From 990448b4997d1a2423e5dd4da1e37ad51f99bf3a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sun, 18 Nov 2012 18:57:03 +0100
Subject: [PATCH] s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)

Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
---
 selftest/knownfail | 8 --------
 selftest/target/Samba4.pm | 3 ---
 source4/dsdb/samdb/ldb_modules/acl.c | 2 +-
 source4/dsdb/samdb/ldb_modules/acl_read.c | 2 +-
 4 files changed, 2 insertions(+), 13 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 953056e621e..e3341e95901 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -133,7 +133,6 @@
 ^samba4.smb2.acls.*.generic
 ^samba4.smb2.acls.*.inheritflags
 ^samba4.smb2.acls.*.owner
-^samba4.ldap.acl.*.ntSecurityDescriptor.* # ACL extended checks on search not enabled by default
 ^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.test_dirsync_deleted_items
 #^samba4.ldap.dirsync.python.dc..__main__.ExtendedDirsyncTests.*
 ^samba4.drs.fsmo.python
@@ -158,13 +157,6 @@
 ^samba4.smb2.oplock.stream1 # samba 4 oplocks are a mess
 ^samba4.smb2.getinfo.getinfo # streams on directories does not work
 ^samba4.ntvfs.cifs.krb5.base.createx_access.createx_access\(.*\)$
-^samba4.ldap.acl.*.AclSearchTests.test_search_anonymous3\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search1\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search2\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search3\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search4\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search5\(.*\)$ # ACL search behaviour not enabled by default
-^samba4.ldap.acl.*.AclSearchTests.test_search6\(.*\)$ # ACL search behaviour not enabled by default
 ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
 ^samba4.blackbox.kinit\(.*\).kinit with user password for expired password\(.*\) # We need to work out why this fails only during the pw change
 ^samba4.blackbox.dbcheck\(vampire_dc\).dbcheck\(vampire_dc:local\) # Due to replicating with --domain-critical-only we fail dbcheck on this database
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 20114c9541e..5988b836425 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -559,11 +559,8 @@ sub provision_raw_step1($$)
 warn("can't open $ctx->{smb_conf}$?");
 return undef;
 }
- my $acl = "false";
- $acl = "true" if (defined $ENV{WITH_ACL});
 print CONFFILE "
 [global]
- acl:search = $acl
 netbios name = $ctx->{netbiosname}
 posix:eadb = $ctx->{statedir}/eadb.tdb
 workgroup = $ctx->{domain}
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 50af3b2ed41..2cc028f5923 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
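Review bot: Dropping the `WITH_ACL` switch from provision_raw_step1 means this selftest target can no longer be provisioned with `acl:search = false`, while the option is still read by acl.c and acl_read.c in the same commit. As far as this hunk shows, the disabled path then has no test environment left; if it is meant to stay supported, a dedicated environment or test that sets it explicitly would keep it covered. Any remaining references to `WITH_ACL` in build or CI scripts would now be silently ignored, so they are worth searching for and removing together with this change. The body of provision_raw_step1 starts and ends outside the hunk.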
@@ -101,7 +101,7 @@ static int acl_module_init(struct ldb_module *module)
 }
 data->acl_search = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
- NULL, "acl", "search", false);
+ NULL, "acl", "search", true);
 ldb_module_set_private(module, data);
 mem_ctx = talloc_new(module);
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 60b0d87d952..92744f28ba7 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -397,7 +397,7 @@ static int aclread_init(struct ldb_module *module)
 if (p == NULL) {
 return ldb_module_oom(module);
 }
- p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false);
+ p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true);
 ldb_module_set_private(module, p);
 return ldb_next_init(module);
 }
--
2.11.4.GIT
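Review bot: The fallback passed to `lpcfg_parm_bool()` for `acl:search` in acl_module_init is a bare `true` that has to stay identical to the one in aclread_init (the acl_read.c hunk that follows), and nothing ties the two together. If a later edit changes only one of them, the acl and acl_read modules would disagree about whether search results are access-checked when the option is unset. A shared constant (name illustrative), for example `#define DSDB_ACL_SEARCH_DEFAULT true` in a header both files already include, passed as the last argument of both calls, would remove that risk. acl_module_init starts and ends outside the hunk.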
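Review bot: With the default flipped in aclread_init, `p->enabled` is false only when `acl:search = false` is set explicitly, and that state is silent. Judging by the commit subject, it disables access checking on searches, so an installation that carries the old setting in smb.conf would stay in that state after upgrading with nothing in the logs to show it. A message at init would surface this to operators, e.g. `if (!p->enabled) { DEBUG(0, ("acl_read: acl:search = false, access checks on search are disabled\n")); }` placed before `ldb_module_set_private(module, p);`. aclread_init starts outside the hunk.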