Read ACLs & Samba 4.0.1 Was: [Re: ACLs on Attributes that do not have attributeSecurityGUID]

Adam Tauno Williams awilliam at whitemice.org
Tue Jan 22 09:48:44 MST 2013


On Thu, 2013-01-03 at 08:56 +1100, Andrew Bartlett wrote:
> On Wed, 2013-01-02 at 21:34 +0100, Marc Muehlfeld wrote:
> > On 02.01.2013 09:44, Andrew Bartlett wrote:
> > > I'm maintaining this (and my summer collection of un-reviewed patches)
> > > in my acl-read-fixes branch.
> > I applied all 10 patches from your previous posting on my test environment. 
> > And now I get the unixHomeDirectory attribute, as non-domain-admin too:
> > # ldapsearch -h localhost -b "dc=MUC,dc=medizinische-genetik,dc=de" -D 
> > "CN=nslcd-connect,OU=BackendUsers,dc=MUC,dc=medizinische-genetik,dc=de" -W 
> > "(&(&(objectClass=user)(uidNumber=*))(sAMAccountName=muehlfeld))" | grep 
> > unixHomeDirectory
> > unixHomeDirectory: /home/muehlfeld
> Thanks.  The issue that we have now is that somehow (and I'm totally
> stumped as to how), the patch to correct the groups breaks our WRITE ACL
> tests.  That somehow implies that users now can write to more than they
> should, which is scary.
> I simply make this warning because I need to understand this more before
> I can recommend this for production use, because it seems very wrong. 
> Anyway, thanks for the testing, I do very much appreciate it. 

Rolling this fix into 4.0.1 was mentioned earlier in the thread.  I
assume from the above that the read-ACL fixes are *not* included in
4.0.1 [the expected behavior in 4.0.1 is the same as in 4.0.0]?

-- 
Adam Tauno Williams  GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA



More information about the samba-technical mailing list