[SCM] Samba Shared Repository - branch v4-11-test updated

Karolin Seeger kseeger at samba.org
Mon Aug 26 08:52:09 UTC 2019


The branch, v4-11-test has been updated
       via  c6d784debd8 vfs_glusterfs: Enable profiling for file system operations
       via  53f828969d0 vfs_glusterfs: initialize st_ex_file_id, st_ex_itime and st_ex_iflags
       via  900cc33accf vfs_default: use correct flag in vfswrap_fs_file_id
       via  756bea42e0c ctdb-tools: Drop 'o' option from getopts command
       via  80bd467affb ldb: Release ldb 2.0.6
       via  d819a1c2050 ldb: Free memory when repacking database
       via  18fb5fb911d ldb: Log the partition we're repacking
       via  1c2f1bd04ab ldb: Log pack format in user-friendly way
       via  6de3d8f7ce0 ldb: Change pack format defines to enum
       via  b99fff86ebb ldb: Move where we update the pack format version
       via  70726f2dfba ldb: Always log when the database pack format changes
       via  b3987205fe2 downgradedatabase: installing script
       via  309ec3b63c5 downgradedatabase: Add man-page documentation
       via  a1b3796b564 downgradedatabase: rename to samba_downgrade_db
       via  7a8f68f6150 tests: Avoid hardcoding relative filepath
       via  be508cda25d downgradedatabase: comply with samba.tests.source
       via  d18896d1998 vfs_gpfs: Implement special case for denying owner access to ACL
       via  39495b14cdd vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function
       via  90ddc22ea55 docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage
       via  7c90ecdb15c vfs_gpfs: Remove merge_writeappend parameter
       via  d186689038c nfs4_acls: Use correct owner information for ACL after owner change
       via  77052fbc65a nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL
       via  78d426fb0d4 nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL
       via  7d40b00bac8 nfs4_acls: Rename smbacl4_fill_ace4 function
       via  8ac9c1f75f3 nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH
       via  01e913caf03 nfs4_acls: Remove redundant pointer variable
       via  b3aad3426a8 nfs4_acls: Remove redundant logging from smbacl4_fill_ace4
       via  693aa2dbfc8 nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4
       via  d806dba002c nfs4_acls: Move smbacl4_MergeIgnoreReject function
       via  428579d3fde nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject
       via  d5965e3a43f nfs4_acls: Add missing braces in smbacl4_win2nfs4
       via  6661fecf267 nfs4_acls: Add helper function for checking INHERIT flags.
       via  e08f9b24097 nfs4_acls: Use correct type when checking ownerGID
       via  b1b8e37881f nfs4_acls: Use switch/case for checking idmap type
       via  6d88ab39e8e nfs4_acls: Use sids_to_unixids to lookup uid or gid
       via  0313f1552f9 test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH
       via  7d73c37ae7b test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH
       via  2de4919e8a3 test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special
       via  d3a9648eb63 test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special
       via  4022997f030 test_nfs4_acls: Add test for matching DACL entries for acedup
       via  490d13557a4 test_nfs4_acls: Add test for acedup settings
       via  31d60e8cf2c test_nfs4_acls: Add test for 'map full control' option
       via  61002278b80 test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries
       via  4e46dbc7749 test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries
       via  aa466a0104d test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries
       via  dda9e525c55 test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries
       via  368c370dc2f test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL
       via  014ae431e64 test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL
       via  ec532e3ed55 test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL
       via  c1eb8ec5c33 test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL
       via  4120b8dcbe8 test_nfs4_acls: Add tests for mapping of ACL types
       via  526da3f215a test_nfs4_acls: Add tests for mapping of empty ACLs
       via  88b0461ca0d selftest: Start implementing unit test for nfs4_acls
       via  9e82d8ae7fa nfs4_acls: Remove fsp from smbacl4_win2nfs4
       via  72d79334a53 Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
      from  ea38596181c VERSION: Bump version up to 4.11.0rc3...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test


- Log -----------------------------------------------------------------
commit c6d784debd8a9f9e576397a628de1e581aa7adbc
Author: Anoop C S <anoopcs at redhat.com>
Date:   Mon Aug 5 10:45:01 2019 +0530

    vfs_glusterfs: Enable profiling for file system operations
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14093
    
    Signed-off-by: Anoop C S <anoopcs at redhat.com>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Aug 20 19:25:28 UTC 2019 on sn-devel-184
    
    Autobuild-User(v4-11-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-11-test): Mon Aug 26 08:51:55 UTC 2019 on sn-devel-184

commit 53f828969d0fde5cabd61e5a260a887c53fdc872
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Aug 14 10:11:15 2019 +0200

    vfs_glusterfs: initialize st_ex_file_id, st_ex_itime and st_ex_iflags
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14090
    RN: vfs_glusterfs: initialize st_ex_file_id, st_ex_itime and st_ex_iflags
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Aug 16 01:07:23 UTC 2019 on sn-devel-184
    
    (cherry picked from commit 3ee78cc9979a72ebbe65a16c60967a1735a0d208)

commit 900cc33accf07f5c80c941b7dc74e374185e2808
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Aug 14 10:06:00 2019 +0200

    vfs_default: use correct flag in vfswrap_fs_file_id
    
    Luckily using the wrong flag ST_EX_IFLAG_CALCULATED_ITIME currently results in
    the same semantics as using the correct ST_EX_IFLAG_CALCULATED_FILE_ID, as in
    vfs_default the non-calculated file_id is based a non-calculated itime.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14089
    RN: vfs_default: use correct flag in vfswrap_fs_file_id
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 442a7c9ad8b020b2e88e41fea8a911d244023cb9)

commit 756bea42e0c051580330680dd6350cefb102a21c
Author: Martin Schwenke <martin at meltin.net>
Date:   Mon Aug 12 16:11:13 2019 +1000

    ctdb-tools: Drop 'o' option from getopts command
    
    Commit 90de5e0594b9180226b9a13293afe31f18576b3d remove the processing
    for this option but forgot to remove it from the getopts command.
    
    Versions of ShellCheck >= 0.4.7 warn on this, so it is worth fixing.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14086
    RN: Fix onnode test failure with ShellCheck >= 0.4.7
    Signed-off-by: Martin Schwenke <martin at meltin.net>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>
    (cherry picked from commit 758962a0d435fa595e3917b860a8fd266d122550)

commit 80bd467affbda1d962f4deb3caa8a42c6531425d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Aug 23 12:02:05 2019 +1200

    ldb: Release ldb 2.0.6
    
     * log database repack so users know what is happening
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit d819a1c20503484b3624aeda426a37912a4ee692
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jul 31 10:54:29 2019 +1200

    ldb: Free memory when repacking database
    
    The msg for each database record is allocated on the module context, but
    never freed. The module seems like it could be a long-running context (as
    the database would normally get repacked by the samba executable).
    
    Even if it's not a proper leak, it shouldn't hurt to cleanup the memory.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
    Autobuild-User(master): Garming Sam <garming at samba.org>
    Autobuild-Date(master): Tue Aug 20 04:57:10 UTC 2019 on sn-devel-184
    
    (cherry picked from commit b6516dbd24df8c78ed909c7ef9058b0844abb917)

commit 18fb5fb911d098701e4af732977310e48ed403a9
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jul 31 10:33:49 2019 +1200

    ldb: Log the partition we're repacking
    
    Firstly, with Samba AD this looks a little weird because we log the same
    message 5 times (once for every partition). If we log that we're doing
    this to records in different partitions, hopefully someone with a little
    Samba knowledge can figure out what's going on.
    
    Secondly, the info about what partitions are actually changing might be
    useful. E.g. if we hit a fatal error repacking the 3rd partition, and
    the transaction doesn't abort properly, then it would be useful to know
    what partitions were repacked and which ones weren't.
    
    There doesn't appear to be a useful name for the partition
    (ldb_kv->kv_ops->name() doesn't seem any more intelligible to a user),
    so just log the first record that we update. We can use that to infer
    the partition database).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit ee6537c29e747206ee607493ce15d4532fb670c8)

commit 1c2f1bd04abbedb3cfb31bb4a0ee4292c21dacc4
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jul 30 16:40:55 2019 +1200

    ldb: Log pack format in user-friendly way
    
    The "format 0x26011968" log confused me (and I'm a developer).
    We can subtract the base offset from the pack format to get a more
    user-friendly number, e.g. v0 (not actually used), v1, v2, etc.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit 5fee9388422e259c2a56e4dccbf44d22ba426ca3)

commit 6de3d8f7ce0f97810515b81f4da1a7cc1eb4a241
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jul 30 15:15:40 2019 +1200

    ldb: Change pack format defines to enum
    
    The main reason is so that any future pack formats will continue
    incrementing this number in a sequential fashion.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit 38e3e7cd328edac302e95ac8839e858c4a225485)

commit b99fff86ebb64e31fd3577164f55246705511c3b
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jul 30 15:02:25 2019 +1200

    ldb: Move where we update the pack format version
    
    Store it on the repack context so that we can log a more informative
    message "Repacking from format x to format y".
    
    While this is not really a big deal currently, it could be worth
    recording for potential future scenarios (i.e. supporting three or more
    pack versions), where upgrades could potentially skip an intermediary
    pack format version.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit d427bd6c775d8117504e76eed42cd2c383512e34)

commit 70726f2dfba3907ebc11b196aba61fe8358ac989
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Tue Jul 30 16:40:55 2019 +1200

    ldb: Always log when the database pack format changes
    
    LDB_DEBUG_WARNING gets logged by Samba as level 2, whereas the default
    log level for Samba is 0. It's not really fair to the user to change the
    format of their database on disk and potentially not tell them.
    
    This patch adds a log with level zero (using a alias define, as this
    technically isn't a fatal problem).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit a2b0fc7c00360f37ed6819f21380294b70d4a195)

commit b3987205fe2770bd88ae5ee8e10a85cebf662ac0
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Mon Jul 22 13:35:21 2019 +1200

    downgradedatabase: installing script
    
    Installing downgrade script so people don't need the source tree for it.
    
    Exception added in usage test because running the script without arguments
    is valid. (This avoids the need to knownfail it).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit 6dcf00ba0a470ba25aabae06b409ec95404c246f)

commit 309ec3b63c5d9f441bcc922e62c2f6a2c2907f62
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Mon Jul 22 13:35:21 2019 +1200

    downgradedatabase: Add man-page documentation
    
    A man-page is needed so that we can install this tool as part of the
    Samba package.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit c89df3862b17fad9c4648b5d9c6805120d732df8)

commit a1b3796b5643d7d727964751efb19675d5ee42c7
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Jul 29 13:39:04 2019 +1200

    downgradedatabase: rename to samba_downgrade_db
    
    Just so that it's slightly less of a mouthful for users.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit fdaaee8d3aac77d91642a7d75d4bcd15d4df8657)

commit 7a8f68f615034c696e90f86eb1670f4b100300fc
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Jul 29 13:35:08 2019 +1200

    tests: Avoid hardcoding relative filepath
    
    If we move the test file, the test will break.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit a8cdbe0b824f57f73eee09143148f009a9c58582)

commit be508cda25d97b825fef3d605938faa3726cde44
Author: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Date:   Mon Jul 22 15:29:03 2019 +1200

    downgradedatabase: comply with samba.tests.source
    
    In next commit we'll install the script, samba.tests.source picked up the
    lack of a copyright message and some whitespace errors, so this patch
    fixes that stuff first.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14059
    
    Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    (cherry picked from commit c4aebb15001c830a46d5a6ad8ea11a6f9ea4fd04)

commit d18896d19988b1096849c00a80dda42a727d5c4c
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 9 13:39:55 2019 -0700

    vfs_gpfs: Implement special case for denying owner access to ACL
    
    In GPFS, it is not possible to deny ACL or attribute access through a
    SPECIAL_OWNER entry. The best that can be done is mapping this to a
    named user entry, as this one can at least be stored in an ACL. The same
    cannot be done for inheriting SPECIAL_OWNER entries, as these represent
    CREATOR OWNER entries, and the limitation of not being able to deny
    owner access to ACL or attributes remains.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit c1770ed96fd3137f45d584ba9328333d5505e3af)

commit 39495b14cdd228c842666222952ad789e63977ef
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 9 13:08:35 2019 -0700

    vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function
    
    This is not functional change. It cleans up the code a bit and makes
    expanding this codepath in a later patch easier.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit fbf3a090a9ec94262b2924461cc1d6336af9919c)

commit 90ddc22ea5552b7d3a2c4cc7cb1b75e3ef1e52f2
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Jul 10 11:06:19 2019 -0700

    docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 8bd79ecc37376dbaa35606f9c2777653eb3d55e3)

commit 7c90ecdb15cc6d572a37c2d435b6c7d86559d944
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 9 12:04:35 2019 -0700

    vfs_gpfs: Remove merge_writeappend parameter
    
    All supported GPFS versions now support setting WRITE and APPEND in the
    ACLs independently. Remove this now unused parameter to simplify the
    code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 0aca678fcf1788a76cf0ff11399211c795aa7d2f)

commit d186689038c5f807b092f63d7f89fd6b6dd95241
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Jul 17 15:29:06 2019 -0700

    nfs4_acls: Use correct owner information for ACL after owner change
    
    After a chown, the cached stat data is obviously no longer valid. The
    code in smb_set_nt_acl_nfs4 checked the file correctly, but did only use
    a local buffer for the stat data. So later checks of the stat buffer
    under the fsp->fsp_name->st would still see the old information.
    
    Fix this by removing the local stat buffer and always update the one
    under fsp->fsp_name->st.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 86f7af84f04b06ed96b30f936ace92aa0937be06)

commit 77052fbc65a375dc5a3dda4ac9d212b808ca802f
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Jul 10 13:14:32 2019 -0700

    nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL
    
    The previous patch introduced merging of duplicates on the mapping path
    from NFS4 ACL entries to DACL entries. Add a testcase to verify the
    expected behavior of this codepath.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 1a137a2f20c2f159c5feaef230a2b85bb9fb23b5)

commit 78d426fb0d4f9332e9c0a084993b5f2f5e0cdc40
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 15:08:11 2019 -0700

    nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL
    
    The previous patch added an additional entry for IDMAP_TYPE_BOTH. When
    mapping back to a DACL, there should be no additional entry. Add a loop
    that will check and remove entries that are exact duplicates.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 9c88602128592ddad537bf70cbe3c51f0b2cebe5)

commit 7d40b00bac82d8cd185850aa1b8a13c5f79848d7
Author: Christof Schmitt <cs at samba.org>
Date:   Thu Jul 18 11:49:29 2019 -0700

    nfs4_acls: Rename smbacl4_fill_ace4 function
    
    As this function now maps the ACE and also adds it to the NFSv4 ACE,
    change the name to better describe its behavior.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 169812943de23cf2752289c63331d786b0b063bd)

commit 8ac9c1f75f3f01370c9dba5d570f95c48e2029b4
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Jul 17 10:49:47 2019 -0700

    nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH
    
    With IDMAP_TYPE_BOTH, all entries have to be mapped to group entries.
    In order to have the file system reflect the owner permissions in the
    POSIX modebits, create a second entry for the user. This will be mapped
    to the "special owner" entry.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit b796119e2df38d1935064556934dd10da6f3d339)

commit 01e913caf03078b06592f6b66b737223896b4385
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 16 15:56:12 2019 -0700

    nfs4_acls: Remove redundant pointer variable
    
    The previous patch introduced a pointer to a local variable to reduce
    the amount of lines changed. Remove that pointer and adjust all usage
    accordingly.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit aa4644193635d846c2e08e8c1e7b512e8009c2ef)

commit b3aad3426a87d41e0fc51129a9ef2d22a4e86ab3
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 16 15:50:36 2019 -0700

    nfs4_acls: Remove redundant logging from smbacl4_fill_ace4
    
    Logging flags in case they do not match seems unnecessary. Other log
    messages should show the flags as well.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7ab0003ffc098247c3ee3962d7061f2af5a2d00e)

commit 693aa2dbfc84631be913a364dad57a12dae3c5ba
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 16 15:30:36 2019 -0700

    nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit abb58b17599bd3f9a06037e208dcc5033c7fdd8b)

commit d806dba002c7ebe50e6b74fe2d43daadd0bbf05f
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 16 15:20:25 2019 -0700

    nfs4_acls: Move smbacl4_MergeIgnoreReject function
    
    This static function will be called earlier in later patches.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 3499d97463110f042415d917160bc2743805a544)

commit 428579d3fde2241a6280fae704dfda030397ff9c
Author: Christof Schmitt <cs at samba.org>
Date:   Mon Jul 15 14:43:01 2019 -0700

    nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject
    
    This is only used for logging of a rejected ACL, but does not provide
    additional useful information. Remove it to simplify the function a bit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 44790721e4f2c6ee6f46de7ac88123ce1a9f6e39)

commit d5965e3a43f097a04d6ef14467f31b0c1d05a3b9
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 13:20:44 2019 -0700

    nfs4_acls: Add missing braces in smbacl4_win2nfs4
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit ba73d2363d93a376ba4947963c9de45a7e683f02)

commit 6661fecf2676fc0ff30a86a2332be95fa76f89ed
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Jun 26 13:20:17 2019 -0700

    nfs4_acls: Add helper function for checking INHERIT flags.
    
    This avoids some code duplication. Do not make this static, as it will
    be used in a later patch.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmit <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 336e8668c1cc3682cb3c198eb6dc49baf522a79a)

commit e08f9b24097f8b5d08dcca3ee98017b114fcea99
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jun 25 15:21:06 2019 -0700

    nfs4_acls: Use correct type when checking ownerGID
    
    uid and gid are members of the same union so this makes no difference,
    but for type correctness and readability use the gid to check for
    ownerGID.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 3b3d722ce579c19c7b08d06a3adea275537545dc)

commit b1b8e37881f5583f5b7770c46a8db4162e614884
Author: Christof Schmitt <cs at samba.org>
Date:   Mon Jul 15 13:15:32 2019 -0700

    nfs4_acls: Use switch/case for checking idmap type
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit f198a0867e71f248d4887ab0b6f2832123b16d11)

commit 6d88ab39e8ed469a9279870d88b28c568ce3a687
Author: Christof Schmitt <cs at samba.org>
Date:   Wed Jun 26 13:24:16 2019 -0700

    nfs4_acls: Use sids_to_unixids to lookup uid or gid
    
    This is the newer API to lookup id mappings and will make it easier to
    add to the IDMAP_TYPE_BOTH case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit d9a2ff559e1ad953141b1118a9e370496f1f61fa)

commit 0313f1552f9665ed485aa2c7224f491be8511eff
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 13:04:44 2019 -0700

    test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH
    
    When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
    aware whether a particular entry is for a user or a group. The
    underlying assumption then is that is should not matter, as both the ACL
    mapping maps everything to NFSv4 ACL group entries and the user's token
    will contain gid entries for the groups.
    
    Add a testcase to verify that when mapping from DACLS to NFSv4 ACL
    entries with IDMAP_TYPE_BOTH, all entries are mapped as expected.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 38331b00521ef764893a74add01758f14567d901)

commit 7d73c37ae7bbc102dab469f5709b1a54de7a0a74
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 12:50:42 2019 -0700

    test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH
    
    When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not
    aware whether a particular entry is for a user or a group. The
    underlying assumption then is that is should not matter, as both the ACL
    mapping maps everything to NFSv4 ACL group entries and the user's token
    will contain gid entries for the groups.
    
    Add a testcase to verify that when mapping from NFSv4 ACL entries to
    DACLs with IDMAP_TYPE_BOTH, all entries are mapped as expected.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 86480410aec1d2331c65826a13f909492165a291)

commit 2de4919e8a33334cf7c10b9aa407f4c7cff4e53d
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 12:23:02 2019 -0700

    test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special
    
    The mapping code between NFSv4 ACLs and security descriptors still has
    the deprecated config setting "nfs4:mode = special". This should not be
    used as it has security problems: All entries matching owner or group
    are mapped to "special owner" or "special group", which can change its
    meaning when being inherited to a new file or directory with different
    owner and owning group.
    
    This mode should eventually be removed, but as long as it still exists
    add testcases to verify the expected behavior. This patch adds the
    testcase for "nfs4:mode = special" when mapping from the NFS4 ACL to the
    DACL in the security descriptor.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 829c5ea99685c0629fd67ed0528897534ff35b36)

commit d3a9648eb63a0624ba2c500ab0a1c477140912ec
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 12:16:08 2019 -0700

    test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special
    
    The mapping code between NFSv4 ACLs and security descriptors still has
    the deprecated config setting "nfs4:mode = special". This should not be
    used as it has security problems: All entries matching owner or group
    are mapped to "special owner" or "special group", which can change its
    meaning when being inherited to a new file or directory with different
    owner and owning group.
    
    This mode should eventually be removed, but as long as it still exists
    add testcases to verify the expected behavior. This patch adds the
    testcase for "nfs4:mode = special" when mapping from the DACL in the
    security descriptor to the NFSv4 ACL.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7ae06d96eb59722154d30e21949f9dba4f2f0bc6)

commit 4022997f0305ff39db9af2ecb24bd1a2aa9ee0a6
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 12:09:04 2019 -0700

    test_nfs4_acls: Add test for matching DACL entries for acedup
    
    The NFSv4 mapping code has a config option nfs4:acedup for the mapping
    path from DACLs to NFSv4 ACLs. Part of this codepath is detecting
    duplicate ACL entries. Add a testcase with different ACL entries and
    verify that only exactly matching entries are detected as duplicates and
    treated accordingly.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit f55cdf42a14f314102f2e13cb06d4db48c08ad4b)

commit 490d13557a4c2bd7046c85080930c0fc9d0d7ee0
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 12:07:36 2019 -0700

    test_nfs4_acls: Add test for acedup settings
    
    The NFSv4 ACL mapping code has a setting nfs4:acedup. Depending on the
    setting, when mapping from DACLs to NFSv4 ACLs, duplicate ACL entries
    are either merged, ignored or rejected. Add a testcase that has
    duplicate ACL entries and verify the expected behavior for all possible
    settings of the nfs4:acedup option.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 9671bf2b9f055012057620207624aa2f4ea6833e)

commit 31d60e8cf2c27e7c05f18b087db5c5aa48075b79
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 12:02:58 2019 -0700

    test_nfs4_acls: Add test for 'map full control' option
    
    "map full control" when enabled adds the DELETE_CHILD permission, when
    all other permissions are present. This allows Windows clients to
    display the "FULL CONTROL" permissions.
    
    Add a testcase that verifies this mapping when mapping from NFSv4 ACL to
    the DACL in the security descriptor. Also verify that switching the
    option off disables this behavior.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 30677df4dac4ebfcf4e3198db33f14be37948197)

commit 61002278b801a1d5814954c44371e73d0a2eee43
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:57:45 2019 -0700

    test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries
    
    Add testcase for mapping from NFSv4 ACL entries for "special owner" and
    "special group" to DACL entries in the security descriptor. Each NFSv4
    entry here with INHERIT_ONLY maps directly to a CREATOR OWNER or CREATOR
    GROUP entry in the DACL. Entries without INHERIT_ONLY map to the CREATOR
    entry and an additional explicit entry granting permission on the
    current object.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 3c9cda0f6d80258ef0c2a80d6e24dfb650fea1b1)

commit 4e46dbc7749753b9d6d89ef9aa995cb49e53969a
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:55:59 2019 -0700

    test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries
    
    Add testcase for mapping DACL entries CREATOR OWNER and CREATOR GROUP
    with inheritance flag in the security descriptor to NFSv4 "special
    owner" and "special group" entries. This is the correct mapping for
    these entries as inheriting "special owner" and "special group" grants
    permissions to the actual owner and owning group of the new file or
    directory, similar to what CREATOR entries do.
    
    The other side is that CREATOR entries without any inheritance flags do
    not make sense, so these are not mapped to NFSv4 ACL entries.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit bfcc19b705f83bdd5cf665fd4daf43e7eae997a9)

commit aa466a0104d95f0a512c5d740df1c17a06116bd4
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:53:15 2019 -0700

    test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries
    
    Add testcase for mapping from entries in the DACL security descriptor to
    "special" entries in the NFSv4 ACL. Verify that the WORLD well-known SID
    maps to "everyone" in the NFSv4 ACL. Verify that the "Unix NFS" SID is
    ignored, as there is no meaningful mapping for this entry. Verify that
    SID entries matching the owner or group are mapped to "special owner"
    or "special group", but only if no inheritance flags are used. "special
    owner" and "special group" with inheritance flags have the meaning of
    CREATOR OWNER and CREATOR GROUP and will be tested in another testcase.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 1f1fa5bde2c76636c1beec39c21067b252ea10be)

commit dda9e525c55c3602060fffc773e1d31b524ba93f
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:46:23 2019 -0700

    test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries
    
    In addition to entries for users and groups, NFSv4 ACLs have the concept
    of entries for "special" entries. Only the "owner", "group" and
    "everyone" entries are currently used in the ACL mapping.
    
    Add a testcase that verifies the mapping from NFSv4 "special" entries to
    the DACL in the security descriptor. Verify that only "owner", "group"
    and "everyone" are mapped and all other "special" entries are ignored.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit f86148948c7f89307a34e31f6ddede6923149d34)

commit 368c370dc2f82b03da2e910e1116f5afee064c29
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:35:34 2019 -0700

    test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL
    
    Add testcase for mapping the permission flags from the DACL in the
    Security Descriptor to a NFSv4 ACL. The mapping is straight-forward as
    the same permission bits exist for Security Descriptors and NFSv4 ACLs.
    In addition, the code also maps from the generic DACL permissions to a
    set of NFSv4 permissions, also verify this mapping.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit e4840e680744bd860beedeb5123704c3c0d6a4d7)

commit 014ae431e64166de6c97660cfbfc6c90c52b532e
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:33:29 2019 -0700

    test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL
    
    Add testcase for mapping permissions from the NFSv4 ACL to DACL in the
    security descriptor. The mapping is simple as each permission bit exists
    on both sides.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 1767027b44a9e4ebd865022e3f8abb0c72bf15c6)

commit ec532e3ed55d94252a23639aad6937118fcf68f1
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:30:12 2019 -0700

    test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL
    
    Add testcase for the mapping of inheritance flags from the DACL in the
    security descriptor to the NFSv4 ACL. The mapping is different for files
    and directories as some inheritance flags should not be present for
    files. Also other flags are not mapped at all, verify this behavior.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit bccd2612761e26ee2514935d56927b2c0c000859)

commit c1eb8ec5c3313cebee8dc4ea3643459ced76a2b1
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:28:31 2019 -0700

    test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL
    
    Add testcase for the mapping of inheritance flags when mapping from a
    NFSv4 ACL to a DACL in the security descriptor. The mapping is different
    between files and directories, as some inheritance flags should never be
    present for files. Some defined flags like SUCCESSFUL_ACCESS are also
    not mapped at this point, also verify this behavior.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 16eb61a900c6749c2554d635ce2dd903f5de1704)

commit 4120b8dcbe8e8de5cb4db7e09a8916f4ab4d4493
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:25:33 2019 -0700

    test_nfs4_acls: Add tests for mapping of ACL types
    
    Add testcases for mapping the type field (ALLOW or DENY) between NFSv4
    ACLs and security descriptors.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit dd5934797526ebb4c6f3027a809401dad3abf701)

commit 526da3f215a12dca398ad6c615541e5edb359dae
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:23:40 2019 -0700

    test_nfs4_acls: Add tests for mapping of empty ACLs
    
    This is a fairly simple test that ensures the mapping of empty ACLs
    (without any ACL entries) is always done the same way.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 00f494b25f4e1d1aecf6191523e30f20a90b1e4f)

commit 88b0461ca0d120d39e10a8765d2f25429ef2faab
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jul 2 11:22:13 2019 -0700

    selftest: Start implementing unit test for nfs4_acls
    
    Existing smbtorture tests set and query ACLs through SMB, only working
    with the DACLs in the Security Descriptors, but never check the NFSv4
    ACL representation. This patch introduces a unit test to verify the
    mapping between between Security Descriptors and NFSv4 ACLs. As the
    mapping code queries id mappings, the id mapping cache is first primed
    with the mappings used by the tests and those mappings are removed again
    during teardown.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 8fb906a1860452a320c79ac87917a97303729c19)

commit 9e82d8ae7fa94228656e9a82d5a7d41d5cb0a4e3
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jun 11 16:15:10 2019 -0700

    nfs4_acls: Remove fsp from smbacl4_win2nfs4
    
    Only the information whether the ACL is for a file or a directory is
    required. Replacing the fsp with a flag is clearer and allows for unit
    testing of the mapping functions.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit a06486bb110d04a90b66a0bca4b1b600ef3c0ebf)

commit 72d79334a53917bd3ee6521bcea2a551906712da
Author: Christof Schmitt <cs at samba.org>
Date:   Fri Jun 7 12:55:32 2019 -0700

    Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
    
    This reverts commit 5d4f7bfda579cecb123cfb1d7130688f1d1c98b7.
    
    That patch broke the case with ID_TYPE_BOTH where a file is owned by a
    group (e.g. using autorid and having a file owned by
    BUILTIN\Administrators). In this case, the ACE entry for the group gets
    mapped a to a user ACL entry and the group no longer has access (as in
    the user's token the group is not mapped to a uid).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 42bd3a72a2525aa8a918f4bf7067b30ce8e0e197)

-----------------------------------------------------------------------

Summary of changes:
 ctdb/tools/onnode                                  |    2 +-
 docs-xml/manpages/samba_downgrade_db.8.xml         |   95 +
 docs-xml/manpages/vfs_gpfs.8.xml                   |   20 -
 docs-xml/wscript_build                             |    1 +
 lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.0.6.sigs}     |    0
 ...yldb-util-1.1.10.sigs => pyldb-util-2.0.6.sigs} |    0
 lib/ldb/include/ldb.h                              |    3 +
 lib/ldb/include/ldb_module.h                       |   13 +-
 lib/ldb/ldb_key_value/ldb_kv.c                     |    2 -
 lib/ldb/ldb_key_value/ldb_kv.h                     |    1 +
 lib/ldb/ldb_key_value/ldb_kv_index.c               |   25 +-
 lib/ldb/wscript                                    |    2 +-
 python/samba/tests/blackbox/downgradedatabase.py   |    4 +-
 python/samba/tests/usage.py                        |    2 +
 selftest/knownfail.d/usage                         |    1 -
 source3/modules/nfs4_acls.c                        |  361 ++--
 source3/modules/nfs4_acls.h                        |    2 +
 source3/modules/test_nfs4_acls.c                   | 1898 ++++++++++++++++++++
 source3/modules/vfs_default.c                      |    2 +-
 source3/modules/vfs_glusterfs.c                    |  341 +++-
 source3/modules/vfs_gpfs.c                         |  121 +-
 source3/modules/wscript_build                      |    5 +
 source3/selftest/tests.py                          |    4 +
 .../{sambadowngradedatabase => samba_downgrade_db} |   26 +-
 source4/scripting/bin/wscript_build                |    3 +-
 source4/scripting/wscript_build                    |    2 +-
 26 files changed, 2654 insertions(+), 282 deletions(-)
 create mode 100644 docs-xml/manpages/samba_downgrade_db.8.xml
 copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.0.6.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-2.0.6.sigs} (100%)
 create mode 100644 source3/modules/test_nfs4_acls.c
 rename source4/scripting/bin/{sambadowngradedatabase => samba_downgrade_db} (77%)


Changeset truncated at 500 lines:

diff --git a/ctdb/tools/onnode b/ctdb/tools/onnode
index e143ba2d4d4..d6595fff4aa 100755
--- a/ctdb/tools/onnode
+++ b/ctdb/tools/onnode
@@ -72,7 +72,7 @@ parse_options ()
 {
 	local opt
 
-	while getopts "cf:hno:pqvPi?" opt ; do
+	while getopts "cf:hnpqvPi?" opt ; do
 		case "$opt" in
 		c) current=true ;;
 		f) ctdb_nodes_file="$OPTARG" ;;
diff --git a/docs-xml/manpages/samba_downgrade_db.8.xml b/docs-xml/manpages/samba_downgrade_db.8.xml
new file mode 100644
index 00000000000..7b0c822cf21
--- /dev/null
+++ b/docs-xml/manpages/samba_downgrade_db.8.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="samba_downgrade_db.8">
+
+<refmeta>
+	<refentrytitle>samba_downgrade_db</refentrytitle>
+	<manvolnum>8</manvolnum>
+	<refmiscinfo class="source">Samba</refmiscinfo>
+	<refmiscinfo class="manual">User Commands</refmiscinfo>
+	<refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+	<refname>samba_downgrade_db</refname>
+	<refpurpose>Samba tool for downgrading AD databases
+	</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>samba_downgrade_db</command>
+		<arg choice="opt">-H</arg>
+		<arg choice="opt">-s</arg>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+	<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> suite.</para>
+
+	<para>The format of the Samba Active Directory (AD) database changed in
+	version 4.8 and 4.11. When downgrading a Samba AD Domain Controller (DC)
+	to a release that is older than either of these versions (e.g. 4.11 to
+	4.10), the AD database must be manually downgraded
+	<emphasis>before</emphasis> the Samba packages can be safely downgraded.
+	</para>
+
+	<para>This tool downgrades a Samba sam.ldb database from the format
+	used in version &doc.version; to that of version 4.7. The v4.7 database
+	format can safely be read by any version of Samba. If necessary, later
+	versions of Samba will repack and reconfigure a v4.7-format database when
+	the samba executable is first started.</para>
+
+	<para>Note that all Samba services must be stopped on the DC before running
+	this tool. Once the tool has run, do not restart samba or modify the
+	database before the Samba software package has been downgraded.
+	</para>
+</refsect1>
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+
+	<varlistentry>
+	<term>-H [sam.ldb file]</term>
+	<listitem><para>
+	Link directly to a sam.ldb file instead of using path in system
+	smb.conf
+	</para></listitem>
+	</varlistentry>
+
+	<varlistentry>
+	<term>-s [smb.conf file]</term>
+	<listitem><para>
+	Link directly to smb.conf file instead of system default (usually
+	in /usr/local/samba/etc/smb.conf)
+	</para></listitem>
+	</varlistentry>
+
+	</variablelist>
+</refsect1>
+
+<refsect1>
+	<title>VERSION</title>
+
+	<para>This man page is complete for version &doc.version; of the Samba
+	suite.</para>
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para>The original Samba software and related utilities
+	were created by Andrew Tridgell. Samba is now developed
+	by the Samba Team as an Open Source project similar
+	to the way the Linux kernel is developed.</para>
+
+	<para>The samba_downgrade_db tool was developed by the Samba team
+	at Catalyst IT Ltd.</para>
+</refsect1>
+
+</refentry>
diff --git a/docs-xml/manpages/vfs_gpfs.8.xml b/docs-xml/manpages/vfs_gpfs.8.xml
index 2f3b4274e4b..fb1f5bb2237 100644
--- a/docs-xml/manpages/vfs_gpfs.8.xml
+++ b/docs-xml/manpages/vfs_gpfs.8.xml
@@ -204,26 +204,6 @@
 		</varlistentry>
 		<varlistentry>
 
-		<term>gpfs:merge_writeappend = [ yes | no ]</term>
-		<listitem>
-		<para>
-		GPFS ACLs doesn't know about the 'APPEND' right.
-		This option lets Samba map the 'APPEND' right to 'WRITE'.
-		</para>
-
-		<itemizedlist>
-		<listitem><para>
-		<command>yes(default)</command> - map 'APPEND' to 'WRITE'.
-		</para></listitem>
-		<listitem><para>
-		<command>no</command> - do not map 'APPEND' to 'WRITE'.
-		</para></listitem>
-		</itemizedlist>
-		</listitem>
-
-		</varlistentry>
-		<varlistentry>
-
 		<term>gpfs:acl = [ yes | no ]</term>
 		<listitem>
 		<para>
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 575fb702b46..3dad0a21313 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -31,6 +31,7 @@ manpages='''
          manpages/samba-tool.8
          manpages/samba.7
          manpages/samba.8
+         manpages/samba_downgrade_db.8
          manpages/sharesec.1
          manpages/smbcacls.1
          manpages/smbclient.1
diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.0.6.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.0.6.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-2.0.6.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-2.0.6.sigs
diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h
index f06d5e95528..3cba0f4d543 100644
--- a/lib/ldb/include/ldb.h
+++ b/lib/ldb/include/ldb.h
@@ -220,6 +220,9 @@ struct tevent_context;
 enum ldb_debug_level {LDB_DEBUG_FATAL, LDB_DEBUG_ERROR,
 		      LDB_DEBUG_WARNING, LDB_DEBUG_TRACE};
 
+/* alias for something that's not a fatal error but we really want to log */
+#define LDB_DEBUG_ALWAYS_LOG  LDB_DEBUG_FATAL
+
 /**
   the user can optionally supply a debug function. The function
   is based on the vfprintf() style of interface, but with the addition
diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index ab3d25c5c6e..8c1e5ee7936 100644
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -559,12 +559,15 @@ int ldb_unpack_get_format(const struct ldb_val *data,
 #define LDB_UNPACK_DATA_FLAG_NO_ATTRS        0x0008
 #define LDB_UNPACK_DATA_FLAG_READ_LOCKED     0x0010
 
-/* In-use packing formats */
-#define LDB_PACKING_FORMAT 0x26011967
-#define LDB_PACKING_FORMAT_V2 0x26011968
+enum ldb_pack_format {
 
-/* Old packing formats */
-#define LDB_PACKING_FORMAT_NODN 0x26011966
+	/* Old packing format (based on a somewhat arbitrary date) */
+	LDB_PACKING_FORMAT_NODN = 0x26011966,
+
+	/* In-use packing formats */
+	LDB_PACKING_FORMAT,
+	LDB_PACKING_FORMAT_V2
+};
 
 /**
  Forces a specific ldb handle to use the global event context.
diff --git a/lib/ldb/ldb_key_value/ldb_kv.c b/lib/ldb/ldb_key_value/ldb_kv.c
index f768fb5e1e4..4e7b8a116b3 100644
--- a/lib/ldb/ldb_key_value/ldb_kv.c
+++ b/lib/ldb/ldb_key_value/ldb_kv.c
@@ -315,8 +315,6 @@ static int ldb_kv_maybe_repack(struct ldb_kv_private *ldb_kv) {
 	    ldb_kv->target_pack_format_version) {
 		int r;
 		struct ldb_context *ldb = ldb_module_get_ctx(ldb_kv->module);
-		ldb_kv->pack_format_version =
-			ldb_kv->target_pack_format_version;
 		r = ldb_kv_repack(ldb_kv->module);
 		if (r != LDB_SUCCESS) {
 			ldb_debug(ldb, LDB_DEBUG_ERROR,
diff --git a/lib/ldb/ldb_key_value/ldb_kv.h b/lib/ldb/ldb_key_value/ldb_kv.h
index e627644ba34..f9dffae2dcf 100644
--- a/lib/ldb/ldb_key_value/ldb_kv.h
+++ b/lib/ldb/ldb_key_value/ldb_kv.h
@@ -175,6 +175,7 @@ struct ldb_kv_repack_context {
 	int error;
 	uint32_t count;
 	bool normal_record_seen;
+	uint32_t old_version;
 };
 
 
diff --git a/lib/ldb/ldb_key_value/ldb_kv_index.c b/lib/ldb/ldb_key_value/ldb_kv_index.c
index ef275b28013..0853b28fe40 100644
--- a/lib/ldb/ldb_key_value/ldb_kv_index.c
+++ b/lib/ldb/ldb_key_value/ldb_kv_index.c
@@ -3526,6 +3526,18 @@ static int re_index(struct ldb_kv_private *ldb_kv,
 	return 0;
 }
 
+/*
+ * Convert the 4-byte pack format version to a number that's slightly
+ * more intelligible to a user e.g. version 0, 1, 2, etc.
+ */
+static uint32_t displayable_pack_version(uint32_t version) {
+	if (version < LDB_PACKING_FORMAT_NODN) {
+		return version; /* unknown - can't convert */
+	}
+
+	return (version - LDB_PACKING_FORMAT_NODN);
+}
+
 static int re_pack(struct ldb_kv_private *ldb_kv,
 		   _UNUSED_ struct ldb_val key,
 		   struct ldb_val val,
@@ -3571,9 +3583,12 @@ static int re_pack(struct ldb_kv_private *ldb_kv,
 	 * want to spam the log.
 	 */
 	if ((!ctx->normal_record_seen) && (!ldb_dn_is_special(msg->dn))) {
-		ldb_debug(ldb, LDB_DEBUG_WARNING,
-			  "Repacking database with format %#010x",
-			  ldb_kv->pack_format_version);
+		ldb_debug(ldb, LDB_DEBUG_ALWAYS_LOG,
+			  "Repacking database from v%u to v%u format "
+			  "(first record %s)",
+			  displayable_pack_version(ctx->old_version),
+			  displayable_pack_version(ldb_kv->pack_format_version),
+			  ldb_dn_get_linearized(msg->dn));
 		ctx->normal_record_seen = true;
 	}
 
@@ -3584,6 +3599,7 @@ static int re_pack(struct ldb_kv_private *ldb_kv,
 			  ctx->count);
 	}
 
+	talloc_free(msg);
 	return 0;
 }
 
@@ -3595,10 +3611,13 @@ int ldb_kv_repack(struct ldb_module *module)
 	struct ldb_kv_repack_context ctx;
 	int ret;
 
+	ctx.old_version = ldb_kv->pack_format_version;
 	ctx.count = 0;
 	ctx.error = LDB_SUCCESS;
 	ctx.normal_record_seen = false;
 
+	ldb_kv->pack_format_version = ldb_kv->target_pack_format_version;
+
 	/* Iterate all database records and repack them in the new format */
 	ret = ldb_kv->kv_ops->iterate(ldb_kv, re_pack, &ctx);
 	if (ret < 0) {
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 61f6b664902..a63a6c2171f 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '2.0.5'
+VERSION = '2.0.6'
 
 import sys, os
 
diff --git a/python/samba/tests/blackbox/downgradedatabase.py b/python/samba/tests/blackbox/downgradedatabase.py
index a5e540c1354..3d230609efc 100644
--- a/python/samba/tests/blackbox/downgradedatabase.py
+++ b/python/samba/tests/blackbox/downgradedatabase.py
@@ -23,8 +23,8 @@ import shutil
 from subprocess import check_output
 from samba.samdb import SamDB
 
-COMMAND = os.path.join(os.path.dirname(__file__),
-               "../../../../../source4/scripting/bin/sambadowngradedatabase")
+COMMAND = os.path.join(os.environ.get("SRCDIR_ABS"),
+               "source4/scripting/bin/samba_downgrade_db")
 
 
 class DowngradeTestBase(BlackboxTestCase):
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index ba18a3e0729..4b7bccde758 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -78,6 +78,8 @@ EXCLUDE_USAGE = {
     'selftest/tap2subunit',
     'script/show_test_time',
     'source4/scripting/bin/subunitrun',
+    'bin/samba_downgrade_db',
+    'source4/scripting/bin/samba_downgrade_db',
     'source3/selftest/tests.py',
     'selftest/tests.py',
     'python/samba/subunit/run.py',
diff --git a/selftest/knownfail.d/usage b/selftest/knownfail.d/usage
index 23d52c0b727..3e54f80a2de 100644
--- a/selftest/knownfail.d/usage
+++ b/selftest/knownfail.d/usage
@@ -25,7 +25,6 @@ samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_rebuildextendedd
 samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_renamedc.none.
 samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_repl_cleartext_pwd_py.none.
 samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_rodcdns.none.
-samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_sambadowngradedatabase.none.
 samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_gpupdate.none.
 samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_gpupdate_.none.
 samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_kcc.none.
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 7776caa16d2..eb76696948b 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -21,6 +21,7 @@
 #include "smbd/smbd.h"
 #include "nfs4_acls.h"
 #include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/idmap.h"
 #include "../libcli/security/dom_sid.h"
 #include "../libcli/security/security.h"
 #include "dbwrap/dbwrap.h"
@@ -254,6 +255,13 @@ bool smbacl4_set_controlflags(struct SMB4ACL_T *acl, uint16_t controlflags)
 	return true;
 }
 
+bool nfs_ace_is_inherit(SMB_ACE4PROP_T *ace)
+{
+	return ace->aceFlags & (SMB_ACE4_INHERIT_ONLY_ACE|
+				SMB_ACE4_FILE_INHERIT_ACE|
+				SMB_ACE4_DIRECTORY_INHERIT_ACE);
+}
+
 static int smbacl4_GetFileOwner(struct connection_struct *conn,
 				const struct smb_filename *smb_fname,
 				SMB_STRUCT_STAT *psbuf)
@@ -289,6 +297,35 @@ static int smbacl4_fGetFileOwner(files_struct *fsp, SMB_STRUCT_STAT *psbuf)
 	return 0;
 }
 
+static void check_for_duplicate_sec_ace(struct security_ace *nt_ace_list,
+					int *good_aces)
+{
+	struct security_ace *last = NULL;
+	int i;
+
+	if (*good_aces < 2) {
+		return;
+	}
+
+	last = &nt_ace_list[(*good_aces) - 1];
+
+	for (i = 0; i < (*good_aces) - 1; i++) {
+		struct security_ace *cur = &nt_ace_list[i];
+
+		if (cur->type == last->type &&
+		    cur->flags == last->flags &&
+		    cur->access_mask == last->access_mask &&
+		    dom_sid_equal(&cur->trustee, &last->trustee))
+		{
+			struct dom_sid_buf sid_buf;
+
+			DBG_INFO("Removing duplicate entry for SID %s.\n",
+				 dom_sid_str_buf(&last->trustee, &sid_buf));
+			(*good_aces)--;
+		}
+	}
+}
+
 static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
 	const struct smbacl4_vfs_params *params,
 	struct SMB4ACL_T *acl, /* in */
@@ -430,6 +467,8 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx,
 				     ace->aceType, mask,
 				     win_ace_flags);
 		}
+
+		check_for_duplicate_sec_ace(nt_ace_list, &good_aces);
 	}
 
 	nt_ace_list = talloc_realloc(mem_ctx, nt_ace_list, struct security_ace,
@@ -646,142 +685,191 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
 	return NULL;
 }
 
+static int smbacl4_MergeIgnoreReject(enum smbacl4_acedup_enum acedup,
+				     struct SMB4ACL_T *theacl,
+				     SMB_ACE4PROP_T *ace,
+				     bool *paddNewACE)
+{
+	int	result = 0;
+	SMB_ACE4PROP_T *ace4found = smbacl4_find_equal_special(theacl, ace);
+	if (ace4found)
+	{
+		switch(acedup)
+		{
+		case e_merge: /* "merge" flags */
+			*paddNewACE = false;
+			ace4found->aceFlags |= ace->aceFlags;
+			ace4found->aceMask |= ace->aceMask;
+			break;
+		case e_ignore: /* leave out this record */
+			*paddNewACE = false;
+			break;
+		case e_reject: /* do an error */
+			DBG_INFO("ACL rejected by duplicate nt ace.\n");
+			errno = EINVAL; /* SHOULD be set on any _real_ error */
+			result = -1;
+			break;
+		default:
+			break;
+		}
+	}
+	return result;
+}
+
+static int nfs4_acl_add_ace(enum smbacl4_acedup_enum acedup,
+			    struct SMB4ACL_T *nfs4_acl,
+			    SMB_ACE4PROP_T *nfs4_ace)
+{
+	bool add_ace = true;
 
-static bool smbacl4_fill_ace4(
-	const struct smb_filename *filename,
-	const struct smbacl4_vfs_params *params,
-	uid_t ownerUID,
-	gid_t ownerGID,
-	const struct security_ace *ace_nt, /* input */
-	SMB_ACE4PROP_T *ace_v4 /* output */
-)
+	if (acedup != e_dontcare) {
+		int ret;
+
+		ret = smbacl4_MergeIgnoreReject(acedup, nfs4_acl,
+						nfs4_ace, &add_ace);
+		if (ret == -1) {
+			return -1;
+		}
+	}
+
+	if (add_ace) {
+		smb_add_ace4(nfs4_acl, nfs4_ace);
+	}
+
+	return 0;
+}
+
+static int nfs4_acl_add_sec_ace(bool is_directory,
+				const struct smbacl4_vfs_params *params,
+				uid_t ownerUID,
+				gid_t ownerGID,
+				const struct security_ace *ace_nt,
+				struct SMB4ACL_T *nfs4_acl)
 {
 	struct dom_sid_buf buf;
+	SMB_ACE4PROP_T nfs4_ace = { 0 };
+	SMB_ACE4PROP_T nfs4_ace_2 = { 0 };
+	bool add_ace2 = false;
+	int ret;
 
 	DEBUG(10, ("got ace for %s\n",
 		   dom_sid_str_buf(&ace_nt->trustee, &buf)));
 
-	ZERO_STRUCTP(ace_v4);
-
 	/* only ACCESS|DENY supported right now */
-	ace_v4->aceType = ace_nt->type;


-- 
Samba Shared Repository



More information about the samba-cvs mailing list