[PATCH] Use conn->session_info->security_token in posix_acls.c to make sysvolreset faster (was: Re: [PATCH] improve performance for samba-tool ntacl sysvolreset)
uri at samba.org
Tue Jul 10 09:03:36 UTC 2018
On 07/10/2018 11:00 AM, Rowland Penny via samba-technical wrote:
> On Tue, 10 Jul 2018 19:38:53 +1200
> Andrew Bartlett via samba-technical <samba-technical at lists.samba.org>
>> On Tue, 2018-07-10 at 08:43 +0300, Uri Simchoni via samba-technical
>>> On 07/10/2018 08:10 AM, Andrew Bartlett wrote:
>>>> On Tue, 2018-07-10 at 07:49 +0300, Uri Simchoni wrote:
>>>>> Beside that I'm curious - it seems like the function we're
>>>>> optimizing (uid_entry_in_group()) gets called in one of the
>>>>> following cases: 1. If the SD somehow doesn't translate into a
>>>>> POSIX ACL with a USER_OBJ 2. To emulate deny ACE
>>>> Something like that. I understand it is to fold any group
>>>> permissions into the user permission because of the mismatch
>>>> between NT and POSIX semantics.
>>>>> Which one of the two gets called in the sysvolreset? (and if
>>>>> it's 1., why do we get an ACL without a USER_OBJ when we do a
>>>>> "reset" operation which should bring things to the default
>>>> It gets called a lot, I find this code very difficult to follow
>>>> but seems to be needed for every group even if it isn't a DENY or
>>> OK I've dug a little deeper and can see that the ACL we're setting
>>> "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" ,
>>> which means that the owner (LA - basically an alias) doesn't have a
>>> direct ACE. Being an alias, perhaps we should simply add a rule
>>> that if the ACL has a BA ace (BUILTIN\Administrators), then we can
>>> use it for an LA owner and construct the USER_OBJ ACE from that.
>> I really don't want to touch that code. It gives me the shivers.
>> Andrew Bartlett
> So it should, firstly because it uses the wrong ACL.
> Microsoft uses:
> Note the addition of 'CREATOR OWNER'
And what's the owner? LA or BA? (or something else)
The whole thing started because the owner doesn't appear in the ACL.
"CREATOR OWNER" is a template for new files, AFAIK it never by itself
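As an added illustration (not code from this thread or from Samba's posix_acls.c), a small Python parser for the SDDL quoted above that checks whether the owner has a direct ACE and applies the rule proposed earlier in the thread, falling back to the ACE of an alias the owner belongs to. The ALIAS_MEMBERSHIP table (LA being a member of BA) is an assumption of this example.

```python
import re

# Constructed input: the SDDL that sysvolreset applies, as quoted in the thread.
SYSVOL_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

# Assumption for this example: well-known aliases the owner belongs to by
# default (LA, the domain Administrator, is a member of BUILTIN\Administrators).
ALIAS_MEMBERSHIP = {"LA": ["BA"]}

_SD_RE = re.compile(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)")

def parse_sddl(sddl):
    """Split an SDDL security descriptor into owner, group, DACL flags and a
    list of ACE dicts. Only the fields a DACL-to-POSIX mapping needs are kept;
    object/inherit GUIDs are ignored."""
    m = _SD_RE.fullmatch(sddl)
    if m is None:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")
        if rights.lower().startswith("0x"):
            rights = int(rights, 16)  # hex access mask, e.g. 0x001f01ff
        aces.append({"type": ace_type, "flags": flags, "rights": rights, "trustee": trustee})
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}

def owner_has_direct_ace(sd):
    """True when the owner SID/alias is itself the trustee of some ACE."""
    return any(ace["trustee"] == sd["owner"] for ace in sd["aces"])

def user_obj_rights(sd):
    """Access mask to use for the POSIX USER_OBJ entry and where it came from:
    the owner's own allow ACE, or (the rule proposed in the thread) the allow
    ACE of an alias the owner is a member of. (None, None) if neither exists."""
    allows = {ace["trustee"]: ace["rights"] for ace in sd["aces"] if ace["type"] == "A"}
    if sd["owner"] in allows:
        return allows[sd["owner"]], sd["owner"]
    for alias in ALIAS_MEMBERSHIP.get(sd["owner"], []):
        if alias in allows:
            return allows[alias], alias
    return None, None

if __name__ == "__main__":
    sd = parse_sddl(SYSVOL_SDDL)
    print("owner %s has direct ACE: %s" % (sd["owner"], owner_has_direct_ace(sd)))
    print("USER_OBJ rights: 0x%x (from %s)" % user_obj_rights(sd))
```

For the sysvol descriptor the owner LA has no direct ACE, so the USER_OBJ entry is derived from the BA allow ACE (0x001f01ff).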