mapping SYNCHRONIZE permission in NTFS ACL for ZFS

Jeremy Allison jra at samba.org
Tue Jan 11 19:05:07 MST 2011


On Tue, Jan 11, 2011 at 05:03:05PM -0800, Paul B. Henson wrote:
> On Tue, 11 Jan 2011, Jeremy Allison wrote:
> 
> > Hmmm. Yes. I was going to recommend leaving it alone on set, but if it's
> > really being defined as a server-side NO-OP then there's really no need.
> 
> A more general implementation would be to leave it set if it is set, but
> not set it otherwise, but that would be more complicated. As far as I can
> tell the function which is called to set the acl is passed the windows acl
> and the file name with no knowledge of the existing acl. To maintain the
> sync bit if set it would need to read in the existing acl and do a
> comparison between the old and new. Possible, but doesn't really seem
> worth the effort.
> 
> > Can you do me a favour, and log a bug against 3.5.6 on bugzilla.samba.org
> > so I can add in the patch for 3.6.0 and a future 3.5.x release ?
> 
> Will do, thanks...

Ok, here's the patch I'm planning for master. Can you test it
(I don't have access to a ZFS filesystem) for me please ?

The tricky part is that according to your results, all
UNIX filesystems that map onto NFSv4 ACLs should have
this change made (adding in the SYNCHRONIZE bit when returning
a Windows ACL). This means the logical place to do this is
not in modules/vfs_zfsacl.c, but in modules/nfs4_acls.c
which contains the master mapping code, so that's where
I've put it.

However, I'm assuming that the other filesystems that
support Samba mapping to NFSv4 ACLs (gpfs and aixacl2.c)
are ok with all incoming NFSv4 ACLs being rewritten on
write to contain the sync bit. They must already accept
it from a Windows ACL so I'm pretty sure this is ok.

I haven't added the code to strip the sync bit on write
to the gpfs and aixacl2 modules, as I don't think it's
really needed.

Do you want me to make the ZFS module code the same (i.e.
not strip the sync bit on write) ? It would make all modules
more consistent.

Jeremy.
-------------- next part --------------
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index 1913946..e2f9fe3 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -280,7 +280,9 @@ static bool smbacl4_nfs42win(TALLOC_CTX *mem_ctx, SMB4ACL_T *theacl, /* in */
 		DEBUG(10, ("mapped ace flags: 0x%x => 0x%x\n",
 		      ace->aceFlags, mapped_ace_flags));
 
-		mask = ace->aceMask;
+		/* Windows clients expect SYNC on acls to
+		   correctly allow rename. See bug #7909. */
+		mask = ace->aceMask | SMB_ACE4_SYNCHRONIZE;
 		init_sec_ace(&nt_ace_list[good_aces++], &sid,
 			ace->aceType, mask,
 			mapped_ace_flags);
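Review bot: The OR with SMB_ACE4_SYNCHRONIZE in smbacl4_nfs42win() is applied to every ACE regardless of ace->aceType, and that type is then passed straight into init_sec_ace(). For a deny-type ACE this puts SYNCHRONIZE into the deny mask returned to Windows, which works against the rename behaviour the comment is trying to restore. Consider adding the bit only when ace->aceType is an allow ACE and leaving mask = ace->aceMask otherwise. The comment could also say that the bit is synthesized on read and is not necessarily stored in the underlying ACL, so a later reader does not take the returned mask as the on-disk value.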
diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c
index 98c9bcf..8a2c378 100644
--- a/source3/modules/vfs_zfsacl.c
+++ b/source3/modules/vfs_zfsacl.c
@@ -124,6 +124,9 @@ static bool zfs_process_smbacl(files_struct *fsp, SMB4ACL_T *smbacl)
 		acebuf[i].a_type        = aceprop->aceType;
 		acebuf[i].a_flags       = aceprop->aceFlags;
 		acebuf[i].a_access_mask = aceprop->aceMask;
+		/* SYNC on acls is a no-op on ZFS.
+		   See bug #7909. */
+		acebuf[i].a_access_mask &= ~SMB_ACE4_SYNCHRONIZE;
 		acebuf[i].a_who         = aceprop->who.id;
 		if(aceprop->flags & SMB_ACE4_ID_SPECIAL) {
 			switch(aceprop->who.special_id) {
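Review bot: The comment in zfs_process_smbacl() says SYNC is a no-op on ZFS, but it does not say why a no-op bit has to be cleared before the write, so the line "acebuf[i].a_access_mask &= ~SMB_ACE4_SYNCHRONIZE;" reads as unnecessary. If storing the bit is harmless, dropping this hunk keeps the behaviour in the shared nfs4_acls.c mapping alone; if ZFS rejects or misreports it, state that in the comment. As written the clear is also unconditional, so combined with the unconditional set on read an ACL that genuinely carried the bit loses it on the first write from a client; worth noting in the comment that this is intentional.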

