[PATCH] Use conn->session_info->security_token in posix_acls.c to make sysvolreset faster (was: Re: [PATCH] improve performance for samba-tool ntacl sysvolreset)

Rowland Penny rpenny at samba.org
Tue Jul 10 09:18:01 UTC 2018


On Tue, 10 Jul 2018 12:03:36 +0300
Uri Simchoni <uri at samba.org> wrote:

> On 07/10/2018 11:00 AM, Rowland Penny via samba-technical wrote:
> > On Tue, 10 Jul 2018 19:38:53 +1200
> > Andrew Bartlett via samba-technical
> > <samba-technical at lists.samba.org> wrote:
> > 
> >> On Tue, 2018-07-10 at 08:43 +0300, Uri Simchoni via samba-technical
> >> wrote:
> >>> On 07/10/2018 08:10 AM, Andrew Bartlett wrote:
> >>>> On Tue, 2018-07-10 at 07:49 +0300, Uri Simchoni wrote:
> >>>>> Hi,
> >>>
> >>> <snip>
> >>>>
> >>>>> Beside that I'm curious - it seems like the function we're
> >>>>> optimizing (uid_entry_in_group()) gets called in one of the
> >>>>> following case: 1. If the SD somehow doesn't translate into a
> >>>>> POSIX ACL with a USER_OBJ 2. To emulate deny ACE
> >>>>
> >>>> Something like that.  I understand it is to fold any group
> >>>> permissions into the user permission because of the mismatch
> >>>> between NT and POSIX semantics. 
> >>>>
> >>>>> Which one of the two gets called in the sysvolreset? (and if
> >>>>> it's 1., why do we get an ACL without a USER_OBJ when we do a
> >>>>> "reset" operation which should bring things to the detault
> >>>>> state)
> >>>>
> >>>> It gets called a lot, I find this code very difficult to follow
> >>>> but seems to be needed for every group even if it isn't a DENY or
> >>>> such.
> >>>>
> >>>
> >>> OK I've dug a little deeper and can see that the ACL we're setting
> >>> is
> >>> "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)" ,
> >>> which means that the owner (LA - basically an alias) doesn't have
> >>> a direct ACE. Being an alias, perhaps we should simply add a rule
> >>> that if the ACL has a BA ace (BUILTIN\Administrators), then we can
> >>> use it for an LA owner and construct the USER_OBJ ACE from that.
> >>
> >> I really don't want to touch that code.   It gives me the shivers. 
> >>
> >> Sorry,
> >>
> >> Andrew Bartlett
> > 
> > So it should, firstly because it uses the wrong ACL.
> > 
> > Microsoft uses:
> > 
> > 'D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)'
> > 
> > Note the addition of 'CREATOR OWNER'
> > 
> > Rowland
> > 
> 
> And what's the owner? LA or BA? (or something else)
> The whole thing started because the owner doesn't appear in the ACL.
> "CREATOR OWNWER" is a template for new files, AFAIK it never by itself
> affect access.
> 
> Uri

I do not think that Microsoft cares who owns it (or what the group is,
come to that).
I extensively searched the internet to try and find what the default
sysvol permissions are and I couldn't find the any default owner/group,
not even on a Microsoft webpage ;-)

If it matters, a 2012R2 DC sets 'sysvol' to: O:BAG:SYD:PAI

Rowland



More information about the samba-technical mailing list