ACLs on Attributes that do not have attributeSecurityGUID

Andrew Bartlett abartlet at
Sun Dec 30 05:05:12 MST 2012

On Sun, 2012-12-30 at 10:36 +1100, Andrew Bartlett wrote:
> On Sat, 2012-12-29 at 13:33 +0100, Marc Muehlfeld wrote:
> > On 29.12.2012 05:17, Andrew Bartlett wrote:
> > > If anybody who was having trouble with read ACLs, particularly anybody
> > > who had to set 'acl:search=false' in the smb.conf could please try this
> > > patch, and report results, it would be most helpful.
> > 
> > I compiled your patch against 4.0.0.
> > 
> > A non-domain-admin account is now seeing a bit more than before, but not as
> > much as before rc6.
> > But what I'm still missing for my nslcd is the attribute unixHomeDirectory. 
> > This non-domain-admins (like my nslcd account) still can only see when I set 
> > 'acl:search=false'.
> This is interesting.  Indeed, we seem to have fixed the other basic
> attributes, but not the unix attributes.
> I'll keep searching. 


I'm wondering if you might be able to help.  The biggest remaining issue
with the read ACLs is that some attributes do not show up for normal
authenticated users.   

That is, if the attribute has an attributesecurityguid, it is returned,
but otherwise it isn't.

I'm still trying to get my head around ACLs on the directory, and how it
applies to the object tree and all that.  

If you have any time to look into this, or pass on some clues, I would
very much appreciate it. 


Andrew Bartlett
Authentication Developer, Samba Team
