[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat
Andrew Bartlett
abartlet at samba.org
Tue Nov 13 14:32:44 MST 2012
On Tue, 2012-11-13 at 12:17 -0800, Jeremy Allison wrote:
> On Tue, Nov 13, 2012 at 05:00:01PM +1100, Andrew Bartlett wrote:
> >
> > The ACL patches here, on master, appear to be the key changes required
> > to have GPOs work. At least, they work for me with a Windows 7 client
> > setting and applying GPOs. (The patches already posted are unchanged
> > from the previous mail).
> >
> > If I could please have *everyone* who is having trouble with sysvol ACLs
> > and is willing to run master try these patches. You will have to run
> > 'samba-tool ntacl sysvolreset' to get the correct ACLs.
> >
> > They are also in my gpo-acl-fix branch at
> > git://git.samba.org/abartlet/samba.git
> >
> > There are fixes for both the ntvfs and smbd file servers. The tests
> > included with them show that we now correctly store the GPO ACLs in both
> > cases.
> >
> > If we confirm this indeed fixes ACLs, then we have finally solved a
> > major blocker for the 4.0 release.
>
> I'm reviewing these for inclusion in master right now.
>
> However, they're still not broken up into micro-patches that
> make them easier to understand.
>
> For example, inside this fix:
>
> --------------------------------------------------------------
> commit fd4835fc720d6780c40e845c1fedfad9dbb2bfe9
> Author: Andrew Bartlett <abartlet at samba.org>
> Date: Mon Nov 12 16:45:09 2012 +1100
>
> smbd: Correctly set fsp->is_directory before dealing with ACLs
>
> Without this change, samba-tool ntacl sysvolreset and samba-tool ntacl
> sysvolcheck were unreliable
>
> This does a stat on a real fsp in set_nt_acl_no_snum and uses
> SMB_VFS_GET_NT_ACL() to ensure the called code knows if it is dealing
> with a file or a directory.
>
> Andrew Bartlett
> --------------------------------------------------------------
>
> There are at least three logically separate parts.
It's a fair cop, and I agree.
I'm not as convinced that the other patches break up so well, but I
guess you could remove the smb.conf parameter, and then the manpages for
"acl compatability" in distinct patches if that was your preference.
I'm certainly not wanting to be a pain here, so please let me know what
would help you best here. Are you still splitting them up, or would you
prefer me to just re-submit?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list