[PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat

Andrew Bartlett abartlet at samba.org
Mon Nov 12 15:57:16 MST 2012


On Mon, 2012-11-12 at 23:51 +0100, Jelmer Vernooij wrote:
> On Tue, Nov 13, 2012 at 09:26:19AM +1100, Andrew Bartlett wrote:
> > On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
> > > This patch should fix the issues where an ACL set on sysvol by
> > > samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
> > > fails.
> > > 
> > > The root cause here appears to be not setting fsp->is_directory
> > > correctly.
> > > 
> > > This patch unifies the get and set code by simply using the same
> > > boilerplate, however another approach would be to call
> > > SMB_VFS_GET_NT_ACL() instead, which only needs a file path.  
> > > 
> > > I'm posting this so as to mark the fact that I've reproduced and fixed
> > > one small part of this SYSVOL issue locally, and am continuing to work
> > > on it.
> > > 
> > > I have a second patch here, which I feel makes this code more robust -
> > > it removes the NT4 compatibility layer in the posix ACL code.  This will
> > > mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
> > > Windows client.  Currently samba-tool appears as RA_UNKNOWN, and so gets
> > > NT4 compatible ACLs, which can break the hash when a Windows client
> > > accesses the server.
> > > 
> > > I need to test more to prove this is strictly required, but I do feel it
> > > is a worthwhile change in any case, given how long dead NT4 clients
> > > changing ACLs with the Windows GUI are.
> > 
> > Jelmer,
> > 
> > Attached are the patches I'm currently working on, for review.  Please
> > ack the ones you are comfortable with (perhaps just the test patches). 
> > 
> > At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
> > indicated he is happy to be rid of the "acl compatibility" code.
> 
> ACK on the first two. Are you sure that test won't start flapping
> again?

I wish I could be certain, but a large (7) number of autobuild runs
didn't show a flapping test, and metze had it flapping at a 50% rate.  

My theory is that the xattr.tdb changes in posixacl.py helped.

> I'm not familiar enough with the code to review the other two patches
> at the moment. Perhaps somebody else can, or I can when I get a spare
> moment later this week.

Jeremy is the person for this.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



