On enabling read ACLs on LDAP searches for 4.0

Matthieu Patou mat at samba.org
Wed Nov 21 02:21:12 MST 2012

On 11/20/2012 10:44 PM, Andrew Bartlett wrote:
> Metze,
> I'm delighted to see the work you have done recently, and incredibly
> pleased to see that we have the chance to protect the data in an AD
> server we are hosting with the read ACLs that the administrator
> specified.
As I said on IRC: kudos++, great job for tackling this issue.
> As such, I'm really excited by this, and I'm quite keen that our users
> get to have this in Samba 4.0, given the patches are available.
> That said, I'm also cautious - you would of course remember my caution
> around the DNS server change, and this is even more 'last moment' than
> that was.  There are really important issues to consider, such as if we
> break some of the harder to test features (eg, running a wintest to
> verify interactions with Windows), and if we are really delivering what
> we are promising.
> Some specific concerns:
>   - constraints for DB integrity (wouldn't want ACLs to somehow allow
> duplicate user creation because you can't see one!)
We have to double check on this. ACLs are a bit after the middle of the
stack, so in theory checks that are before (that is to say, upper in the
stack) will see results filtered by readacl.
And maybe move the module up in order to simplify things.

> My gut feeling is to enable this, audit it carefully (both before and
> after the release), and allow users to turn it off if it causes issues.
> Adding an 'acl:search=false' would get users back to where we are now,
> and is an easily described fallback.  But doing this rests on our
> extensive automated tests (of which I'm very grateful), a similar
> battery of manual tests and a careful review of the code.
Let's see how it goes; if it turns out to be a remake of GPO file ACLs and
s3fs, we can decide to switch it off by default.


Matthieu Patou
Samba Team

More information about the samba-technical mailing list