From 58721f9b42b492e3b8b1a8061d2c27f23e3051d8 Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Wed, 25 Jul 2012 16:23:57 +0200 Subject: [PATCH 1/5] s3: Move up declaration of params struct and related function. We need the parameters earlier in the code so we move up the declaration of the params struct. Since reading the parameters is closely related the definition of the function smbacl4_get_vfs_params has also been moved up. --- source3/modules/nfs4_acls.c | 98 +++++++++++++++++++++---------------------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 67db6b0..b2a5406 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
@@ -54,6 +54,55 @@ typedef struct _SMB_ACL4_INT_T SMB_ACE4_INT_T *last; } SMB_ACL4_INT_T; +enum smbacl4_mode_enum {e_simple=0, e_special=1}; +enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3}; + +typedef struct _smbacl4_vfs_params { + enum smbacl4_mode_enum mode; + bool do_chown; + enum smbacl4_acedup_enum acedup; +} smbacl4_vfs_params; + +/* + * Gather special parameters for NFS4 ACL handling + */ +static int smbacl4_get_vfs_params( + const char *type_name, + files_struct *fsp, + smbacl4_vfs_params *params +) +{ + static const struct enum_list enum_smbacl4_modes[] = { + { e_simple, "simple" }, + { e_special, "special" }, + { -1 , NULL } + }; + static const struct enum_list enum_smbacl4_acedups[] = { + { e_dontcare, "dontcare" }, + { e_reject, "reject" }, + { e_ignore, "ignore" }, + { e_merge, "merge" }, + { -1 , NULL } + }; + + memset(params, 0, sizeof(smbacl4_vfs_params)); + params->mode = (enum smbacl4_mode_enum)lp_parm_enum( + SNUM(fsp->conn), type_name, + "mode", enum_smbacl4_modes, e_simple); + params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, + "chown", True); + params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( + SNUM(fsp->conn), type_name, + "acedup", enum_smbacl4_acedups, e_dontcare); + + DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", + enum_smbacl4_modes[params->mode].name, + params->do_chown ? "true" : "false", + enum_smbacl4_acedups[params->acedup].name)); + + return 0; +} + /************************************************ Split the ACE flag mapping between nfs4 and Windows into two separate functions rather than trying to do 
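Review bot: The DEBUG call at the end of smbacl4_get_vfs_params indexes `enum_smbacl4_modes[params->mode]` and `enum_smbacl4_acedups[params->acedup]` with whatever lp_parm_enum returned, with no range check. This relies on every enum value equalling its table position. If lp_parm_enum can return a value outside the list for an unrecognised smb.conf setting (its failure value is not visible here, so confirm), the lookup reads outside the array once debug level 10 is enabled. Check both fields before the DEBUG, e.g. `if ((int)params->mode < 0 || params->mode > e_special) params->mode = e_simple;` and likewise for acedup, or return non-zero so the share fails closed on a bad setting. The function currently always returns 0, so the callers' error branch is never exercised.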
@@ -461,55 +510,6 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, theacl); } -enum smbacl4_mode_enum {e_simple=0, e_special=1}; -enum smbacl4_acedup_enum {e_dontcare=0, e_reject=1, e_ignore=2, e_merge=3}; - -typedef struct _smbacl4_vfs_params { - enum smbacl4_mode_enum mode; - bool do_chown; - enum smbacl4_acedup_enum acedup; -} smbacl4_vfs_params; - -/* - * Gather special parameters for NFS4 ACL handling - */ -static int smbacl4_get_vfs_params( - const char *type_name, - files_struct *fsp, - smbacl4_vfs_params *params -) -{ - static const struct enum_list enum_smbacl4_modes[] = { - { e_simple, "simple" }, - { e_special, "special" }, - { -1 , NULL } - }; - static const struct enum_list enum_smbacl4_acedups[] = { - { e_dontcare, "dontcare" }, - { e_reject, "reject" }, - { e_ignore, "ignore" }, - { e_merge, "merge" }, - { -1 , NULL } - }; - - memset(params, 0, sizeof(smbacl4_vfs_params)); - params->mode = (enum smbacl4_mode_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, - "mode", enum_smbacl4_modes, e_simple); - params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, - "chown", True); - params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, - "acedup", enum_smbacl4_acedups, e_dontcare); - - DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", - enum_smbacl4_modes[params->mode].name, - params->do_chown ? "true" : "false", - enum_smbacl4_acedups[params->acedup].name)); - - return 0; -} - static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl) { SMB_ACL4_INT_T *aclint = get_validated_aclint(theacl); -- 1.7.9.5 From 2fe0b651d00e4e4c9bf6707cf6b52d55f4b69f6b Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 26 Jul 2012 17:11:03 +0200 Subject: [PATCH 2/5] s3: Change smbacl4_get_vfs_params to use connection_struct instead of fsp. --- source3/modules/nfs4_acls.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index b2a5406..7a064be 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -68,7 +68,7 @@ typedef struct _smbacl4_vfs_params { */ static int smbacl4_get_vfs_params( const char *type_name, - files_struct *fsp, + struct connection_struct *conn, smbacl4_vfs_params *params ) { @@ -87,12 +87,12 @@ static int smbacl4_get_vfs_params( memset(params, 0, sizeof(smbacl4_vfs_params)); params->mode = (enum smbacl4_mode_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, + SNUM(conn), type_name, "mode", enum_smbacl4_modes, e_simple); - params->do_chown = lp_parm_bool(SNUM(fsp->conn), type_name, + params->do_chown = lp_parm_bool(SNUM(conn), type_name, "chown", True); params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( - SNUM(fsp->conn), type_name, + SNUM(conn), type_name, "acedup", enum_smbacl4_acedups, e_dontcare); DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", @@ -761,7 +761,8 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, } /* Special behaviours */ - if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp, ¶ms)) + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, + fsp->conn, ¶ms)) return NT_STATUS_NO_MEMORY; if (smbacl4_fGetFileOwner(fsp, &sbuf)) -- 1.7.9.5 From e537df44d71612607ac5e18e7327ba2bcbba0f6c Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 26 Jul 2012 17:29:12 +0200 Subject: [PATCH 3/5] s3: Add params parameter to smbacl4_nfs42win function. --- source3/modules/nfs4_acls.c | 37 +++++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 7a064be..5bb4847 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c 
@@ -308,7 +308,9 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf) return 0; } -static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */ +static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, + smbacl4_vfs_params *params, + SMB4ACL_T *theacl, /* in */ struct dom_sid *psid_owner, /* in */ struct dom_sid *psid_group, /* in */ bool is_directory, /* in */ @@ -418,10 +420,13 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */ } static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf, - uint32 security_info, TALLOC_CTX *mem_ctx, - struct security_descriptor **ppdesc, SMB4ACL_T *theacl) + smbacl4_vfs_params *params, + uint32 security_info, + TALLOC_CTX *mem_ctx, + struct security_descriptor **ppdesc, + SMB4ACL_T *theacl) { - int good_aces = 0; + int good_aces = 0; struct dom_sid sid_owner, sid_group; size_t sd_size = 0; struct security_ace *nt_ace_list = NULL; @@ -436,7 +441,7 @@ static NTSTATUS smb_get_nt_acl_nfs4_common(const SMB_STRUCT_STAT *sbuf, uid_to_sid(&sid_owner, sbuf->st_ex_uid); gid_to_sid(&sid_group, sbuf->st_ex_gid); - if (smbacl4_nfs42win(mem_ctx, theacl, &sid_owner, &sid_group, + if (smbacl4_nfs42win(mem_ctx, params, theacl, &sid_owner, &sid_group, S_ISDIR(sbuf->st_ex_mode), &nt_ace_list, &good_aces)==False) { DEBUG(8,("smbacl4_nfs42win failed\n")); @@ -478,6 +483,7 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, SMB4ACL_T *theacl) { SMB_STRUCT_STAT sbuf; + smbacl4_vfs_params params; DEBUG(10, ("smb_fget_nt_acl_nfs4 invoked for %s\n", fsp_str_dbg(fsp))); 
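Review bot: The new `smbacl4_vfs_params *params` argument on smbacl4_nfs42win (first hunk) and smb_get_nt_acl_nfs4_common (second hunk) is a mutable pointer, although nothing visible in these hunks writes through it. Declaring it `const smbacl4_vfs_params *params` in both signatures documents that the share settings are read-only on the get-ACL path and lets the compiler reject an accidental write. smbacl4_nfs42win does not use the argument yet in this patch, so a short annotation such as `/* in: share-level nfs4 settings */` would match the `/* in */` comments on the neighbouring parameters. Both function bodies continue outside the hunks.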
@@ -485,9 +491,12 @@ NTSTATUS smb_fget_nt_acl_nfs4(files_struct *fsp, return map_nt_error_from_unix(errno); } - return smb_get_nt_acl_nfs4_common(&sbuf, security_info, - mem_ctx, ppdesc, - theacl); + /* Special behaviours */ + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, fsp->conn, ¶ms)) + return NT_STATUS_NO_MEMORY; + + return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info, + mem_ctx, ppdesc, theacl); } NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, @@ -498,6 +507,7 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, SMB4ACL_T *theacl) { SMB_STRUCT_STAT sbuf; + smbacl4_vfs_params params; DEBUG(10, ("smb_get_nt_acl_nfs4 invoked for %s\n", name)); @@ -505,9 +515,12 @@ NTSTATUS smb_get_nt_acl_nfs4(struct connection_struct *conn, return map_nt_error_from_unix(errno); } - return smb_get_nt_acl_nfs4_common(&sbuf, security_info, - mem_ctx, ppdesc, - theacl); + /* Special behaviours */ + if (smbacl4_get_vfs_params(SMBACL4_PARAM_TYPE_NAME, conn, ¶ms)) + return NT_STATUS_NO_MEMORY; + + return smb_get_nt_acl_nfs4_common(&sbuf, ¶ms, security_info, + mem_ctx, ppdesc, theacl); } static void smbacl4_dump_nfs4acl(int level, SMB4ACL_T *theacl) @@ -547,7 +560,7 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special( aceint=(SMB_ACE4_INT_T *)aceint->next) { SMB_ACE4PROP_T *ace = &aceint->prop; - DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x " + DEBUG(10,("ace type:0x%x flags:0x%x aceFlags:0x%x " "new type:0x%x flags:0x%x aceFlags:0x%x\n", ace->aceType, ace->flags, ace->aceFlags, aceNew->aceType, aceNew->flags,aceNew->aceFlags)); -- 1.7.9.5 From 518d89dd2e2ddfc8d72f3ee25d81da813221dc5b Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Wed, 25 Apr 2012 15:10:20 +0200 Subject: [PATCH 4/5] s3: Mapping of special entries to creator owner in mode simple. --- source3/modules/nfs4_acls.c | 59 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 6 deletions(-) 
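Review bot: In smb_fget_nt_acl_nfs4 (first hunk) a non-zero return from smbacl4_get_vfs_params is reported as `NT_STATUS_NO_MEMORY`, and the smb_get_nt_acl_nfs4 hunk adds the same lines. The helper shown earlier in this series allocates nothing and always returns 0, so the status would mislead anyone reading logs if that branch is ever taken. A status that describes a configuration problem, for instance `NT_STATUS_INVALID_PARAMETER`, would fit better. The two-line `if` should also be braced in both places, `if (smbacl4_get_vfs_params(...)) { return ...; }`, so a later edit cannot detach the return from the condition.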
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 5bb4847..730ab02 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -327,10 +327,11 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, aclint = get_validated_aclint(theacl); /* We do not check for naces being 0 or theacl being NULL here - * because it is done upstream */ - /* in smb_get_nt_acl_nfs4(). */ + because it is done upstream in smb_get_nt_acl_nfs4(). + We reserve twice the number of input aces because one nfs4 + ace might result in 2 nt aces.*/ nt_ace_list = (struct security_ace *)TALLOC_ZERO_SIZE( - mem_ctx, aclint->naces * sizeof(struct security_ace)); + mem_ctx, 2 * aclint->naces * sizeof(struct security_ace)); if (nt_ace_list==NULL) { DEBUG(10, ("talloc error")); 
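Review bot: The new size expression `2 * aclint->naces * sizeof(struct security_ace)` is computed without an overflow check, and naces comes from the ACL being converted. If naces is a 32-bit field (its declaration is outside the hunk), `2 * aclint->naces` can wrap before it is widened, leaving nt_ace_list smaller than the number of entries the loop later writes. Bound the count first and let the allocator do the multiplication, e.g. `if (aclint->naces > UINT32_MAX / 2) return False;` followed by `talloc_zero_array(mem_ctx, struct security_ace, 2 * aclint->naces)`. The function body continues outside the hunk.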
@@ -408,11 +409,57 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, if(ace->aceType == SMB_ACE4_ACCESS_ALLOWED_ACE_TYPE) { mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE; } - init_sec_ace(&nt_ace_list[good_aces++], &sid, - ace->aceType, mask, - win_ace_flags); + + /* Mapping of special entries to creator owner. */ + if (params->mode == e_simple && + ace->flags & SMB_ACE4_ID_SPECIAL && + (ace->who.special_id == SMB_ACE4_WHO_OWNER || + ace->who.special_id == SMB_ACE4_WHO_GROUP)) { + DEBUG(10, ("Map special entry\n")); + + if (ace->who.special_id == SMB_ACE4_WHO_OWNER && + win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + uint32_t win_ace_flags_creator; + DEBUG(10, ("Map creator owner\n")); + win_ace_flags_creator = win_ace_flags | + SMB_ACE4_INHERIT_ONLY_ACE; + init_sec_ace(&nt_ace_list[good_aces++], + &global_sid_Creator_Owner, + ace->aceType, mask, + win_ace_flags_creator); + } + if (ace->who.special_id == SMB_ACE4_WHO_GROUP && + win_ace_flags & (SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT)) { + uint32_t win_ace_flags_creator; + DEBUG(10, ("Map creator owner group\n")); + win_ace_flags_creator = win_ace_flags | + SMB_ACE4_INHERIT_ONLY_ACE; + init_sec_ace(&nt_ace_list[good_aces++], + &global_sid_Creator_Group, + ace->aceType, mask, + win_ace_flags_creator); + } + if (!(win_ace_flags & SEC_ACE_FLAG_INHERIT_ONLY)) { + DEBUG(10, ("Map current sid\n")); + win_ace_flags &= + ~(SEC_ACE_FLAG_OBJECT_INHERIT | + SEC_ACE_FLAG_CONTAINER_INHERIT); + init_sec_ace(&nt_ace_list[good_aces++], &sid, + ace->aceType, mask, + win_ace_flags); + } + } else { + DEBUG(10, ("Map normal sid\n")); + init_sec_ace(&nt_ace_list[good_aces++], &sid, + ace->aceType, mask, + win_ace_flags); + } } + nt_ace_list = (struct security_ace *)TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace)); + *ppnt_ace_list = nt_ace_list; *pgood_aces = good_aces; -- 1.7.9.5 
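Review bot: The result of the added `TALLOC_REALLOC(mem_ctx, nt_ace_list, good_aces * sizeof(struct security_ace))` is stored straight back into nt_ace_list and passed to the caller through `*ppnt_ace_list` without a NULL check. On allocation failure the original list is lost and the caller receives a NULL pointer together with a non-zero `*pgood_aces`. Assign to a temporary and fail instead, e.g. `tmp = TALLOC_REALLOC(...); if (tmp == NULL) { TALLOC_FREE(nt_ace_list); return False; }`, and decide explicitly what an empty result (good_aces == 0) should return. Separately, `win_ace_flags_creator` is built with the NFSv4 constant `SMB_ACE4_INHERIT_ONLY_ACE`, while the test a few lines below uses `SEC_ACE_FLAG_INHERIT_ONLY` on the same Windows flag word; using the SEC_ACE_ constant in both places avoids depending on the two values matching. The enclosing function starts and ends outside the hunk.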
From b49afe298abadc18153ea88ab57ab275cbbf9a8a Mon Sep 17 00:00:00 2001 From: Alexander Werth Date: Thu, 10 May 2012 14:19:41 +0200 Subject: [PATCH 5/5] s3: Mapping of cifs creator owner to nfs owner@ ace. --- source3/modules/nfs4_acls.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 730ab02..e112728 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -684,6 +684,14 @@ static bool smbacl4_fill_ace4( if (dom_sid_equal(&ace_nt->trustee, &global_sid_World)) { ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE; ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + } else if (dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Owner)) { + DEBUG(10, ("Map creator owner\n")); + ace_v4->who.special_id = SMB_ACE4_WHO_OWNER; + ace_v4->flags |= SMB_ACE4_ID_SPECIAL; + } else if (dom_sid_equal(&ace_nt->trustee, &global_sid_Creator_Group)) { + DEBUG(10, ("Map creator owner group\n")); + ace_v4->who.special_id = SMB_ACE4_WHO_GROUP; + ace_v4->flags |= SMB_ACE4_ID_SPECIAL; } else { uid_t uid; gid_t gid; -- 1.7.9.5
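Review bot: The two new branches in smbacl4_fill_ace4 translate a Creator Owner / Creator Group trustee to OWNER@ / GROUP@ but leave the inheritance bits of the resulting ace untouched. On Windows those SIDs are only placeholders for inheritance, whereas OWNER@ without an inherit-only flag applies to the current owner of the object itself. Unless the flag mapping elsewhere in the function (outside this hunk) already guarantees inherit-only, the stored ACL could give the present owner or group access the client did not request. Consider forcing it in both branches, e.g. `ace_v4->aceFlags |= SMB_ACE4_INHERIT_ONLY_ACE;`, and skipping the entry when the incoming ace carries no inherit flag. The mapping also runs regardless of `params->mode`, while the reverse mapping in patch 4 is limited to `e_simple`; a comment saying whether that asymmetry is intended would help.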