DSDB-ACL work

Andrew Bartlett abartlet at samba.org
Sun Jan 20 15:30:01 MST 2013


On Fri, 2013-01-18 at 10:00 +0100, Stefan (metze) Metzmacher wrote:
> On 18.01.2013 08:17, Andrew Bartlett wrote:
> > On Fri, 2013-01-18 at 12:52 +1100, Andrew Bartlett wrote:
> >> On Thu, 2013-01-17 at 16:32 +0100, Stefan (metze) Metzmacher wrote:
> >>> Hi Andrew,
> >>>
> >>> can you have a look at my progress on the work to correct the dsdb acl
> >>> handling, it's based on your patches, but reworked in some details to
> >>> make them easier to understand.
> >>>
> >>> https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master-ready
> >>>
> >>> I use acl_check_access_on_attribute() in a few more places and introduced
> >>> an acl_check_access_on_objectclass() function.
> >>>
> >>> I haven't done much testing with it yet, but I expect it to work as
> >>> desired now.
> >>
> >> Thank you so much for working on that.  I've read over them, and it
> >> seems reasonable, but I need to do more of a review.
> >>
> >> What is missing is a test for the read ACL stuff, that starts to work
> >> after the pre-windows 2000 compatible access patch goes in.
> >>
> >> I also need to run a wintest (given it did so well at finding ACL bugs
> >> in the past).  I'll start that now, hopefully it is in a good mood :-)
> > 
> > I've run wintest, and a Windows 2003 domain join fails.  I'll send you
> > the network trace by private mail, but essentially a SetUserInfo now
> > fails with NT_STATUS_UNSUCCESSFUL, when it doesn't with master.
> 
> Ok, make test also showed that.
> 
> The problem was the missing exception for "clearTextPassword" in
> https://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=c7e635413f6c963106
> 
> I've updated the master-ready branch.

I've pushed these back to 
https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/metze-master-ready with review markers.

I've included everything except the attached, which just needs its
commit message fixed up.  I think your idea was to remove
dom_sid_parse_talloc(), so as to avoid allocating and freeing what can
just be put on the stack.  Consider this reviewed also if that's the
case (and it isn't some reversed patch mistake). 

Thank you very much for all your hard work on this!

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-libcli-security-use-dom_sid_parse_talloc-in-sec_acce.patch
Type: text/x-patch
Size: 2736 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130121/ad6f0d6c/attachment.bin>

