s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)

Signed-off-by: Stefan Metzmacher <metze@samba.org>

diff --git a/selftest/knownfail b/selftest/knownfail
index 953056e621e04652d40678aa9d53c972116b2285..e3341e959018ea4ad6be29eddd642d86f454ca60 100644 (file)
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -133,7 +133,6 @@
 ^samba4.smb2.acls.*.generic
 ^samba4.smb2.acls.*.inheritflags
 ^samba4.smb2.acls.*.owner
-^samba4.ldap.acl.*.ntSecurityDescriptor.* # ACL extended checks on search not enabled by default
 ^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.test_dirsync_deleted_items
 #^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.*
 ^samba4.drs.fsmo.python
@@ -158,13 +157,6 @@
 ^samba4.smb2.oplock.stream1 # samba 4 oplocks are a mess
 ^samba4.smb2.getinfo.getinfo # streams on directories does not work
 ^samba4.ntvfs.cifs.krb5.base.createx_access.createx_access\(.*\)$
-^samba4.ldap.acl.*.AclSearchTests.test_search_anonymous3\(.*\)$  # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search1\(.*\)$  # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search2\(.*\)$  # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search3\(.*\)$  # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search4\(.*\)$  # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search5\(.*\)$  # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search6\(.*\)$  # ACL search behaviour not enabled by default
 ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
 ^samba4.blackbox.kinit\(.*\).kinit with user password for expired password\(.*\) # We need to work out why this fails only during the pw change
 ^samba4.blackbox.dbcheck\(vampire_dc\).dbcheck\(vampire_dc:local\) # Due to replicating with --domain-critical-only we fail dbcheck on this database

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 20114c9541e38c4aa21b23dfa1309f4123f09f83..5988b8364253ae7c29cef143d20da8ad1f8063a7 100644 (file)
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -559,11 +559,8 @@ sub provision_raw_step1($$)
                warn("can't open $ctx->{smb_conf}$?");
                return undef;
        }
-       my $acl = "false";
-       $acl = "true" if (defined $ENV{WITH_ACL});
        print CONFFILE "
 [global]
-       acl:search = $acl
        netbios name = $ctx->{netbiosname}
        posix:eadb = $ctx->{statedir}/eadb.tdb
        workgroup = $ctx->{domain}

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index c7a40778b452e6043744be4f9ab4e1c48b7c239c..853fa20902e0cfd3f3ada6db091d9927b3802ae2 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -101,7 +101,7 @@ static int acl_module_init(struct ldb_module *module)
        }
 
        data->acl_search = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
-                                       NULL, "acl", "search", false);
+                                       NULL, "acl", "search", true);
        ldb_module_set_private(module, data);
 
        mem_ctx = talloc_new(module);

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 60b0d87d9523e299b6f066c3fce6b311c5735ab2..92744f28ba7701cade4eb0f1110ab5a6e433d1c3 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -397,7 +397,7 @@ static int aclread_init(struct ldb_module *module)
        if (p == NULL) {
                return ldb_module_oom(module);
        }
-       p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false);
+       p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true);
        ldb_module_set_private(module, p);
        return ldb_next_init(module);
 }