PATCHES: On enabling read ACLs on LDAP searches for 4.0

Stefan (metze) Metzmacher metze at
Sun Nov 25 15:39:28 MST 2012


I've some patches which fix several bugs:

Read ACL are not enabled by default on DS

ACL module: support the tree delete right

ACL are not recalculated if parent is changed and inherit is enabled

The branch is available here:;a=shortlog;h=refs/heads/master4-ad-acls

The only patch which lets take autobuild later (by about 20 mins)
is the last one:
s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for
replicated changes;a=commitdiff;h=ddd27d2b15a0b7e72abeeb4a259d83691d14abd6

I'll try to debug why it slows down make test tomorrow.

But the important thing is that
s4:dsdb/acl_read: enable acl checking on search by default;a=commitdiff;h=39b425ac31a4497c162ffb29ccc92dbca95def69
doesn't cause a slow down.

Please have a look at this important fixes, it would be good to get some
additional testing.

>> On Wed, Nov 21, 2012 at 8:44 AM, Andrew Bartlett <abartlet at> wrote:
>>> Metze,
>>> I'm delighted to see the work you have done recently, and incredibly
>>> pleased to see that we have the chance to protect the data in an AD
>>> server we are hosting with the read ACLs that the administrator
>>> specified.
>>> It is really important that, particularly in a situation where we join
>>> an existing domain, we can still protect that information as well as a
>>> Microsoft server would.  This eliminates unexpected surprises that some
>>> might describe as security holes, and puts into production work a great
>>> and impressive effort by Nadya.
>>> As such, I'm really exited by this, and I'm quite keen that our users
>>> get to have this in Samba 4.0, given the patches are available.
>>> That said, I'm also cautious - you would of course remember my caution
>>> around the DNS server change, and this is even more 'last moment' than
>>> that was.  There are really important issues to consider, such as if we
>>> break some of the harder to test features (eg, running a wintest to
>>> verify interactions with Windows), and if we are really delivering what
>>> we are promising.
>>> Some specific concerns:
>>>  - constraints for DB integrity (wouldn't want ACLs to somehow allow
>>> duplicate user creation because you can't see one!)
>>>  - while at the same time as avoiding information leaks such as might
>>> happen if a 'helper' search was substantially controlled by the caller
>>> was invoke 'AS_SYSTEM' as I understand you do
>>> My view at RC1 stage (when we first discussed if this blocker bug and
>>> discussed DNS) was that this would be a 'new feature' and it was too
>>> late to add it in, but now I'm not so certain, or so black-and-white.
>>> In short, this isn't 'just another feature'.
>>> The fact that we got this far without solving another serious ACL issue
>>> (for GPOs) has rattled my confidence a little, but I'm not sure that
>>> means we should leave this as a known issue for a whole release cycle.
>>> My gut feeling is to enable this, audit it carefully (both before and
>>> after the release), and allow users to turn if off if it causes issues.
>>> Adding an 'acl:search=false' would get users back to where we are now,
>>> and is an easily described fallback.  But doing this rests on our
>>> extensive automated tests (of which I'm very grateful), a similar
>>> battery of manual tests and a careful review of the code.
>>> Andrew Bartlett
>>> --
>>> Andrew Bartlett                      
>>> Authentication Developer, Samba Team 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list