[PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat

Jelmer Vernooij jelmer at samba.org
Mon Nov 12 15:51:43 MST 2012

On Tue, Nov 13, 2012 at 09:26:19AM +1100, Andrew Bartlett wrote:
> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
> > This patch should fix the issues where an ACL set on sysvol by
> > samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
> > fails.
> > 
> > The root cause here appears to be not setting fsp->is_directory
> > correctly.
> > 
> > This patch unifies the get and set code by simply using the same
> > boilerplate, however another approach would be to call
> > SMB_VFS_GET_NT_ACL() instead, which only needs a file path.  
> > 
> > I'm posting this so as to mark the fact that I've reproduced and fixed
> > one small part of this SYSVOL issue locally, and am continuing to work
> > on it.
> > 
> > I have a second patch here, which I feel makes this code more robust -
> > it removes the NT4 compatibility layer in the posix ACL code.  This will
> > mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
> > Windows client.  Currently samba-tool appears as RA_UNKNOWN, and so gets
> > NT4 compatible ACLs, which can break the hash when a Windows client
> > accesses the server.
> > 
> > I need to test more to prove this is strictly required, but I do feel it
> > is a worthwhile change in any case, given how long dead NT4 clients
> > changing ACLs with the Windows GUI are.
> Jelmer,
> Attached are the patches I'm currently working on, for review.  Please
> ack the ones you are comfortable with (perhaps just the test patches). 
> At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
> indicated he is happy to be rid of the "acl compatibility" code.

ACK on the first two. Are you sure that test won't start flapping?

I'm not familiar enough with the code to review the other two patches
at the moment. Perhaps somebody else can, or I can when I get a spare
moment later this week.


