[PATCH] Re: The read ACL issues with Samba 4.0.0 (avoid need for acl:search=false)

Marc Muehlfeld Marc.Muehlfeld at medizinische-genetik.de
Sat Dec 29 05:33:16 MST 2012

Am 29.12.2012 05:17, schrieb Andrew Bartlett:
> If anybody who was having trouble with read ACLs, particularly anybody
> who had to set 'acl:search=false' in the smb.conf could please try this
> patch, and report results, it would be most helpful.

I compiled your patch against 4.0.0.

A non-domain-admin account is now seeing a bit more than before, but not as 
much, as before rc6.

I run the following command before and after applying the patch:

# ldapsearch -h localhost -b "dc=MUC,dc=medizinische-genetik,dc=de" -D 
"CN=nslcd-connect,OU=BackendUsers,dc=MUC,dc=medizinische-genetik,dc=de" -W 

When I diff the two outputs, I get:

< badPwdCount: 0
< lastLogoff: 0
< lastLogon: 0
< logonCount: 0
< accountExpires: 0
< logonHours:: ////////////////////////////
< pwdLastSet: 129924224420000000
< userAccountControl: 66048
< scriptPath: logonscript.bat
< memberOf: CN=SeqPilot,CN=Users,DC=muc,DC=medizinische-genetik,DC=de
< memberOf: CN=Immungenetik,CN=Users,DC=muc,DC=medizinische-genetik,DC=de
< memberOf: CN=ADUC-Admins,CN=Users,DC=muc,DC=medizinische-genetik,DC=de
< memberOf: CN=Molis43_Test_User,CN=Users,DC=muc,DC=medizinische-genetik,DC=de

But what I'm still missing for my nslcd is the attribute unixHomeDirectory. 
This non-domain-admins (like my nslcd account) still can only see when I set 


Marc Muehlfeld (IT-Leiter)
Zentrum fuer Humangenetik und Laboratoriumsmedizin
Dr. Klein, Dr. Rost und Kollegen
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-780

More information about the samba-technical mailing list