From b00d9d245390a54c5b057915472e0e8b3a7f6bb9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 20 Jun 2013 14:33:30 -0700 Subject: Use existing "acl map full control" parameter to control the adding of the DELETE_CHILD parameter on NFSv4/ZFS/GPFS file ACE's. Windows maps an open request of GENERIC_ALL on files to 0x1FF specific bits, which includes DELETE_CHILD even though this has no meaning on file ACE's. If a returned NFSv4 ACE entry for a file has all other specific bits set except for DELETE (which comes from the containing directory) and DELETE_CHILD (which has no meaning) then optionally add it into the returned ACE entry. This is using the same parameter in the same way as it is currently used in smbd/posix_acls.c. Note that as this parameter is on by default, it is already being tested in the existing raw.acl tests. Fixes issue with Microsoft SMB2 torture test suite found at the interop event in Redmond, WA. Signed-off-by: Jeremy Allison Reviewed-by: Ira Cooper --- source3/modules/nfs4_acls.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index 13e9268f80..255741c868 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -61,6 +61,7 @@ typedef struct _smbacl4_vfs_params { enum smbacl4_mode_enum mode; bool do_chown; enum smbacl4_acedup_enum acedup; + bool map_full_control; } smbacl4_vfs_params; /* @@ -94,11 +95,13 @@ static int smbacl4_get_vfs_params( params->acedup = (enum smbacl4_acedup_enum)lp_parm_enum( SNUM(conn), type_name, "acedup", enum_smbacl4_acedups, e_dontcare); + params->map_full_control = lp_acl_map_full_control(SNUM(conn)); - DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s\n", + DEBUG(10, ("mode:%s, do_chown:%s, acedup: %s map full control:%s\n", enum_smbacl4_modes[params->mode].name, params->do_chown ? "true" : "false", - enum_smbacl4_acedups[params->acedup].name)); + enum_smbacl4_acedups[params->acedup].name, + params->map_full_control ? "true" : "false")); return 0; } @@ -383,6 +386,18 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, ace->aceMask |= SMB_ACE4_DELETE_CHILD; } + if (!is_directory && params->map_full_control) { + /* + * Do we have all access except DELETE_CHILD + * (not caring about the delete bit). + */ + uint32_t test_mask = ((ace->aceMask|SMB_ACE4_DELETE|SMB_ACE4_DELETE_CHILD) & + SMB_ACE4_ALL_MASKS); + if (test_mask == SMB_ACE4_ALL_MASKS) { + ace->aceMask |= SMB_ACE4_DELETE_CHILD; + } + } + win_ace_flags = map_nfs4_ace_flags_to_windows_ace_flags( ace->aceFlags); if (!is_directory && -- cgit