[PATCH][RFC] hash the posix ACL not the SD for acl_xattr

Andrew Bartlett abartlet at samba.org
Mon Sep 10 07:12:30 MDT 2012

The attached patch is much more than I would prefer to do at this point,
but that's why I'm sending this out incomplete, to try and get some

This adds VFS methods to get a blob of the posix ACL.  The idea is that
we will hash that, if available, instead of the NT ACL it becomes.  This
in turn insulates the ACL from changes in our mapping code. 

I need this because in some situations I've seen this:

get_nt_acl_internal: blob hash does not match for
file /usr/local/samba/sysvol/weaubleau.k12.mo.us/ - returning file
system SD mapping.

This is for an ACL just set, and not changed.  The (awaiting
confirmation) issue seems to be idmap values that get into the cache as
a both-way map, but where more than one SID maps onto a GID.  Perhaps we
should just fix that, but the need for the xattr hash to be based on the
posix ACL has always been a bugbear of mine.

A future version of this patch should probably also return: 
 - the owner and mask
 - metadata to reconstruct the module stack (ie a tag like posixacl) in
case we have to cope with changes here later. 

Then, we should hash this blob, and also hash the SD, and allow either
to match in vfs_acl_common. 

Alternatively, we can set "vfs_acl_xattr:ignore filesystem permissions=yes"
on the [sysvol] share, or try and assert that the idmapping is reflexive
at classicupgrade time. 

Thoughts very much welcome!


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-smbd-Add-extra-VFS-hooks-to-get-the-posix-ACL-as-a-b.patch
Type: text/x-patch
Size: 13524 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120910/bb76e73a/attachment.bin>
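The two-hash scheme sketched in the mail (hash a canonical blob of the posix ACL plus owner and a module-stack tag, hash the SD as well, and accept the stored NT ACL if either matches) as an added illustration. This is not Samba's code and not the attached patch: the entry layout, the tag ordering, the "posixacl" stack marker, the record format and the constructed SD byte strings are all assumptions made here so the example runs stand-alone.

```python
"""Added example, not Samba code: hash a canonical POSIX ACL blob next to the
NT security descriptor so the xattr check survives idmap/mapping changes.
Everything below (layout, tag order, stack tag, record format) is invented
for illustration."""
import hashlib
import struct
from dataclasses import dataclass

# Canonical tag order (POSIX.1e style) so that two ACLs holding the same
# entries always serialise to the same bytes regardless of input order.
TAG_ORDER = {"user_obj": 0, "user": 1, "group_obj": 2,
             "group": 3, "mask": 4, "other": 5}

STACK_TAG = b"posixacl"   # hypothetical "module stack" marker from the mail


@dataclass(frozen=True)
class AclEntry:
    tag: str         # one of TAG_ORDER
    qualifier: int   # uid/gid for "user"/"group" entries, -1 otherwise
    perms: int       # rwx bits, 0..7


def canonical_posix_acl_blob(entries, owner_uid, owner_gid):
    """Serialise stack tag, owner, and the sorted entries into a fixed layout."""
    for e in entries:
        if e.tag not in TAG_ORDER or not 0 <= e.perms <= 7:
            raise ValueError(f"bad ACL entry: {e}")
    ordered = sorted(entries, key=lambda e: (TAG_ORDER[e.tag], e.qualifier))
    blob = bytearray()
    blob += struct.pack(">B", len(STACK_TAG)) + STACK_TAG
    blob += struct.pack(">II", owner_uid, owner_gid)
    blob += struct.pack(">I", len(ordered))
    for e in ordered:
        blob += struct.pack(">BiB", TAG_ORDER[e.tag], e.qualifier, e.perms)
    return bytes(blob)


def blob_hash(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def make_xattr_record(posix_blob: bytes, sd_blob: bytes) -> dict:
    """What would be stored beside the NT ACL: a hash of each representation."""
    return {"posix_hash": blob_hash(posix_blob), "sd_hash": blob_hash(sd_blob)}


def check_xattr_record(record: dict, posix_blob: bytes, sd_blob: bytes):
    """Accept the stored NT ACL if either hash still matches.
    Returns "posix" or "sd", or None when the caller should fall back to the
    filesystem SD mapping (the situation the quoted log line reports)."""
    if record["posix_hash"] == blob_hash(posix_blob):
        return "posix"
    if record["sd_hash"] == blob_hash(sd_blob):
        return "sd"
    return None


def demo():
    """Constructed scenario: the posix ACL is untouched, but an idmap change
    alters the SD the mapping code produces from it."""
    acl = [AclEntry("user_obj", -1, 7), AclEntry("group_obj", -1, 5),
           AclEntry("group", 3000011, 7), AclEntry("mask", -1, 7),
           AclEntry("other", -1, 0)]
    posix_blob = canonical_posix_acl_blob(acl, owner_uid=0, owner_gid=0)
    # Constructed stand-ins for the mapped SD before and after the idmap
    # change (two SIDs collapsing onto one GID yields a different SID here).
    sd_before = b"SD:owner=S-1-5-21-1-2-3-500;ace=S-1-5-21-1-2-3-1107:FULL"
    sd_after = b"SD:owner=S-1-5-21-1-2-3-500;ace=S-1-5-21-1-2-3-1108:FULL"
    record = make_xattr_record(posix_blob, sd_before)
    # SD changed, posix ACL did not: the posix hash keeps the stored NT ACL valid.
    unchanged = check_xattr_record(record, posix_blob, sd_after)
    # A real permission change must still be detected on both sides.
    edited = [AclEntry("other", -1, 4) if e.tag == "other" else e for e in acl]
    modified = check_xattr_record(
        record, canonical_posix_acl_blob(edited, 0, 0), sd_after)
    return unchanged, modified


if __name__ == "__main__":
    print(demo())
```

The point of the canonical serialisation is that the hash depends only on what the filesystem actually stores (owner, entries, mask), not on which SIDs the idmap layer happens to hand back this time; the SD hash is kept so that an ACL written by older code, which only recorded that, still validates.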
