merge request 187 on GitLab

Martin Krämer mk.maddin at gmail.com
Fri Jan 18 17:02:24 UTC 2019


Hi all,

thanks for the feedback.


*> Most of the Samba Team members still look for new patches> as
attachments on the samba-technical mailing list. *
Ok - so sending a short information to mailing list still makes sense.
I just do not want to stress people for no reason to merge requests which
are not urgent. :)

> 1). Are you OK with me adding a 'Signed-off-by: Martin Krämer <
mk.maddin at gmail.com>
> line to the patch ?
Yes just add it - I will take care of it in future.

> 2). If you're going to work on Samba some more, it'd
> we worthwhile to send in the contributors agreement
> as outlined here:  https://www.samba.org/samba/devel/copyright-policy.html
Well I am open to contribute as far as possible.
(Please note that I am no developer - I am mainly sysadmin with some
"scripting experience" which enabled me to simply troubleshoot & extend the
py part of samba-tool)
In general willing to sent the copyright information like described in
link, but based on the link information this is mainly for "sign your work
on behalf of your employer".
I would like to add that I am not doing this on behalf of my employer. I am
doing this as a private person in my free time.

--- At this point thanks for support in the organizational part - I will
continue with some technical staff of this patch now ---

Like I described in the "Discussion" activity within GitLab there is still
one related, not handled situation possible with the current code.
Using the "--sddl" parameter of "samba-tool dsacl" it is possible to add
the same ace using SIDs.
E.g. "OA;CIIO;RPWP;3e978925-8c01-11d0-afda-00c04fd930c9;bf967a86-0de6-11d0-a285-00aa003049e2;
*PS*" and ace
"OA;CIIO;RPWP;3e978925-8c01-11d0-afda-00c04fd930c9;bf967a86-0de6-11d0-a285-00aa003049e2;
*S-1-5-10*" both result in the same ace
"OA;CIIO;RPWP;3e978925-8c01-11d0-afda-00c04fd930c9;bf967a86-0de6-11d0-a285-00aa003049e2;
*PS*" permitting SECURITY_PRINCIPAL_SELF_RID.
Since samba internal all security identifiers seem to be translated into
SDDL SID strings if possible, you can add the same permission using SIDs
over and over again.


The only solution I can think of today is including a hard coded mapping
table of SDDL SID strings to Well-known SIDs and then checking the provided
sddl parameter agains each entry.
Never the less I am pretty sure there is a function which can translate a
given SID to a SDDL SID string already.
Maybe some hint where I can find this in samba? - Then I could prepare a
patch for this, too.

The following two links are a short overview of the well-known-sids &
sid-strings affected.
https://docs.microsoft.com/en-us/windows/desktop/secauthz/sid-strings
https://docs.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids

Thanks for input.




Am Do., 17. Jan. 2019 um 20:01 Uhr schrieb Jeremy Allison <jra at samba.org>:

> On Thu, Jan 17, 2019 at 09:54:46AM -0800, Jeremy Allison via
> samba-technical wrote:
> > On Thu, Jan 17, 2019 at 03:57:26PM +0100, Martin Krämer via
> samba-technical wrote:
> > > Hi all,
> > >
> > > some days ago I have created a merge request for a samba-tool patch on
> > > GitLab.
> > > I created this based on instructions from:
> > > https://wiki.samba.org/index.php/Samba_CI_on_gitlab
> > > and
> > > https://wiki.samba.org/index.php/Using_Git_for_Samba_Development
> > >
> > > Never the less this is my first contribution to samba and my first work
> > > with GitLab - I am not sure if I have done everything correct or if
> there
> > > are further actions required by me to be merged.
> > >
> > > The merge request is:
> > > https://gitlab.com/samba-team/samba/merge_requests/187
> > >
> > > Thanks for instructions
> >
> > Most of the Samba Team members still look for new patches
> > as attachments on the samba-technical mailing list. It's
> > always good to send them there as well as on gitlab (which
> > we use mostly for CI work, not merging).
> >
> > Having said that your patch looks good to me !
> >
> > https://gitlab.com/samba-team/samba/merge_requests/187.patch
> >
> > Reviewed-by: Jeremy Allison <jra at samba.org>
> >
> > Can I get a second Team reviewer ?
> >
> > Thanks a *lot* for helping us with Samba !
>
> A couple of quick things.
>
> 1). Are you OK with me adding a 'Signed-off-by: Martin Krämer <
> mk.maddin at gmail.com>
> line to the patch ? We require that to keep the provenence of
> all patch submissions (and it's really helpful when generating
> patches so I don't have to keep asking :-). You can do it
> from git by adding the -s option when you commit the patch
> to your repo.
>
> 2). If you're going to work on Samba some more, it'd
> we worthwhile to send in the contributors agreement
> as outlined here:
>
> https://www.samba.org/samba/devel/copyright-policy.html
>
> Thanks !
>
> Jeremy.
>


More information about the samba-technical mailing list