[PATCH] Use conn->session_info->security_token in posix_acls.c to make sysvolreset faster (was: Re: [PATCH] improve performance for samba-tool ntacl sysvolreset)

Andrew Bartlett abartlet at samba.org
Tue Jul 10 07:38:53 UTC 2018


On Tue, 2018-07-10 at 08:43 +0300, Uri Simchoni via samba-technical
wrote:
> On 07/10/2018 08:10 AM, Andrew Bartlett wrote:
> > On Tue, 2018-07-10 at 07:49 +0300, Uri Simchoni wrote:
> > > Hi,
> 
> <snip>
> > 
> > > Beside that I'm curious - it seems like the function we're optimizing
> > > (uid_entry_in_group()) gets called in one of the following case:
> > > 1. If the SD somehow doesn't translate into a POSIX ACL with a USER_OBJ
> > > 2. To emulate deny ACE
> > 
> > Something like that.  I understand it is to fold any group permissions
> > into the user permission because of the mismatch between NT and POSIX
> > semantics. 
> > 
> > > Which one of the two gets called in the sysvolreset? (and if it's 1.,
> > > why do we get an ACL without a USER_OBJ when we do a "reset" operation
> > > which should bring things to the default state)
> > 
> > It gets called a lot, I find this code very difficult to follow but
> > seems to be needed for every group even if it isn't a DENY or such.
> > 
> 
> OK, I've dug a little deeper and can see that the ACL we're setting is
> "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)",
> which means that the owner (LA - basically an alias) doesn't have a
> direct ACE. Being an alias, perhaps we should simply add a rule that if
> the ACL has a BA ace (BUILTIN\Administrators), then we can use it for an
> LA owner and construct the USER_OBJ ACE from that.

I really don't want to touch that code. It gives me the shivers.

Sorry,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
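The observation in the quoted message (the sysvol owner LA has no ACE of its own, so a POSIX USER_OBJ entry cannot be read straight off the DACL) can be checked mechanically. The following is an added example, not code from the thread or from Samba: a small SDDL parser applied to the exact ACL quoted above, plus a function that illustrates the proposed "borrow the BA ACE for an LA owner" rule. The alias table and the helper names are my own.

```python
import re

# Well-known SDDL SID aliases used in the ACL quoted in the thread (constructed lookup).
ALIASES = {"LA": "Local Administrator account", "BA": "BUILTIN\\Administrators",
           "SO": "BUILTIN\\Server Operators", "SY": "Local System",
           "AU": "Authenticated Users"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE dicts."""
    sd = {"owner": None, "group": None, "dacl_flags": "", "aces": []}
    for part in re.split(r"(?=[OGDS]:)", sddl):  # cut before O:, G:, D:, S: sections
        if not part:
            continue
        key, body = part[0], part[2:]
        if key == "O":
            sd["owner"] = body
        elif key == "G":
            sd["group"] = body
        elif key == "D":
            paren = body.find("(")
            sd["dacl_flags"] = body if paren < 0 else body[:paren]  # e.g. "P" = protected
            for ace in ACE_RE.findall(body):
                # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
                ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
                rights = int(rights, 16) if rights.lower().startswith("0x") else rights
                sd["aces"].append({"type": ace_type, "flags": flags,
                                   "rights": rights, "sid": sid})
    return sd


def direct_owner_aces(sd):
    """Allow ACEs whose trustee is the owner: the natural source of a POSIX USER_OBJ entry."""
    return [a for a in sd["aces"] if a["type"] == "A" and a["sid"] == sd["owner"]]


def owner_fallback_ace(sd):
    """Illustrates the rule proposed in the thread (hypothetical, not Samba's code):
    an LA owner with no direct ACE borrows the BUILTIN\\Administrators (BA) allow ACE."""
    if sd["owner"] != "LA" or direct_owner_aces(sd):
        return None
    return next((a for a in sd["aces"] if a["type"] == "A" and a["sid"] == "BA"), None)


# The sysvol ACL quoted in the thread.
SYSVOL_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")

if __name__ == "__main__":
    sd = parse_sddl(SYSVOL_SDDL)
    print("owner:", sd["owner"], "direct owner ACEs:", direct_owner_aces(sd))
    print("fallback ACE:", owner_fallback_ace(sd))
```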
