I was unable to properly manipulate ACLs on a w2k3 share. Windows clients complained about the order of ACEs after any change to the ACL, and after any SD modification all w2k inheritance semantics were lost. Patch attached.
Created attachment 3670 [details] Proposed patch. Tested on a w2k3 share. Before the change, Windows clients complained about wrong ACE order, and objects in the affected container were created with SEC_ACE_FLAG_INHERITED_ACE unset (nt4 semantics, afaik). This patch fixed the issues.
Created attachment 3677 [details] Patch I actually pushed. This is what I pushed. I added features to get/set the inherit flags as symbolic names to make things easier to experiment with. I am still not convinced of the need for SEC_DESC_DACL_AUTO_INHERIT_REQ on the DACL on set - can you please explain what caused you to set this in your patch? Jeremy.
See also the ace_compare() function in source3/libsmb/libsmb_xattr.c. I'd fixed a similar problem a while ago, and found additional documentation mentioned in the comment of that function. Derrell
Thanks a lot for looking into this. Your patch is definitely much fancier :) I hope you'll find the following typescript convincing enough.

Here I use your version unmodified (I have //venus/work mounted to ~/venus-work):

pavel@paulfertser:~$ mkdir venus-work/p.fertser/test-dir
pavel@paulfertser:~$ smbcacls -k //venus/work p.fertser/test-dir
REVISION:1
CONTROL:0x8404
OWNER:WORK\P.Fertser
GROUP:WORK\Domain users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:WORK\P.Fertser:ALLOWED/I/FULL
ACL:CREATOR-OWNER:ALLOWED/OI|CI|IO|I/FULL
pavel@paulfertser:~$ smbcacls -k //venus/work p.fertser/test-dir -M "ACL:WORK\P.Fertser:ALLOWED/I/FULL"
pavel@paulfertser:~$ smbcacls -k //venus/work p.fertser/test-dir
REVISION:1
CONTROL:0x8004
OWNER:WORK\P.Fertser
GROUP:WORK\Domain users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:WORK\P.Fertser:ALLOWED/I/FULL
ACL:CREATOR-OWNER:ALLOWED/OI|CI|IO|I/FULL
pavel@paulfertser:~$ mkdir venus-work/p.fertser/test-dir/test-subdir
pavel@paulfertser:~$ smbcacls -k //venus/work p.fertser/test-dir/test-subdir
REVISION:1
CONTROL:0x8004
OWNER:WORK\P.Fertser
GROUP:WORK\Domain users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI/FULL
ACL:WORK\P.Fertser:ALLOWED/0x0/FULL
ACL:CREATOR-OWNER:ALLOWED/OI|CI|IO|I/FULL

You see how all ACEs (except the one having the "generic SID") in the subdir don't have "I" set?

And now the same but with SEC_DESC_DACL_AUTO_INHERIT_REQ set:

pavel@paulfertser:~$ mkdir venus-work/p.fertser/test-dir
pavel@paulfertser:~$ smbcacls-paul -k //venus/work p.fertser/test-dir
REVISION:1
CONTROL:0x8404
OWNER:WORK\P.Fertser
GROUP:WORK\Domain users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:WORK\P.Fertser:ALLOWED/I/FULL
ACL:CREATOR-OWNER:ALLOWED/OI|CI|IO|I/FULL
pavel@paulfertser:~$ smbcacls-paul -k //venus/work p.fertser/test-dir -M "ACL:WORK\P.Fertser:ALLOWED/I/FULL"
pavel@paulfertser:~$ smbcacls-paul -k //venus/work p.fertser/test-dir
REVISION:1
CONTROL:0x8404
OWNER:WORK\P.Fertser
GROUP:WORK\Domain users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:WORK\P.Fertser:ALLOWED/I/FULL
ACL:CREATOR-OWNER:ALLOWED/OI|CI|IO|I/FULL
pavel@paulfertser:~$ mkdir venus-work/p.fertser/test-dir/test-subdir
pavel@paulfertser:~$ smbcacls-paul -k //venus/work p.fertser/test-dir/test-subdir
REVISION:1
CONTROL:0x8404
OWNER:WORK\P.Fertser
GROUP:WORK\Domain users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:WORK\P.Fertser:ALLOWED/I/FULL
ACL:CREATOR-OWNER:ALLOWED/OI|CI|IO|I/FULL

As far as I understand, the latter is the correct behavior for w2k (and later) systems while the previous is nt4-like.
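The two runs in the typescript above, modelled in Python as an added example (this is not Samba code and not either patch). The bit values are the standard MS-DTYP ACE-flag and SECURITY_DESCRIPTOR control constants; the propagation rules for a new sub-directory are the Windows auto-inheritance rules as I understand them, trimmed to the cases the typescript exercises; the only input is the parent DACL copied from that output. `control_after_set` is modelled purely on what the output shows (0x8404 becoming 0x8004 after a set without SEC_DESC_DACL_AUTO_INHERIT_REQ), not on server code. The canonical-order check is the part of the Windows ACE order that clients complain about: explicit ACEs before inherited ones, and explicit DENIED before explicit ALLOWED.

```python
"""Model of the DACL inheritance shown in the typescript above (added example)."""
import re

# ACE inheritance flags (MS-DTYP ACE_HEADER.AceFlags), in smbcacls' spelling
OI, CI, NP, IO, I = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(OI, "OI"), (CI, "CI"), (NP, "NP"), (IO, "IO"), (I, "I")]

# Security descriptor control bits (MS-DTYP SECURITY_DESCRIPTOR.Control)
CONTROL_BITS = [
    (0x0004, "SE_DACL_PRESENT"),
    (0x0100, "SE_DACL_AUTO_INHERIT_REQ"),
    (0x0400, "SE_DACL_AUTO_INHERITED"),
    (0x1000, "SE_DACL_PROTECTED"),
    (0x8000, "SE_SELF_RELATIVE"),
]
SE_DACL_AUTO_INHERIT_REQ, SE_DACL_AUTO_INHERITED = 0x0100, 0x0400

CREATOR_OWNER = "CREATOR-OWNER"  # smbcacls' name for the generic SID S-1-3-0

# Constructed input: the parent directory's SD as printed by smbcacls above.
PARENT_LINES = r"""
REVISION:1
CONTROL:0x8404
OWNER:WORK\P.Fertser
GROUP:WORK\Domain users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:WORK\P.Fertser:ALLOWED/I/FULL
ACL:CREATOR-OWNER:ALLOWED/OI|CI|IO|I/FULL
""".strip().splitlines()


def parse_flags(text):
    """'OI|CI|I' -> 0x13, '0x0' -> 0."""
    if text.startswith("0x"):
        return int(text, 16)
    by_name = {name: bit for bit, name in FLAG_NAMES}
    return sum(by_name[t] for t in text.split("|"))


def format_flags(flags):
    """Inverse of parse_flags, in smbcacls' spelling."""
    return "|".join(name for bit, name in FLAG_NAMES if flags & bit) or "0x0"


def parse_sd(lines):
    """Return (control, [(sid, type, flags, mask), ...]) from smbcacls output."""
    control, aces = 0, []
    for line in lines:
        if line.startswith("CONTROL:"):
            control = int(line.split(":", 1)[1], 16)
        m = re.match(r"ACL:(.+):(ALLOWED|DENIED)/([^/]+)/(\w+)$", line.strip())
        if m:
            aces.append((m.group(1), m.group(2), parse_flags(m.group(3)), m.group(4)))
    return control, aces


def render(aces):
    return ["ACL:%s:%s/%s/%s" % (s, k, format_flags(f), m) for s, k, f, m in aces]


def describe_control(control):
    return [name for bit, name in CONTROL_BITS if control & bit]


def control_after_set(control, request_control):
    """Modelled from the typescript, not from server code: a set without
    SE_DACL_AUTO_INHERIT_REQ in the request leaves the stored control without
    SE_DACL_AUTO_INHERITED (0x8404 -> 0x8004); with it, the bit is kept."""
    if request_control & SE_DACL_AUTO_INHERIT_REQ:
        return control | SE_DACL_AUTO_INHERITED
    return control & ~SE_DACL_AUTO_INHERITED


def inherit_to_container(parent_aces, child_owner, auto_inherit=True):
    """DACL a new sub-directory receives from parent_aces.

    auto_inherit=True:  w2k+ behaviour, every copy carries INHERITED_ACE ("I").
    auto_inherit=False: nt4-style copies without "I", as in the unpatched run.
    """
    inh = I if auto_inherit else 0
    child = []
    for sid, kind, flags, mask in parent_aces:
        if not flags & (OI | CI):
            continue                      # not inheritable (e.g. the owner's own "I"-only ACE)
        if sid == CREATOR_OWNER:
            # Generic SID: an effective copy for the real owner, plus the
            # placeholder itself so it keeps propagating.  The typescript shows
            # the placeholder keeping "I" even in the nt4-style run.
            child.append((child_owner, kind, inh, mask))
            child.append((sid, kind, flags | I, mask))
        elif not flags & CI:
            if flags & NP:
                continue                  # OI+NP on a container: nothing to apply or pass on
            child.append((sid, kind, OI | IO | inh, mask))  # for files below, not this dir
        elif flags & NP:
            child.append((sid, kind, inh, mask))             # applies here, stops propagating
        else:
            child.append((sid, kind, (flags & (OI | CI)) | inh, mask))  # IO cleared: effective now
    return child


def is_canonical(aces):
    """Explicit (non-inherited) ACEs before inherited ones, and among the
    explicit ones every DENIED before every ALLOWED.  Inheritance depth is not
    visible in smbcacls output, so order inside the inherited run is not checked."""
    seen_inherited = seen_explicit_allow = False
    for _, kind, flags, _ in aces:
        if flags & I:
            seen_inherited = True
        elif seen_inherited:
            return False                  # explicit ACE after an inherited one
        elif kind == "ALLOWED":
            seen_explicit_allow = True
        elif seen_explicit_allow:
            return False                  # explicit DENIED after an explicit ALLOWED
    return True


if __name__ == "__main__":
    control, parent = parse_sd(PARENT_LINES)
    print(describe_control(control), "canonical:", is_canonical(parent))
    for mode in (True, False):
        print("auto_inherit=%s" % mode)
        for line in render(inherit_to_container(parent, r"WORK\P.Fertser", mode)):
            print(" ", line)
```

Running it reproduces both sub-directory listings from the typescript: with auto-inheritance the copies of the SYSTEM and Administrators ACEs keep "I" and the owner gets a fresh "I"-only ACE substituted from CREATOR-OWNER; without it the same ACEs come out as OI|CI and 0x0, which is what the Windows client then treats as explicit (and therefore mis-ordered) entries.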