2 files changed, 17 insertions, 14 deletions

diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index 1bb25e8651..c271d292b5 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -94,9 +94,18 @@
 #define GROUP_SECURITY_INFORMATION	0x00000002
 #define DACL_SECURITY_INFORMATION	0x00000004
 #define SACL_SECURITY_INFORMATION	0x00000008
+/* Extra W2K flags. */
+#define UNPROTECTED_SACL_SECURITY_INFORMATION	0x10000000
+#define UNPROTECTED_DACL_SECURITY_INFORMATION	0x20000000
+#define PROTECTED_SACL_SECURITY_INFORMATION	0x40000000
+#define PROTECTED_DACL_SECURITY_INFORMATION	0x80000000
 
 #define ALL_SECURITY_INFORMATION (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|\
-									DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION)
+					DACL_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION\
+					UNPROTECTED_SACL_SECURITY_INFORMATION|\
+					UNPROTECTED_DACL_SECURITY_INFORMATION|\
+					PROTECTED_SACL_SECURITY_INFORMATION|\
+					PROTECTED_DACL_SECURITY_INFORMATION)
 
 /* Globally Unique ID */
 #define  GUID_SIZE 16
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 9773076a46..12eef46595 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -2324,20 +2324,8 @@ size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
 					DLIST_REMOVE(file_ace, ace);
 					SAFE_FREE(ace);
 				}
-			} else {
-	
-				ace = canon_ace_entry_for(dir_ace, SMB_ACL_OTHER, NULL);
-				if (ace && !ace->perms) {
-					DLIST_REMOVE(dir_ace, ace);
-					SAFE_FREE(ace);
-				}
-				ace = canon_ace_entry_for(dir_ace, SMB_ACL_GROUP_OBJ, NULL);
-				if (ace && !ace->perms) {
-					DLIST_REMOVE(dir_ace, ace);
-					SAFE_FREE(ace);
-				}
 			}
-	
+
 			num_acls = count_canon_ace_list(file_ace);
 			num_dir_acls = count_canon_ace_list(dir_ace);
 
@@ -2424,6 +2412,11 @@ size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
 		DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
 		sd_size = 0;
 	} else {
+#if 1
+		/*
+		 * JRA. Setting this flag causes W2K clients not to
+		 * propagate ACL sets down a directory tree correctly.
+		 */
 		/*
 		 * Windows 2000: The DACL_PROTECTED flag in the security
 		 * descriptor marks the ACL as non-inheriting, i.e., no
@@ -2434,6 +2427,7 @@ size_t get_nt_acl(files_struct *fsp, uint32 security_info, SEC_DESC **ppdesc)
 		 * flag doesn't seem to bother Windows NT.
 		 */
 		(*ppdesc)->type |= SE_DESC_DACL_PROTECTED;
+#endif
 	}
 
  done: