sys11:/usr/local/samba# ./sbin/samba_upgradeprovision --full
Creating a reference provision
Unable to find group id for BIND,
                set permissions to sam.ldb* files manually
Copy privilege
Update base samdb by searching difference with reference one
Starting update of samdb
There are 3 missing objects
Reloading a merged schema, which might trigger reindexing so please be
patient
Schema reloaded!
There are 0 changed objects
Update of samdb finished
Update of secrets.ldb
Update machine account
Fixing very old provision SD
Some (default) security descriptors (SDs) have changed, recalculating them
Upgrade finished!
Reopening samdb to trigger reindexing if needed after modification
Reindexing finished


Surprisingly, LDAP now works again, however, it looks like the same problem
as before.

kinit administrator
ldapsearch -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org uid=aspiers \
  -H ldap://sys11.ad.vpac.org/ -A

lists more attributes than

kinit brian
ldapsearch -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org uid=aspiers \
  -H ldap://sys11.ad.vpac.org/ -A

Doing a sort and diff I get the following:

root at tyla:~# diff -u a.1 b.1
--- a.1 2012-12-18 14:38:32.609371584 +1100
+++ b.1 2012-12-18 14:29:56.814827227 +1100
@@ -1,42 +1,20 @@
-accountExpires:
-badPasswordTime:
-badPwdCount:
 cn:
 codePage:
 countryCode:
 displayName:
 distinguishedName:
-gecos:
-gidNumber:
 givenName:
-instanceType:
-jpegPhoto:
-lastLogoff:
-lastLogon:
-loginShell:
-logonCount:
-logonHours:
 mail:
-memberOf:
 mobile:
-msSFU30NisDomain:
 name:
 objectCategory:
 objectClass:
 objectGUID:
 objectSid:
 primaryGroupID:
-pwdLastSet:
 sAMAccountName:
 sAMAccountType:
 sn:
 telephoneNumber:
 title:
 uid:
-uidNumber:
-unixHomeDirectory:
-userAccountControl:
-uSNChanged:
-uSNCreated:
-whenChanged:
-whenCreated:
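Review bot: given the diff direction (`--- a.1` is the Administrator run, `+++ b.1` the ordinary-user run), every `-` line is an attribute the ordinary user could not read at all, and the hunk mixes two very different groups: password and logon state (`pwdLastSet`, `badPwdCount`, `badPasswordTime`, `lastLogon`, `logonHours`, `userAccountControl`), where restricting reads to privileged principals is plausible, and the RFC 2307 attributes `uidNumber`, `gidNumber`, `loginShell`, `unixHomeDirectory` plus `memberOf`, which NSS-style Unix clients query as unprivileged or machine principals. It would help reviewers to say which group the patch is expected to change, so the second group can be checked against a client lookup rather than only against this attribute listing.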

Which I think lists all the attributes I can get as Administrator but not
as non-Administrator. This might be correct behaviour for some of these
attributes, but I don't think it is correct behaviour for all of them.


Did I correctly test your patch?
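The sort-and-diff comparison described in the mail above, as an added example that is not part of the original thread or of Samba: a small Python script that parses two `ldapsearch -A` outputs and lists the attribute names only the privileged principal could read. The two LDIF samples are constructed for illustration (not the real directory data), and the `EXPECTED_HIDDEN` policy set is an assumption standing in for whatever read restrictions the directory is meant to enforce. Unlike a raw `sort | diff`, it follows LDIF structure, so ldapsearch's trailing `search:` / `result:` lines, `#` comments and continuation lines never surface as attributes, and names are compared case-insensitively as LDAP itself does.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ldapsearch -A ... uid=aspiers` as seen by a
# privileged principal (hypothetical data, not from the original mail).
ADMIN_RUN = """\
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=vpac,dc=org> with scope subtree
# filter: uid=aspiers
# requesting: ALL

# aspiers, Users, ad.vpac.org
dn: CN=aspiers,CN=Users,DC=ad,DC=vpac,DC=org
objectClass:
cn:
sn:
mail:
memberOf:
uidNumber:
gidNumber:
unixHomeDirectory:
loginShell:
userAccountControl:
pwdLastSet:
badPwdCount:
jpegPhoto::

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# Constructed sample of the same query as seen by an ordinary user.
USER_RUN = """\
# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=vpac,dc=org> with scope subtree
# filter: uid=aspiers
# requesting: ALL

# aspiers, Users, ad.vpac.org
dn: CN=aspiers,CN=Users,DC=ad,DC=vpac,DC=org
objectClass:
cn:
sn:
mail:
mobile:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# LDIF attribute description: name, optional ";options", then ':' (a second
# ':' marks a base64 value; with -A the value is empty anyway).
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.-]*(?:;[A-Za-z0-9-]+)*):")


def attribute_names(ldif_text: str) -> Dict[str, str]:
    """Return {lowercased name: name as printed} for attributes inside entries.

    Only lines between a 'dn:' line and the next blank line count, so the
    trailing 'search:' and 'result:' lines ldapsearch prints (which look
    like attributes) and '#' comments are ignored.
    """
    names: Dict[str, str] = {}
    in_entry = False
    for line in ldif_text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line ends the current entry
            in_entry = False
            continue
        if line.startswith(" "):        # continuation of the previous value
            continue
        if line.lower().startswith("dn:"):
            in_entry = True
            continue
        if not in_entry:
            continue
        m = _ATTR_RE.match(line)
        if m:
            name = m.group(1).split(";", 1)[0]   # drop options such as ;binary
            names.setdefault(name.lower(), name)
    return names


def visibility_diff(privileged: str, unprivileged: str) -> Tuple[List[str], List[str]]:
    """Attributes only the privileged principal saw, and (as a sanity check)
    any the unprivileged principal saw that the privileged one did not."""
    p = attribute_names(privileged)
    u = attribute_names(unprivileged)
    hidden = sorted((p[k] for k in p.keys() - u.keys()), key=str.lower)
    extra = sorted((u[k] for k in u.keys() - p.keys()), key=str.lower)
    return hidden, extra


# Attributes ordinary users are *expected* not to read. Assumed policy for
# illustration only; replace with the directory's intended ACL behaviour.
EXPECTED_HIDDEN = {"useraccountcontrol", "pwdlastset", "badpwdcount"}


def unexpected_hidden(hidden: List[str], expected=EXPECTED_HIDDEN) -> List[str]:
    """Hidden attributes the policy did not anticipate: the ones worth a
    closer look before concluding the ACL change is correct."""
    return [a for a in hidden if a.lower() not in expected]


if __name__ == "__main__":
    hidden, extra = visibility_diff(ADMIN_RUN, USER_RUN)
    print("visible only to admin:", hidden)
    print("visible only to user :", extra)
    print("not covered by policy:", unexpected_hidden(hidden))
```

To use it against a real directory, capture the two runs with `ldapsearch ... -A > admin.ldif` and `> user.ldif` under the respective Kerberos tickets and pass the file contents to `visibility_diff`; the `extra` list should normally be empty, and anything it contains points at an ACL that is inconsistent rather than merely strict.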

