8 files changed, 11 insertions, 155 deletions

diff --git a/docs-xml/smbdotconf/vfs/aclcompatibility.xml b/docs-xml/smbdotconf/vfs/aclcompatibility.xml
deleted file mode 100644
index 95f42cfe2a..0000000000
--- a/docs-xml/smbdotconf/vfs/aclcompatibility.xml
+++ /dev/null
@@ -1,17 +0,0 @@
-<samba:parameter name="acl compatibility"
-                 context="G"
-				 type="enum"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-	<para>This parameter specifies what OS ACL semantics should 
-	be compatible with. Possible values are <emphasis>winnt</emphasis> for Windows NT 4, 
-	<emphasis>win2k</emphasis> for Windows 2000 and above and <emphasis>auto</emphasis>.
-	If you specify <emphasis>auto</emphasis>, the value for this parameter 
-	will be based upon the version of the client. There should 
-	be no reason to change this parameter from the default.</para>
-</description>
-
-<value type="default">Auto</value>
-<value type="example">win2k</value>
-</samba:parameter>
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index d5cd0181c5..94652fad89 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -266,7 +266,6 @@ FN_GLOBAL_CONST_STRING(winbindd_socket_directory, szWinbinddSocketDirectory)
 FN_GLOBAL_CONST_STRING(winbind_separator, szWinbindSeparator)
 FN_GLOBAL_CONST_STRING(workgroup, szWorkgroup)
 FN_GLOBAL_CONST_STRING(wtmpdir, szWtmpDir)
-FN_GLOBAL_INTEGER(acl_compatibility, iAclCompat)
 FN_GLOBAL_INTEGER(afs_token_lifetime, iAfsTokenLifetime)
 FN_GLOBAL_INTEGER(algorithmic_rid_base, AlgorithmicRidBase)
 FN_GLOBAL_INTEGER(allow_dns_updates, allow_dns_updates)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 01f65fef97..a73cd966bc 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -180,16 +180,6 @@ static const struct enum_list enum_kerberos_method[] = {
 	{-1, NULL}
 };
 
-
-/* ACL compatibility options. */
-static const struct enum_list enum_acl_compat_vals[] = {
-    { ACL_COMPAT_AUTO, "auto" },
-    { ACL_COMPAT_WINNT, "winnt" },
-    { ACL_COMPAT_WIN2K, "win2k" },
-    { -1, NULL}
-};
-
-
 static const struct enum_list enum_printing[] = {
 	{PRINT_SYSV, "sysv"},
 	{PRINT_AIX, "aix"},
@@ -1459,15 +1449,6 @@ static struct parm_struct parm_table[] = {
 		.flags		= FLAG_ADVANCED,
 	},
 	{
-		.label		= "acl compatibility",
-		.type		= P_ENUM,
-		.p_class	= P_GLOBAL,
-		.offset		= GLOBAL_VAR(iAclCompat),
-		.special	= NULL,
-		.enum_list	= enum_acl_compat_vals,
-		.flags		= FLAG_ADVANCED | FLAG_SHARE | FLAG_GLOBAL,
-	},
-	{
 		.label		= "defer sharing violations",
 		.type		= P_BOOL,
 		.p_class	= P_GLOBAL,
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 7c5a5a7346..5f3d937ee0 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1068,7 +1068,6 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
 const char *lp_template_homedir(void);
 const char *lp_template_shell(void);
 const char *lp_winbind_separator(void);
-int lp_acl_compatibility(void);
 bool lp_winbind_enum_users(void);
 bool lp_winbind_enum_groups(void);
 bool lp_winbind_use_default_domain(void);
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 74ea257d36..b8e0d4aba4 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -1059,24 +1059,6 @@ static void merge_aces( canon_ace **pp_list_head, bool dir_acl)
 }
 
 /****************************************************************************
- Check if we need to return NT4.x compatible ACL entries.
-****************************************************************************/
-
-bool nt4_compatible_acls(void)
-{
-	int compat = lp_acl_compatibility();
-
-	if (compat == ACL_COMPAT_AUTO) {
-		enum remote_arch_types ra_type = get_remote_arch();
-
-		/* Automatically adapt to client */
-		return (ra_type <= RA_WINNT);
-	} else
-		return (compat == ACL_COMPAT_WINNT);
-}
-
-
-/****************************************************************************
  Map canon_ace perms to permission bits NT.
  The attr element is not used here - we only process deny entries on set,
  not get. Deny entries are implicit on get with ace->perms = 0.
@@ -1107,10 +1089,7 @@ uint32_t map_canon_ace_perms(int snum,
 		 * to be changed in the future.
 		 */
 
-		if (nt4_compatible_acls())
-			nt_mask = UNIX_ACCESS_NONE;
-		else
-			nt_mask = 0;
+		nt_mask = 0;
 	} else {
 		if (directory_ace) {
 			nt_mask |= ((perms & S_IRUSR) ? UNIX_DIRECTORY_ACCESS_R : 0 );
@@ -1954,26 +1933,6 @@ static bool create_canon_ace_lists(files_struct *fsp,
 			DEBUG(3,("create_canon_ace_lists: unable to set anything but an ALLOW or DENY ACE.\n"));
 			return False;
 		}
-
-		if (nt4_compatible_acls()) {
-			/*
-			 * The security mask may be UNIX_ACCESS_NONE which should map into
-			 * no permissions (we overload the WRITE_OWNER bit for this) or it
-			 * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
-			 * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
-			 */
-
-			/*
-			 * Convert GENERIC bits to specific bits.
-			 */
- 
-			se_map_generic(&psa->access_mask, &file_generic_mapping);
-
-			psa->access_mask &= (UNIX_ACCESS_NONE|FILE_ALL_ACCESS);
-
-			if(psa->access_mask != UNIX_ACCESS_NONE)
-				psa->access_mask &= ~UNIX_ACCESS_NONE;
-		}
 	}
 
 	/*
@@ -3164,22 +3123,6 @@ static bool set_canon_ace_list(files_struct *fsp,
 }
 
 /****************************************************************************
- Find a particular canon_ace entry.
-****************************************************************************/
-
-static struct canon_ace *canon_ace_entry_for(struct canon_ace *list, SMB_ACL_TAG_T type, struct unixid *id)
-{
-	while (list) {
-		if (list->type == type && ((type != SMB_ACL_USER && type != SMB_ACL_GROUP) ||
-				(type == SMB_ACL_USER  && id && id->id == list->unix_ug.id) ||
-				(type == SMB_ACL_GROUP && id && id->id == list->unix_ug.id)))
-			break;
-		list = list->next;
-	}
-	return list;
-}
-
-/****************************************************************************
  
 ****************************************************************************/
 
@@ -3461,55 +3404,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
 			canon_ace *ace;
 			enum security_ace_type nt_acl_type;
 
-			if (nt4_compatible_acls() && dir_ace) {
-				/*
-				 * NT 4 chokes if an ACL contains an INHERIT_ONLY entry
-				 * but no non-INHERIT_ONLY entry for one SID. So we only
-				 * remove entries from the Access ACL if the
-				 * corresponding Default ACL entries have also been
-				 * removed. ACEs for CREATOR-OWNER and CREATOR-GROUP
-				 * are exceptions. We can do nothing
-				 * intelligent if the Default ACL contains entries that
-				 * are not also contained in the Access ACL, so this
-				 * case will still fail under NT 4.
-				 */
-
-				ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
-				if (ace && !ace->perms) {
-					DLIST_REMOVE(dir_ace, ace);
-					TALLOC_FREE(ace);
-
-					ace = canon_ace_entry_for(file_ace, SMB_ACL_OTHER, NULL);
-					if (ace && !ace->perms) {
-						DLIST_REMOVE(file_ace, ace);
-						TALLOC_FREE(ace);
-					}
-				}
-
-				/*
-				 * WinNT doesn't usually have Creator Group
-				 * in browse lists, so we send this entry to
-				 * WinNT even if it contains no relevant
-				 * permissions. Once we can add
-				 * Creator Group to browse lists we can
-				 * re-enable this.
-				 */
-
-#if 0
-				ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
-				if (ace && !ace->perms) {
-					DLIST_REMOVE(dir_ace, ace);
-					TALLOC_FREE(ace);
-				}
-#endif
-
-				ace = canon_ace_entry_for(file_ace, SMB_ACL_GROUP_OBJ, NULL);
-				if (ace && !ace->perms) {
-					DLIST_REMOVE(file_ace, ace);
-					TALLOC_FREE(ace);
-				}
-			}
-
 			num_acls = count_canon_ace_list(file_ace);
 			num_def_acls = count_canon_ace_list(dir_ace);
 
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index aae4bd02db..f95fddd0c6 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -703,7 +703,6 @@ void reply_pipe_read_and_X(struct smb_request *req);
 /* The following definitions come from smbd/posix_acls.c  */
 
 void create_file_sids(const SMB_STRUCT_STAT *psbuf, struct dom_sid *powner_sid, struct dom_sid *pgroup_sid);
-bool nt4_compatible_acls(void);
 uint32_t map_canon_ace_perms(int snum,
                                 enum security_ace_type *pacl_type,
                                 mode_t perms,
diff --git a/source4/libcli/pysmb.c b/source4/libcli/pysmb.c
index 1122305c28..fb981c7f18 100644
--- a/source4/libcli/pysmb.c
+++ b/source4/libcli/pysmb.c
@@ -317,10 +317,11 @@ static PyObject *py_smb_getacl(pytalloc_Object *self, PyObject *args, PyObject *
 	union smb_fileinfo fio;
 	struct smb_private_data *spdata;
 	const char *filename;
-	int sinfo = 0;
+	uint32_t sinfo = 0;
+	int access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 	int fnum;
 
-	if (!PyArg_ParseTuple(args, "s|i:get_acl", &filename, &sinfo)) {
+	if (!PyArg_ParseTuple(args, "s|Ii:get_acl", &filename, &sinfo, &access_mask)) {
 		return NULL;
 	}
 
@@ -331,7 +332,7 @@ static PyObject *py_smb_getacl(pytalloc_Object *self, PyObject *args, PyObject *
 	io.generic.level = RAW_OPEN_NTCREATEX;
 	io.ntcreatex.in.root_fid.fnum = 0;
 	io.ntcreatex.in.flags = 0;
-	io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+	io.ntcreatex.in.access_mask = access_mask;
 	io.ntcreatex.in.create_options = 0;
 	io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
 	io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | 
diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py
index f949ab47b3..652721f4f1 100644
--- a/source4/scripting/python/samba/tests/posixacl.py
+++ b/source4/scripting/python/samba/tests/posixacl.py
@@ -92,7 +92,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_smbd_invalidate_getntacl_smbd(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
+        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x001200a9;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         os.chmod(self.tempf, 0750)
         setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
 
@@ -122,7 +122,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
 
     def test_setntacl_smbd_setposixacl_getntacl_smbd(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
+        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
         smbd.set_simple_acl(self.tempf, 0640)
@@ -133,7 +133,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
     def test_setntacl_smbd_setposixacl_group_getntacl_smbd(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
         BA_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
-        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;WO;;;WD)"
+        simple_acl_from_posix = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;;0x001f019f;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;0x00120089;;;BA)(A;;0x00120089;;;S-1-5-21-2212615479-2695158682-2101375467-513)(A;;;;;WD)"
         setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
         # This invalidates the hash of the NT acl just set because there is a hook in the posix ACL set code
         s4_passdb = passdb.PDB(self.lp.get("passdb backend"))
@@ -193,7 +193,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         user_SID = s4_passdb.uid_to_sid(os.stat(self.tempf).st_uid)
         smbd.set_simple_acl(self.tempf, 0640)
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
-        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
+        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(acl, facl.as_sddl(anysid))
 
@@ -210,7 +210,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         smbd.chown(self.tempdir, BA_id, SO_id)
         smbd.set_simple_acl(self.tempdir, 0750)
         facl = getntacl(self.lp, self.tempdir, direct_db_access=False)
-        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;WO;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)"
+        acl = "O:BAG:SOD:(A;;0x001f01ff;;;BA)(A;;0x001200a9;;;SO)(A;;;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001f01ff;;;CG)(A;OICIIO;0x001f01ff;;;WD)"
 
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(acl, facl.as_sddl(anysid))
@@ -225,7 +225,7 @@ class PosixAclMappingTests(TestCaseInTempDir):
         smbd.set_simple_acl(self.tempf, 0640, BA_gid)
         facl = getntacl(self.lp, self.tempf, direct_db_access=False)
         domsid = passdb.get_global_sam_sid()
-        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;WO;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
+        acl = "O:%sG:%sD:(A;;0x001f019f;;;%s)(A;;0x00120089;;;BA)(A;;0x00120089;;;%s)(A;;;;;WD)" % (user_SID, group_SID, user_SID, group_SID)
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(acl, facl.as_sddl(anysid))