ACLs and upgrades
Andrew Bartlett
abartlet at samba.org
Tue Mar 19 19:25:44 MDT 2013
On Tue, 2013-03-19 at 18:11 +0100, Marc Muehlfeld wrote:
> Hello Andrew,
>
> thank you for your detailed explanation.
>
>
> Am 18.03.2013 23:46, schrieb Andrew Bartlett:
> > So, where does this leave us? At this point the only option I can
> > sensibly consider is providing a tool to forcibly reset the well known
> > security descriptors (including removing your delegation on
> > cn=computers), but to add it to dbcheck, to run in that interactive
> > tool. That way, you can choose to keep your delegation (but have the
> > rest of the SD be incorrect), or accept the reset (and re-add any
> > delegation later).
>
> What are the steps/commands to reset the ACLs, when I want to upgrade
> from 4.0.1?
>
> Or do you recommend to stay at my version and wait until you have your
> 'samba-tool dbcheck --reset-well-known-acls' finished? If so, I can test
> the new option for you, of course.
>
> For me it isn't a big thing to re-add my delegations. I think I'll
> better have everything correct, instead of saving a bit of time for
> re-adding the delegations.
You can (and should) upgrade from 4.0.1, nothing prevents you from doing
that.
At some point (for 4.0.5 is my plan) we will have a tool to correct the
ACLs on existing installations, just as we do for new installations. We
have part of that in dbcheck already for a different part of the
problem, but correcting the incorrect defaults remains TODO.
I hope this clarifies things,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list