From fd44285d756de87280260c38d3f82c3b7961997d Mon Sep 17 00:00:00 2001
From: awalker <awalker@ixsystems.com>
Date: Fri, 13 Jul 2018 13:36:31 -0400
Subject: [PATCH] Set dacl_protected if no entries in ACL are inherited.

Signed-off-by: awalker <awalker@ixsystems.com>
---
 source3/modules/vfs_zfsacl.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index 43e41f9..08894af 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -51,6 +51,7 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn,
 	SMB_STRUCT_STAT sbuf;
 	const SMB_STRUCT_STAT *psbuf = NULL;
 	int ret;
+	bool inherited_is_present;
 	bool is_dir;
 
 	if (VALID_STAT(smb_fname->st)) {
@@ -117,6 +118,11 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn,
 			aceprop.aceMask |= SMB_ACE4_DELETE_CHILD;
 		}
 
+#ifdef ACE_INHERITED_ACE
+ 		if(aceprop.aceFlags & ACE_INHERITED_ACE) {
+ 			inherited_is_present = true;
+ 		}
+#endif
 		if(aceprop.aceFlags & ACE_OWNER) {
 			aceprop.flags = SMB_ACE4_ID_SPECIAL;
 			aceprop.who.special_id = SMB_ACE4_WHO_OWNER;
@@ -133,6 +139,13 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn,
 			return NT_STATUS_NO_MEMORY;
 	}
 
+#ifdef ACE_INHERITED_ACE
+ 	if (!inherited_is_present 
+	    && lp_parm_bool(conn->params->service, "zfsacl", "map_dacl_protected", False)){
+		DBG_DEBUG("setting dacl_protected flag on %s \n", smb_fname->base_name);
+		smbacl4_set_controlflags(pacl, SEC_DESC_DACL_PROTECTED|SEC_DESC_SELF_RELATIVE);
+	}
+#endif
 	*ppacl = pacl;
 	return NT_STATUS_OK;
 }
-- 
1.8.3.1