[Samba] Permissions incorrectly ordered on Windows after disabling inheritance

Walkes, Dan dwalkes at tandbergdata.com
Thu Aug 30 23:25:40 MDT 2012 

On Thu, Aug 30, 2012 at 17:52:08, Jeremy Allison wrote:
> On Thu, Aug 30, 2012 at 05:09:10PM -0600, Walkes, Dan wrote:
> > On Wed, Aug 29, 2012 at 21:45:24, Jeremy Allison wrote:
> > > On Fri, Aug 24, 2012 at 11:08:53AM -0600, Walkes, Dan wrote:
> > > > Hi everyone,
> > > >
> > > > I've noticed a problem with Debian wheezy + samba 3.6.6 
> > > > configured with acl_xattr in my configuration.  The following 
> > > > test sequence causes Windows Explorer to report incorrectly 
> > > > ordered permission
> > entries:
> > > > 1)	Map a share as with "admin" user credentials  to a drive
letter
> > > > on a Windows client
> > > > 2)	Create a folder at the root of the share "rootfolder"
> > > > 3)	Create a subfolder "subfolder1" under "rootfolder"
> > > > 4)	Un-check "Include inheritable permissions from this
object's
> > > > parent" in the windows security settings dialog for Windows 
> > > > Explorer
> >
> > > > on the root folder
> > > > 5)	Create a subfolder "subfolder2" under "subfolder1"
> > > > 6)	Right-click with Windows Explorer and attempt to edit
the
> > > > permissions of "subfolder2".  Windows Explorer pops up a message

> > > > stating "The permissions on subfolder2 are incorrectly ordered, 
> > > > which may cause some entries to be ineffective."
> > >
> > > FYI, the complete and correct fix for this ifor 3.6.next s now
> > attached to bug :
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=9124
> > >
> > > as a patch. Please test (it fixes the problem here). Thanks for 
> > > reporting this, the same code will go into master as soon as I've 
> > > finished wrestling with autobuild :-).
> > >
> >
> > Thanks Jeremy.  I've tested today.  I can confirm it fixes the 
> > incorrect ordering issue and sequence 1-6 works for me.  I can also 
> > confirm that after removing inheritance on a root folder from 
> > windows the I flag is set for all permissions on subfolders as 
> > expected.  I did notice however that in my case if I never modify 
> > permissions or change permissions from Windows Explorer the I flag 
> > is still not set on inherited permissions, at least with my
configuration.
> 
> Actually this is what you'd expect with a security descriptor type of
:
> CONTROL:0x8004
> 
> (SEC_DESC_SELF_RELATIVE          = 0x8000|
>  SEC_DESC_DACL_PRESENT           = 0x0004).
> 
> On Windows you'll probably have :
> 
> CONTROL:0x8404
> 
> (SEC_DESC_SELF_RELATIVE          = 0x8000|
>  SEC_DESC_DACL_AUTO_INHERITED    = 0x0400|
>  SEC_DESC_DACL_PRESENT           = 0x0004).
> 
> which explains the difference. If you set a security descriptor on 
> rootfolder/ from the Windows client and end up with CONTROL:0x8404, 
> then whenever you create subfolders/files below that you'll see the
"INHERITED"
> bit (that's what the patch solves).
> 
> Jeremy.

Yes this explains it.  Thanks for your help.

More information about the samba mailing list