[Samba] sysvolreset optimization

Garming Sam garming at catalyst.net.nz
Fri Jun 28 02:15:58 UTC 2019


On 28/06/19 10:13 AM, Simon Fonteneau wrote:
> Hi Garming
>
> We managed to put our system in place at the Ministry of Culture and
> it works well. I still have not taken the time to propose a patch (I
> have to spend time with Denis). I propose instead to provide as
> argument a list of files to exclude with an option "--exclude" to
> exclude some files from the netlogon not to reset. What do you think?

That's fine. It seems sensible enough, there's other things we could do
but I would be happy with just that too.

>
> I could also add a "--force" option but is it really necessary?
> getntacl function is unreliable?

It's not so much that it's unreliable, but that it's more to ensure that
security descriptor inheritance worked correctly. If a container higher
up indicates it propagated it correctly, but the code never actually
triggered we may still end up with an incorrect sysvol. I don't know how
likely this is to happen, but these are the kinds of errors sysvolreset
is meant to fix. By changing the behaviour, I don't want to lose the old
behaviour in case it had to be relied upon. In general though, I don't
see any reason why your behaviour shouldn't clearly be default.

Cheers,

Garming


>
> Simon
>
>
> On 27/06/2019 at 05:06, Garming Sam wrote:
>> Hi Simon,
>>
>> I was wondering where you were at with this change. The idea is good,
>> but to upstream, I think we need to make sure it's still possible to
>> perform the original behaviour with an option like, --force. The other
>> possible change to sysvolreset I think was suggested was to take a
>> subdirectory argument and to only recurse from there. That could be
>> separate though.
>>
>> Normally, developer discussion like this appears on the samba-technical
>> mailing list (which I've now cc'd), but lots of it has also moved to
>> Gitlab merge requests. I should have just added you to the CI repo, so
>> you can run the tests that way (and maybe create a pull request).
>>
>> https://wiki.samba.org/index.php/Samba_CI_on_gitlab
>>
>> If you have any other questions, just ask.
>>
>> Cheers,
>>
>> Garming
>>
>> On 24/05/19 9:25 PM, Simon FONTENEAU via samba wrote:
>>> Hello
>>>
>>> I'm trying to improve the performance of "samba-tool ntacl
>>> sysvolreset" on samba.
>>> Indeed I have a lot of GPOs and over 10 000 files in the sysvol.
>>>
>>> After some diagnosis I found why the "samba-tool ntacl sysvolreset" is
>>> slow.
>>> The problem is in samba/ntacls.py in the setntacl function, the call
>>> to smbd.set_nt_acl is too slow.
>>>
>>> I would like to make sure that in the setntacl function, the call to
>>> smbd.set_nt_acl is done only if rights need to be reset, so to save
>>> time.
>>>
>>> I would like to do something like this at the end of the function:
>>>
>>> if getntacl(lp, file, None, None, direct_db_access=False, service=None).as_sddl(sid) == sd.as_sddl(sid):
>>>     return
>>>
>>>
>>> But I can not get getntacl to work correctly in the ntacls.py file
>>>
>>> Do you think my suggested method could work?
>>>
>>> Simon
>>>
>>>
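
The behaviour discussed in this thread (skip the write when the stored descriptor already matches, keep the old unconditional reset behind `--force`, and leave `--exclude`d files alone), sketched as an added example that is not Samba's code or the posters' patch. `reset_tree`, `get_sddl` and `set_sddl` are hypothetical names; the two callables stand in for the `getntacl(...).as_sddl(sid)` read and the slow `smbd.set_nt_acl` write, and the SDDL strings are constructed samples.

```python
import fnmatch
import os

def reset_tree(root, desired_sddl, get_sddl, set_sddl, exclude=(), force=False):
    """Apply desired_sddl below root; return (changed, skipped, excluded).

    get_sddl(path) -> str and set_sddl(path, sddl) are hypothetical stand-ins
    for the ACL read and the expensive ACL write. Paths in the returned lists
    are relative to root; exclude holds fnmatch patterns on those paths.
    """
    changed, skipped, excluded = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in dirnames + sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
                excluded.append(rel)  # never read or written
                continue
            # Fast path: trust the stored descriptor. force=True restores the
            # original behaviour of rewriting every entry, for the case where
            # the stored value looks right but propagation never ran.
            if not force and get_sddl(path) == desired_sddl:
                skipped.append(rel)
                continue
            set_sddl(path, desired_sddl)
            changed.append(rel)
    return changed, skipped, excluded

if __name__ == "__main__":
    import tempfile
    want = "O:BAG:SYD:P(A;OICI;FA;;;BA)"  # constructed sample SDDL
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Policies"))
        open(os.path.join(root, "Policies", "gpt.ini"), "w").close()
        store = {}  # in-memory ACL store, empty means "no ACL yet"
        for force in (False, False, True):
            result = reset_tree(root, want, lambda p: store.get(p),
                                store.__setitem__, force=force)
            print("force=%s changed=%d skipped=%d" %
                  (force, len(result[0]), len(result[1])))
```

The second pass in the demo skips everything because the store already matches; only the forced third pass writes again, which is the case Garming wants to keep available.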


