Created attachment 11422
Level 10 debug log

With vfs_fruit module we are encountering strange behaviour when OS X clients display file permissions and ACLs. Also permissions differ between files created when vfs_fruit module is ON and when it is OFF.

Server setup:
Gentoo Linux
Samba 4.2.3
Users in Active Directory

We were able to replicate this problem in 3 different AD, Samba environments. They have shares on different filesystems.
Production - EXT4 filesystem
Testing & Development - Btrfs filesystem

Fruit config (everything left to default):
vfs objects = catia fruit streams_xattr
[NOTE: we also tried to change settings fruit:nfs_aces and fruit:aapl without any visible results]

Client setup:
OS X 10.10.5 with Apple SMBX

Steps to reproduce:

[FRUIT is OFF]
-> mount samba share on OS X client

>> touch nofruit_acl_file
>> ls -lae@ nofruit_acl_file
-rwx------+ 1 apple SAMDOM\Domain Users 0 Sep 9 05:07 nofruit_acl_file
 0: user:apple inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: group:admin inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 2: group:SAMDOM\Domain Users inherited allow read,execute,readattr,readextattr,readsecurity
 3: user:administrator inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 4: group:SAMDOM\Domain Admins inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 5: user:root inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown

>> mkdir nofruit_acl_dir
>> ls -laed@ nofruit_acl_dir
drwx------+ 1 apple SAMDOM\Domain Users 16384 Sep 9 05:08 nofruit_acl_dir
 0: user:apple inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: group:admin inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: user:apple inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 3: group:owner inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit,only_inherit
 4: group:SAMDOM\Domain Users inherited allow list,search,readattr,readextattr,readsecurity
 5: group:group inherited allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit,only_inherit
 6: user:administrator inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 7: group:SAMDOM\Domain Admins inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 8: user:root inherited allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit

-> unmount samba share
-> TURN vfs_fruit ON
-> TURN ON level 10 debug logging

[FRUIT is ON]
-> mount samba share on OS X client

[NOTE: Let's see how permissions look on files we created previously when vfs_fruit was disabled]

>> ls -lae@ nofruit_acl_file
-rwxrwx---+ 1 apple SAMDOM\Domain Users 0 Sep 9 05:07 nofruit_acl_file
 0: user:apple allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: user:apple allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 2: group:SAMDOM\Domain Admins allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 3: user:root allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 4: group:admin allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 5: group:SAMDOM\Domain Users allow read,execute,readattr,readextattr,readsecurity
 6: group:SAMDOM\Domain Users allow read,execute,readattr,readextattr,readsecurity
 7: group:SAMDOM\Domain Admins allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 8: user:root allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 9: group:admin allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 10: user:administrator allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 11: group:everyone allow

>> ls -laed@ nofruit_acl_dir
drwxrwx---+ 1 apple SAMDOM\Domain Users 16384 Sep 9 05:08 nofruit_acl_dir
 0: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: group:SAMDOM\Fo allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 3: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 4: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 5: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
 6: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 7: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 8: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 9: user:administrator allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 10: group:everyone allow file_inherit,directory_inherit
 11: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity
 12: group:owner allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit,only_inherit
 13: group:group allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit,only_inherit

[NOTE: OS X clients interpret unix group permission bits differently. Also there are more ACEs displayed. For example OS X shows two ACEs for group Domain Admins]

-> Let's create some new files

>> touch fruit_acl_file
>> ls -lae@ fruit_acl_file
-rw-rwxr--+ 1 apple SAMDOM\Domain Users 0 Sep 9 05:13 fruit_acl_file
 0: user:apple allow read,write,append,readattr,writeattr,readextattr,writeextattr,readsecurity
 1: user:apple allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 2: group:SAMDOM\Domain Admins allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 3: user:root allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 4: group:admin allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 5: group:SAMDOM\Domain Users allow read,execute,readattr,readextattr,readsecurity
 6: group:SAMDOM\Domain Users allow read,readattr,readextattr,readsecurity
 7: user:apple allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 8: group:SAMDOM\Domain Admins allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 9: user:root allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 10: group:admin allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 11: user:administrator allow read,write,execute,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 12: group:everyone allow read,readattr,readextattr,readsecurity

>> mkdir fruit_acl_dir
>> ls -laed@ fruit_acl_dir
drwxrwxr-x+ 1 apple SAMDOM\Domain Users 16384 Sep 9 05:14 fruit_acl_dir
 0: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 3: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 4: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 5: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
 6: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 7: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 8: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 9: user:administrator allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 10: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity
 11: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 12: group:everyone allow list,search,readattr,readextattr,readsecurity
 13: group:owner allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit,only_inherit
 14: group:group allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit,only_inherit
 15: group:everyone allow file_inherit,directory_inherit,only_inherit

[NOTE: Permissions for files created with vfs_fruit enabled look different once again]

-> unmount samba share
-> turn OFF vfs_fruit and see how permissions for new files look now

[FRUIT is OFF]
-> mount samba share on OS X client

>> ls -lae@ fruit_acl_file
-rwx------+ 1 apple SAMDOM\Domain Users 0 Sep 9 05:13 fruit_acl_file
 0: user:apple allow read,write,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: user:apple allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 2: group:SAMDOM\Domain Admins allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 3: user:root allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 4: group:admin allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 5: group:SAMDOM\Domain Users allow read,execute,readattr,readextattr,readsecurity
 6: group:SAMDOM\Domain Users allow read,readattr,readextattr,readsecurity
 7: user:apple allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 8: group:SAMDOM\Domain Admins allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 9: user:root allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 10: group:admin allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 11: user:administrator allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 12: group:everyone allow read,readattr,readextattr,readsecurity

>> ls -laed@ fruit_acl_dir
drwx------+ 1 apple SAMDOM\Domain Users 16384 Sep 9 05:14 fruit_acl_dir
 0: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 3: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 4: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 5: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
 6: group:SAMDOM\Domain Admins allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 7: user:root allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 8: group:admin allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 9: user:administrator allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 10: group:SAMDOM\Domain Users allow list,search,readattr,readextattr,readsecurity
 11: user:apple allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 12: group:everyone allow list,search,readattr,readextattr,readsecurity
 13: group:owner allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit,only_inherit
 14: group:group allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit,only_inherit
 15: group:everyone allow file_inherit,directory_inherit,only_inherit

REAL POSIX ACLs how Gentoo Linux sees them:

# file: fruit_acl_dir
# owner: apple
# group: users
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:domain\040admins:rwx
user:apple:rwx
group::r-x
group:users:r-x
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:domain\040admins:rwx
group:apple:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:3000002:rwx
default:user:domain\040admins:rwx
default:user:apple:rwx
default:group::r-x
default:group:users:r-x
default:group:BUILTIN\134administrators:rwx
default:group:3000002:rwx
default:group:domain\040admins:rwx
default:group:apple:rwx
default:mask::rwx
default:other::---

# file: fruit_acl_file
# owner: apple
# group: users
user::rw-
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:domain\040admins:rwx
user:apple:rwx
group::r--
group:users:r-x
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:domain\040admins:rwx
group:apple:rwx
mask::rwx
other::r--

# file: nofruit_acl_dir
# owner: apple
# group: users
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:domain\040admins:rwx
group::r-x
group:users:r-x
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:domain\040admins:rwx
group:apple:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:3000002:rwx
default:user:domain\040admins:rwx
default:user:apple:rwx
default:group::r-x
default:group:users:r-x
default:group:BUILTIN\134administrators:rwx
default:group:3000002:rwx
default:group:domain\040admins:rwx
default:group:apple:rwx
default:mask::rwx
default:other::---

# file: nofruit_acl_file
# owner: apple
# group: users
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:domain\040admins:rwx
group::r-x
group:users:r-x
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:domain\040admins:rwx
group:apple:rwx
mask::rwx
other::---

What is going on?
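
A way to triage listings like the ones in this report, as an added example that is not part of the original report or of Samba: it parses `ls -le` ACE lines, counts principals that appear in more than one ACE, and reports the rights each principal lost or gained between two listings. The sample input is the report's two nofruit_acl_file listings (fruit off, then on), rebuilt compactly; all function and variable names are illustrative.

```python
import re
from collections import Counter, defaultdict

# One ACE line of `ls -le`: index, principal (may contain spaces), [inherited], allow|deny, [rights]
ACE_RE = re.compile(r"^\s*\d+:\s+((?:user|group):.+?)\s+(inherited\s+)?(allow|deny)(?:\s+(\S+))?\s*$")

def parse_acl(listing):
    """Return [(principal, inherited, kind, rights)]; non-ACE lines are skipped."""
    aces = []
    for line in listing.splitlines():
        m = ACE_RE.match(line)
        if m:
            rights = frozenset(m.group(4).split(",")) if m.group(4) else frozenset()
            aces.append((m.group(1), bool(m.group(2)), m.group(3), rights))
    return aces

def duplicates(aces):
    """Principals that appear in more than one ACE, with their ACE count."""
    counts = Counter(who for who, _, _, _ in aces)
    return {who: n for who, n in counts.items() if n > 1}

def allowed(aces):
    """Union of allow rights per principal; only_inherit ACEs (children only) are skipped."""
    out = defaultdict(set)
    for who, _, kind, rights in aces:
        if kind == "allow" and "only_inherit" not in rights:
            out[who] |= rights
    return out

def diff(before, after):
    """Per principal: (rights lost, rights gained) between two listings."""
    a, b = allowed(parse_acl(before)), allowed(parse_acl(after))
    changes = {}
    for who in sorted(set(a) | set(b)):
        lost, gained = a[who] - b[who], b[who] - a[who]
        if lost or gained:
            changes[who] = (sorted(lost), sorted(gained))
    return changes

# Sample input: the report's two nofruit_acl_file listings, rebuilt compactly.
FULL = ("read,write,execute,delete,append,readattr,writeattr,readextattr,"
        "writeextattr,readsecurity,writesecurity,chown")
NODEL, RO = FULL.replace("delete,", ""), "read,execute,readattr,readextattr,readsecurity"
DU, DA = r"group:SAMDOM\Domain Users", r"group:SAMDOM\Domain Admins"
OFF = [("user:apple", FULL), ("group:admin", FULL), (DU, RO),
       ("user:administrator", FULL), (DA, FULL), ("user:root", FULL)]
ON = [("user:apple", NODEL), ("user:apple", NODEL), (DA, NODEL), ("user:root", NODEL),
      ("group:admin", NODEL), (DU, RO), (DU, RO), (DA, NODEL), ("user:root", NODEL),
      ("group:admin", NODEL), ("user:administrator", NODEL), ("group:everyone", "")]
FRUIT_OFF = "\n".join(f" {i}: {w} inherited allow {r}" for i, (w, r) in enumerate(OFF))
FRUIT_ON = "\n".join(f" {i}: {w} allow {r}".rstrip() for i, (w, r) in enumerate(ON))

if __name__ == "__main__":
    print(duplicates(parse_acl(FRUIT_ON)), diff(FRUIT_OFF, FRUIT_ON), sep="\n")
```

On the report's data this shows five principals listed twice with fruit on, and `delete` missing from every full-access ACE compared with the fruit-off listing.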