Only recalculate SDs on a DN we saw a difference on

Andrew Bartlett abartlet at samba.org
Mon Feb 18 03:33:07 MST 2013


This patch series drastically limits when we call the SD modification
(recalculation from scratch).  We now only do it on a --full, and we now
only do it on an SD that we have seen a difference on during our
comparison with a fresh provision.

This does mean that we lose the ability to recalculate the SD on a new
DN.  However, that would only be needed if our defaultSecurityDescriptor
was wrong, and these have been OK for quite some time now. 

I've made these changes to try and make the behaviour of this tool much
more restricted, and much more predictable.  Also, this updates us to a
Samba where inherited ACLs are handled at runtime by the descriptor
module, and so we don't need to rewrite every ACL to make these take
hold.

As always, these are part of my upgradeprovision branch. 

I include metze's attempt at restricting modification of SDs that have
been modified after a provision.  It includes the TODO marker while we
validate this area, which isn't currently tested. 

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-samba_upgradeprovision-Remove-unused-checkKeepAttrib.patch
Type: text/x-patch
Size: 5789 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130218/ed653722/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-samba_upgradeprovision-Remove-alwaysRecalculate-this.patch
Type: text/x-patch
Size: 1521 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130218/ed653722/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-TODO-samba_upgradeprovision-do-not-overwrite-changed.patch
Type: text/x-patch
Size: 1402 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130218/ed653722/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-samba_upgradeprovision-only-run-rebuild_sd-in-full-m.patch
Type: text/x-patch
Size: 3670 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130218/ed653722/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-samba_upgradeprovision-do-not-maintain-dnNotToRecalc.patch
Type: text/x-patch
Size: 2888 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130218/ed653722/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-samba_upgradeprovision-Do-not-reset-every-DN-when-ch.patch
Type: text/x-patch
Size: 3899 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130218/ed653722/attachment-0005.bin>

