DSDB-ACL work

Andrew Bartlett abartlet at samba.org
Fri Jan 18 00:17:15 MST 2013


On Fri, 2013-01-18 at 12:52 +1100, Andrew Bartlett wrote:
> On Thu, 2013-01-17 at 16:32 +0100, Stefan (metze) Metzmacher wrote:
> > Hi Andrew,
> > 
> > can you have a look at my progress the work to correct the dsdb acl
> > handling,
> > it's based on your patches, but reworked in some details to make then
> > easier to
> > understand.
> > 
> > https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master-ready
> > 
> > I use acl_check_access_on_attribute() in a few more places and introduced
> > a acl_check_access_on_objectclass() function.
> > 
> > I haven't done much testing with it yet, but I expect it to work as
> > desired now.
> 
> Thank you so much for working on that.  I've read over them, and it
> seems reasonable, but I need to do more of a review.
> 
> What is missing is a test for the read ACL stuff, that starts to work
> after the pre-windows 2000 compatible access patch goes in.
> 
> I also need to run a wintest (given it did so well as finding ACL bugs
> in the past).  I'll start that now, hopefully it is in a good mood :-)

I've run wintest, and a Windows 2003 domain join fails.  I'll send you
the network trace by private mail, but essentially a SetUserInfo now
fails with NT_STATUS_UNSUCCESSFUL, when it doesn't with master.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




More information about the samba-technical mailing list