[PATCH] Re: The read ACL issues with Samba 4.0.0 (avoid need for acl:search=false)

Marc Muehlfeld Marc.Muehlfeld at medizinische-genetik.de
Sat Dec 29 05:33:16 MST 2012


On 29.12.2012 05:17, Andrew Bartlett wrote:
> If anybody who was having trouble with read ACLs, particularly anybody
> who had to set 'acl:search=false' in the smb.conf could please try this
> patch, and report results, it would be most helpful.

I compiled your patch against 4.0.0.

A non-domain-admin account is now seeing a bit more than before, but not as 
much as before rc6.

I ran the following command before and after applying the patch:

# ldapsearch -h localhost -b "dc=MUC,dc=medizinische-genetik,dc=de" \
    -D "CN=nslcd-connect,OU=BackendUsers,dc=MUC,dc=medizinische-genetik,dc=de" -W \
    "(&(&(objectClass=user)(uidNumber=*))(sAMAccountName=muehlfeld))"


When I diff the two outputs, I get:

15d14
< badPwdCount: 0
18,19d16
< lastLogoff: 0
< lastLogon: 0
22d18
< logonCount: 0
28,29d23
< accountExpires: 0
< logonHours:: ////////////////////////////
46,47d39
< pwdLastSet: 129924224420000000
< userAccountControl: 66048
49,53d40
< scriptPath: logonscript.bat
< memberOf: CN=SeqPilot,CN=Users,DC=muc,DC=medizinische-genetik,DC=de
< memberOf: CN=Immungenetik,CN=Users,DC=muc,DC=medizinische-genetik,DC=de
< memberOf: CN=ADUC-Admins,CN=Users,DC=muc,DC=medizinische-genetik,DC=de
< memberOf: CN=Molis43_Test_User,CN=Users,DC=muc,DC=medizinische-genetik,DC=de



But what I'm still missing for my nslcd is the attribute unixHomeDirectory. 
Non-domain-admins (like my nslcd account) can still only see this when I set 
'acl:search=false'.



Regards,
Marc




-- 
Marc Muehlfeld (IT-Leiter)
Zentrum fuer Humangenetik und Laboratoriumsmedizin
Dr. Klein, Dr. Rost und Kollegen
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-780
http://www.medizinische-genetik.de
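
The before/after comparison described in the message above can be done per attribute name instead of with a line diff. This is an added example, not part of the original post or of the Samba patch; the sample LDIF, the example.com DNs and the REQUIRED set are constructed assumptions.

```python
from collections import Counter

# Assumption: attributes this nslcd setup needs to read (names taken from the post).
REQUIRED = {"sAMAccountName", "uidNumber", "unixHomeDirectory"}
SKIP = {"dn", "version", "search", "result"}  # ldapsearch framing, not attributes

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def visible_attributes(ldif_text):
    """Count returned values per attribute name (case-insensitive)."""
    counts = Counter()
    for line in unfold(ldif_text):
        name = line.split(":", 1)[0].lower()  # also covers "attr:: <base64>"
        if ":" in line and not line.startswith("#") and name not in SKIP:
            counts[name] += 1
    return counts

def compare(before, after, required=REQUIRED):
    """Report attribute visibility changes and required attributes still hidden."""
    b, a = visible_attributes(before), visible_attributes(after)
    return {
        "gained": sorted(set(a) - set(b)),
        "lost": sorted(set(b) - set(a)),
        "count_changed": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
        "missing_required": sorted(r for r in required if r.lower() not in a),
    }

# Constructed sample output for a hypothetical user in example.com.
BEFORE = """dn: CN=jdoe,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: jdoe
uidNumber: 10001
"""
AFTER = BEFORE + """objectClass: person
userAccountControl: 66048
logonHours:: ////////////////////////////
memberOf: CN=A-Long-Group-Name,CN=Users,
 DC=example,DC=com
search: 2
result: 0 Success
"""
print(compare(BEFORE, AFTER))
```

Running the same search as a domain admin and passing that output as `after` shows which attributes the read ACLs withhold from the low-privilege bind account.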

