[PATCH][RFC] hash the posix ACL not the SD for acl_xattr

Andrew Bartlett abartlet at samba.org
Mon Sep 10 07:14:21 MDT 2012

On Mon, 2012-09-10 at 23:12 +1000, Andrew Bartlett wrote:
> The attached patch is much more than I would prefer to do at this point,
> but that's why I'm sending this out incomplete, to try and get some
> feedback.

The branch on which this is based and included is:


> This adds VFS methods to get a blob of the posix ACL.  The idea is that
> we will hash that, if available, instead of the NT ACL it becomes.  This
> in turn insulates the ACL from changes in our mapping code. 
> I need this because in some situations I've seen this:
> get_nt_acl_internal: blob hash does not match for
> file /usr/local/samba/sysvol/weaubleau.k12.mo.us/ - returning file
> system SD mapping.
> This is for an ACL just set, and not changed.  The (awaiting
> confirmation) issue seems to be idmap values that get into the cache as
> a both-way map, but where more than one SID maps onto a GID.  Perhaps we
> should just fix that, but the need for the xattr hash to be based on the
> posix ACL has always been a bugbear of mine.
> A future version of this patch should probably also return: 
>  - the owner and mask
>  - metadata to reconstruct the module stack (ie a tag like posixacl) in
> case we have to cope with changes here later. 
> Then, we should hash this blob, and also hash the SD, and allow either
> to match in vfs_acl_common. 
> Alternatively, we can set "vfs_acl_xattr:ignore filesystem permissions=yes"
> on the [sysvol] share or try and assert that the idmapping is reflexive
> at classicupgrade time. 
> Thoughts very much welcome!
> Thanks,
> Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
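
The hash mismatch discussed in this message, as an added example that is not part of the original mail or of Samba's code: a simplified Python model in which the stored hash covers either the NT ACL that the POSIX ACL maps back to, or the POSIX ACL blob itself. The idmap table, the cache class, the SIDs and GID, and all function names are constructed for illustration.

```python
import hashlib

# Constructed idmap: two SIDs map onto one GID, the case described in the mail.
SID_TO_GID = {"S-1-5-21-1-2-3-512": 3000000, "S-1-5-32-544": 3000000}

class IdmapCache:
    """Toy cache that records every SID->GID lookup as a both-way mapping."""
    def __init__(self):
        self.gid_to_sid = {}

    def sid_to_gid(self, sid):
        gid = SID_TO_GID[sid]
        self.gid_to_sid[gid] = sid  # last SID looked up wins the reverse entry
        return gid

def digest(entries):
    blob = "\n".join(f"{who}:{perms}" for who, perms in entries).encode()
    return hashlib.sha256(blob).hexdigest()

def fs_sd(posix_acl, cache):
    """The NT ACL the POSIX ACL 'becomes': depends on the reverse idmap."""
    return [(cache.gid_to_sid[gid], perms) for gid, perms in posix_acl]

def set_acl(sd, cache):
    """Write the POSIX ACL and keep both hashes next to the stored SD."""
    posix_acl = [(cache.sid_to_gid(sid), perms) for sid, perms in sd]
    xattr = {"sd": sd, "sd_hash": digest(fs_sd(posix_acl, cache)),
             "posix_hash": digest(posix_acl)}
    return posix_acl, xattr

def get_acl(posix_acl, xattr, cache, hash_posix):
    """Return (sd, matched); on mismatch fall back to the filesystem mapping."""
    if hash_posix:
        ok = digest(posix_acl) == xattr["posix_hash"]
    else:
        ok = digest(fs_sd(posix_acl, cache)) == xattr["sd_hash"]
    return (xattr["sd"] if ok else fs_sd(posix_acl, cache)), ok

def demo():
    cache = IdmapCache()
    sd = [("S-1-5-21-1-2-3-512", "rwx")]
    posix_acl, xattr = set_acl(sd, cache)
    cache.sid_to_gid("S-1-5-32-544")  # unrelated lookup flips the reverse entry
    return (get_acl(posix_acl, xattr, cache, hash_posix=False),
            get_acl(posix_acl, xattr, cache, hash_posix=True))
```

In this model the POSIX ACL on disk never changes, yet the SD-based hash fails after the cache flip and the stored SD is discarded, while the POSIX-blob hash still matches.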
