When ZFS aclmode is set to "passthrough" chmod(2)/fchmod(2) will result in special entries being modified in a way such that delete, delete_child, write_named_attr, write_attribute are stripped from the returned ACL entry, and the kernel / ZFS treats this as having rights equivalent to the desired POSIX mode. Historically, samba has added delete_child to the NFSv4 ACL, but this is only really called for in the case of special entries in this particular circumstance. Alter circumstances in which delete_child is granted so that it only is added to special entries. This preserves the intended post-chmod behavior, but avoids unnecessarily increasing permissions in cases where it's not intended. Further modification of this behavior may be required so that we grant a general read or general write permissions set in case of POSIX read / POSIX write on special entries.
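The change requested in the report above, modelled as an added example (not Samba's code and not written by the reporter): a mask-mapping function that grants delete_child either to any entry or only to special entries. The `demo_ace` structure, the function names, the sample ACL and the trigger condition (add_file on a directory) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NFSv4 ACE mask bits (values from the NFSv4 specification). */
#define ACE4_READ_DATA    0x00000001u
#define ACE4_ADD_FILE     0x00000002u /* same bit as WRITE_DATA */
#define ACE4_EXECUTE      0x00000020u
#define ACE4_DELETE_CHILD 0x00000040u

/* Hypothetical ACE model for illustration, not Samba's structure. */
struct demo_ace { const char *who; bool special; uint32_t mask; };

/* Constructed sample: directory ACL as it might look after chmod 755
 * under aclmode=passthrough, plus one named-user entry. */
static const struct demo_ace sample_acl[] = {
    { "owner@",    true,  ACE4_READ_DATA | ACE4_ADD_FILE | ACE4_EXECUTE },
    { "group@",    true,  ACE4_READ_DATA | ACE4_EXECUTE },
    { "everyone@", true,  ACE4_READ_DATA | ACE4_EXECUTE },
    { "user:bob",  false, ACE4_READ_DATA | ACE4_ADD_FILE | ACE4_EXECUTE },
};
#define SAMPLE_LEN (sizeof(sample_acl) / sizeof(sample_acl[0]))

/* Assumption: delete_child is considered when a directory entry has
 * add_file. special_only=false models the historical behaviour,
 * special_only=true the behaviour the report asks for. */
static uint32_t map_mask(const struct demo_ace *ace, bool is_dir, bool special_only)
{
    uint32_t mask = ace->mask;
    if (is_dir && (mask & ACE4_ADD_FILE) && (ace->special || !special_only))
        mask |= ACE4_DELETE_CHILD;
    return mask;
}

/* Number of non-special entries that gain rights the stored ACL lacks. */
static size_t widened_named_entries(const struct demo_ace *acl, size_t n, bool special_only)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (!acl[i].special && map_mask(&acl[i], true, special_only) != acl[i].mask)
            count++;
    return count;
}

int main(void)
{
    printf("historical: %zu widened named entries\n", widened_named_entries(sample_acl, SAMPLE_LEN, false));
    printf("special-only: %zu widened named entries\n", widened_named_entries(sample_acl, SAMPLE_LEN, true));
    return 0;
}
```
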
This bug was referenced in samba master: a182f2e6cdded739812e209430d340097acc0031 13b4f913b06457d8e1f7cf71c85722bbecabd990 c1a37b4f31d5252ce074d41f69e526aa84b0d3b3
Created attachment 16299: Patch for 4.12 and 4.13 cherry-picked from master
Karolin, make sure to apply the patch from #14470 before this one.
Re-assigning to Karolin for inclusion in 4.13.next, 4.12.next.
(In reply to Jeremy Allison from comment #4) Pushed to autobuild-v4-{13,12}-test.
This bug was referenced in samba v4-13-test: 2a6c27d63b75c8535d239a7e9eeefc6e59cdf276 c64c277b607a3688f86c333fbb3ba151c8667964 d9d661993d4c7619465364905a39e0c90727a4cf
This bug was referenced in samba v4-12-test: b260c3003bbb0ca9f539ad5cae5364c0fcd5515b e14dfa439e720719fbb4ff7ab8265e4a59c81278 e1f7e422bd560196f735c96e6bf6d84524d169a7
Closing out bug report. Thanks!
This bug was referenced in samba v4-13-stable (Release samba-4.13.2): 2a6c27d63b75c8535d239a7e9eeefc6e59cdf276 c64c277b607a3688f86c333fbb3ba151c8667964 d9d661993d4c7619465364905a39e0c90727a4cf
This bug was referenced in samba v4-12-stable (Release samba-4.12.10): b260c3003bbb0ca9f539ad5cae5364c0fcd5515b e14dfa439e720719fbb4ff7ab8265e4a59c81278 e1f7e422bd560196f735c96e6bf6d84524d169a7