smbcacls incorrect behaviour?

Stephen Summerfield ssummerf at
Wed May 8 09:37:02 GMT 2002


Been using smbcacls to duplicate permissions/ACLs of CIFS shared files
from UNIX following a file/directory copy operation.

I was having difficulty with shares on Win2K and Netapp filers to do
with inherited permissions - what was happening was the ACEs were ending
up in the wrong order (although no error was reported during setting -
inherited ACEs coming before explicit ACEs) and Win2K clients were
complaining when attempting to view the permissions that the order was

Having looked at the smbcacls source I noticed that the ACEs are being
sorted before being set, however I believe the sort being done is
incorrect, as it results in the ACEs becoming misordered. It is correct
for the denied ACEs to be before the allow ACEs, however the explicit
permissions should come before the inherited permissions - this was the
stem of my problem.
The current sorting algorithm sorts by type, SID, flags, mask, size and
then a memcmp(), in that order. So depending on the ACEs' SIDs,
inherited ACEs can come before or after explicit ACEs.
I believe it should only sort on type (deny then allow) and flags
(explicit then inherited) and otherwise the order left as it is.

Anyway here's what I changed in the sort comparator to make it work for
me (version

--- smbcacls.c  Wed May  8 17:15:39 2002
+++ smbcacls.c.orig     Wed May  8 17:16:48 2002
@@ -542,19 +542,10 @@
        if (ace1->type != ace2->type) 
                return ace2->type - ace1->type;
-       if (sid_compare(&ace1->trustee, &ace2->trustee)) 
-               return sid_compare(&ace1->trustee, &ace2->trustee);
        if (ace1->flags != ace2->flags) 
                return ace1->flags - ace2->flags;
-       if (ace1->info.mask != ace2->info.mask) 
-               return ace1->info.mask - ace2->info.mask;
-       if (ace1->size != ace2->size) 
-               return ace1->size - ace2->size;
-       return memcmp(ace1, ace2, sizeof(SEC_ACE));
+    return 0;
 static void sort_acl(SEC_ACL *the_acl)

I also noticed that on a modify, the ACE seems to be matched only on
SID, however it's possible for there to be more than one ACE with the
same SID (eg an allow and a deny ACE with different masks) so at the
moemnt what happens in this case is that all ACEs with that SID get
changed to be the same and then all but the first get removed as

One other problem I have is that with shares on a Netapp filer (mixed
qtree) the -S option of smbcacls silently fails - ie it appears to work
(no error returned) but the permissions don't get set. It's probably not
smbcacls at fault but it's rather odd that setting the same permissions
using a combination of delete and add operations does work - any ideas
gratefully received.


ssummerf at

More information about the samba-technical mailing list