selftest: re-enable nss_winbind via nss_wrapper in the test-envs.

Michael Adam obnox at samba.org
Tue Feb 17 13:17:19 MST 2015


On 2015-02-18 at 07:27 +1300, Andrew Bartlett wrote:
> On Tue, 2015-02-17 at 18:32 +0100, Michael Adam wrote:
> > On 2015-02-17 at 18:27 +0100, Michael Adam wrote:
> > > On 2015-02-17 at 18:09 +0100, Stefan (metze) Metzmacher wrote:
> > > > Hi Michael,
> > > > 
> > > > > diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
> > > > > index 1603321..3e2397d 100644
> > > > > --- a/python/samba/provision/__init__.py
> > > > > +++ b/python/samba/provision/__init__.py
> > > > > @@ -1476,8 +1476,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> > > > >          return samdb
> > > > >  
> > > > >  
> > > > > -SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
> > > > > -POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
> > > > > +SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001200a9;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
> > > > > +POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001200a9;;;LA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
> > > > >  SYSVOL_SERVICE="sysvol"
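
Review bot: The new `(A;OICI;0x001200a9;;;LA)` ACE at the head of both SYSVOL_ACL and POLICIES_ACL changes the default security descriptor these constants define, and nothing in the hunk says why LA needs an explicit entry. LA is already the owner (`O:LA`), and the added mask is the same 0x001200a9 that SO and AU get, lower than the 0x001f01ff granted to BA, so the intent of the entry is unclear. If the only goal is to make the test pass, leave these constants as they are and adjust the test's expected values instead; otherwise add a comment above the constants stating what requires the LA ACE.
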
> > > > 
> > > > Aren't these the hardcoded values windows clients expect to be there?
> > > 
> > > Could be. That is why I was asking for experts (like you) to
> > > comment! :-)
> > > 
> > > > I guess changing them, just to let our test pass is wrong.
> > > 
> > > Ok. Does that mean the ACE values for the owner are completely
> > > random? And the previous patch that does not adapt the NT ACL
> > > but simply adapts the posix checks to the values that let
> > > the test pass is better/correct?
> > 
> > More concretely, the attached patch..
> 
> This is much more like what I expected the fix to be (changing NSS
> mappings might change some aspect of the stored posix ACL), but why does
> the permission change from 6 to 7 (adding execute?)

I don't really have a clue. I had hoped someone here has. :)
The only idea I have is that the domain admin now having an
nss entity with the same UID Number as the calling user (root),
this might be related to the domain admin being member of the
builtin administrators group which gets full access by the acls.
Not sure what the acl mapping code really does here.
I'd need to find some time to dive through it.

Since the environment is *now* as it should be (with
libnss_winbindd active), I think we can as well push
the patch for a start.

But it still leaves me with a strange feeling:

- Why does provision give root's uid to the domain admin?
  This seems to be a bug/bad thing to do.

- Why does the sysvol ACL not specify ACEs for the owner/
  for the domain admin. It seems to be slightly strange
  for the test to check the resulting acl for specific
  entries for this entity since this seems to be random
  to some extent, since apparently external influences
  come into play here?! ...

Cheers - Michael
