From ace4ea8df0ae242233d31f87bcb1aec310d903af Mon Sep 17 00:00:00 2001
From: Christian Ambach
Date: Tue, 25 Sep 2012 01:34:04 +0200
Subject: [PATCH 1/3] s3:nfs4acls pass down fsp instead of just the filename
---
source3/modules/nfs4_acls.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index ac56bfb..cc3480c 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -574,7 +574,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special( static bool smbacl4_fill_ace4( TALLOC_CTX *mem_ctx, - const char *filename, + const files_struct *fsp, smbacl4_vfs_params *params, uid_t ownerUID, gid_t ownerGID,
@@ -582,6 +582,7 @@ static bool smbacl4_fill_ace4( SMB_ACE4PROP_T *ace_v4 /* output */ ) { + const char *filename = fsp->fsp_name->base_name; DEBUG(10, ("got ace for %s\n", sid_string_dbg(&ace_nt->trustee))); memset(ace_v4, 0, sizeof(SMB_ACE4PROP_T));
@@ -673,7 +674,7 @@ static int smbacl4_MergeIgnoreReject( } static SMB4ACL_T *smbacl4_win2nfs4( - const char *filename, + const files_struct *fsp, const struct security_acl *dacl, smbacl4_vfs_params *pparams, uid_t ownerUID,
@@ -683,6 +684,7 @@ static SMB4ACL_T *smbacl4_win2nfs4( SMB4ACL_T *theacl; uint32 i; TALLOC_CTX *mem_ctx = talloc_tos(); + const char *filename = fsp->fsp_name->base_name; DEBUG(10, ("smbacl4_win2nfs4 invoked\n"));
@@ -694,7 +696,7 @@ static SMB4ACL_T *smbacl4_win2nfs4( SMB_ACE4PROP_T ace_v4; bool addNewACE = True; - if (!smbacl4_fill_ace4(mem_ctx, filename, pparams, + if (!smbacl4_fill_ace4(mem_ctx, fsp, pparams, ownerUID, ownerGID, dacl->aces + i, &ace_v4)) { DEBUG(3, ("Could not fill ace for file %s, SID %s\n",
@@ -791,7 +793,7 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, return NT_STATUS_OK; } - theacl = smbacl4_win2nfs4(fsp->fsp_name->base_name, psd->dacl, ¶ms, + theacl = smbacl4_win2nfs4(fsp, psd->dacl, ¶ms, sbuf.st_ex_uid, sbuf.st_ex_gid); if (!theacl) return map_nt_error_from_unix(errno);
--
1.7.11.4
From 804cbb885b4debebcf2a2c0e07c0fde22828b5ea Mon Sep 17 00:00:00 2001
From: Christian Ambach
Date: Tue, 25 Sep 2012 03:25:36 +0200
Subject: [PATCH 2/3] s3:nfs4acls filter away inheritance flags on files While it is possible to define inheritance flags on files on Windows, this will be denied by GPFS and UFS (and potentially others). So it will be better to strip of these bits when being set for files instead of failing to set the ACL completely (this is current behavior). Users that want to retain the full SD will have to use acl_xattr (acl_tdb), as other pieces of the SD are also lost when translating to NFSv4. So this should not be a too intrusive change, but allow users to migrate data with such flags instead of failing to migrate the ACL completely.
---
source3/modules/nfs4_acls.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index cc3480c..b4fd514 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -592,6 +592,17 @@ static bool smbacl4_fill_ace4( ace_v4->aceFlags = map_windows_ace_flags_to_nfs4_ace_flags( ace_nt->flags); + + /* remove inheritance flags on files */ + if (VALID_STAT(fsp->fsp_name->st) && + !S_ISDIR(fsp->fsp_name->st.st_ex_mode)) { + DEBUG(10, ("Removing inheritance flags from a file\n")); + ace_v4->aceFlags &= ~(SMB_ACE4_FILE_INHERIT_ACE| + SMB_ACE4_DIRECTORY_INHERIT_ACE| + SMB_ACE4_NO_PROPAGATE_INHERIT_ACE| + SMB_ACE4_INHERIT_ONLY_ACE); + } + ace_v4->aceMask = ace_nt->access_mask & (SEC_STD_ALL | SEC_FILE_ALL);
--
1.7.11.4
From 6d50495d72bd2613c3b3d5456b0ec985006175b9 Mon Sep 17 00:00:00 2001
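Review bot: In the `@@ -592,6 +592,17 @@` hunk of patch 2/3, masking off `SMB_ACE4_INHERIT_ONLY_ACE` changes what the ACE means instead of only dropping inheritance: an inherit-only ACE does not apply to the object it is stored on, so once the bit is cleared an ALLOW or DENY entry that had no effect on the file becomes an effective one. For non-directories it would be safer to drop such entries than to convert them, for example by testing `ace_v4->aceFlags & SMB_ACE4_INHERIT_ONLY_ACE` before the mask and letting the caller skip the ACE; how a skip should be signalled depends on the return handling in smbacl4_win2nfs4, which lies outside this hunk. The rewrite is also reported only at `DEBUG(10, ...)`, so at normal log levels nothing records that the stored ACL differs from the one the client requested; a lower debug level and a comment stating the inherit-only decision would help anyone auditing permissions after a migration. smbacl4_fill_ace4 starts and ends outside the hunk.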
From: Volker Lendecke
Date: Tue, 9 Oct 2012 09:41:41 +0200
Subject: [PATCH 3/3] s3: Pass down smb_filename to smbacl4_fill_ace4 A full fsp is a bit overkill here The last three patches fix Bug 9208 Cannot migrate files with inheritance flags to share on top of NFSv4 filesystem
Autobuild-User(master): Volker Lendecke
Autobuild-Date(master): Tue Oct 9 13:38:49 CEST 2012 on sn-devel-104
---
source3/modules/nfs4_acls.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index b4fd514..05f90f7 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -574,7 +574,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special( static bool smbacl4_fill_ace4( TALLOC_CTX *mem_ctx, - const files_struct *fsp, + const struct smb_filename *filename, smbacl4_vfs_params *params, uid_t ownerUID, gid_t ownerGID,
@@ -582,7 +582,6 @@ static bool smbacl4_fill_ace4( SMB_ACE4PROP_T *ace_v4 /* output */ ) { - const char *filename = fsp->fsp_name->base_name; DEBUG(10, ("got ace for %s\n", sid_string_dbg(&ace_nt->trustee))); memset(ace_v4, 0, sizeof(SMB_ACE4PROP_T));
@@ -594,8 +593,8 @@ static bool smbacl4_fill_ace4( ace_nt->flags); /* remove inheritance flags on files */ - if (VALID_STAT(fsp->fsp_name->st) && - !S_ISDIR(fsp->fsp_name->st.st_ex_mode)) { + if (VALID_STAT(filename->st) && + !S_ISDIR(filename->st.st_ex_mode)) { DEBUG(10, ("Removing inheritance flags from a file\n")); ace_v4->aceFlags &= ~(SMB_ACE4_FILE_INHERIT_ACE| SMB_ACE4_DIRECTORY_INHERIT_ACE|
@@ -641,7 +640,8 @@ static bool smbacl4_fill_ace4( } } else { DEBUG(1, ("nfs4_acls.c: file [%s]: could not " - "convert %s to uid or gid\n", filename, + "convert %s to uid or gid\n", + filename->base_name, sid_string_dbg(&ace_nt->trustee))); return False; }
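Review bot: In the `@@ -594,8 +593,8 @@` hunk the file-or-directory decision rests on the stat cached in `filename->st`, and when `VALID_STAT(filename->st)` is false the inheritance flags are passed through with no log line, which presumably falls back to the rejected-ACL behaviour this series sets out to fix. The caller smb_set_nt_acl_nfs4 already holds an `sbuf` that supplies `sbuf.st_ex_uid` and `sbuf.st_ex_gid` (visible in the `@@ -791,7 +793,7 @@` hunk of patch 1/3), so the owner and the file type may come from two different stat results. Consider deriving the directory test from that same `sbuf`, or at least documenting the fall-through with a comment such as `/* stat not valid: inheritance flags left untouched, backend may reject the ACL */` and a debug message on that path. The body of smbacl4_fill_ace4 extends beyond this hunk.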
@@ -707,7 +707,7 @@ static SMB4ACL_T *smbacl4_win2nfs4( SMB_ACE4PROP_T ace_v4; bool addNewACE = True; - if (!smbacl4_fill_ace4(mem_ctx, fsp, pparams, + if (!smbacl4_fill_ace4(mem_ctx, fsp->fsp_name, pparams, ownerUID, ownerGID, dacl->aces + i, &ace_v4)) { DEBUG(3, ("Could not fill ace for file %s, SID %s\n",
--
1.7.11.4