[PATCH][RFC] hash the posix ACL not the SD for acl_xattr

Andrew Bartlett abartlet at samba.org
Tue Sep 11 05:30:40 MDT 2012

On Mon, 2012-09-10 at 23:14 +1000, Andrew Bartlett wrote:
> On Mon, 2012-09-10 at 23:12 +1000, Andrew Bartlett wrote:
> > The attached patch is much more than I would prefer to do at this point,
> > but that's why I'm sending this out incomplete, to try and get some
> > feedback.
> The branch on which this is based an included is:
> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/acl-fixes-2

I've updated the branch, with a slightly updated VFS API.

Essentially I want the option to be able to implement this after RC1, as
I think it will fix some quite annoying bugs for our Samba4 DC users,
particularly those upgrading from classic domains. 

It will also insulate installations that rely on the NT ACL (which
Samba4 GPOs are the most strict) from changes to our mapping code.

I can't of course implement the hash method before RC1, but hopefully it
can be signed off on for RC2 when implemented and tested. 

As I said before:
> > I need this because in some situations I've seen this:
> > 
> > get_nt_acl_internal: blob hash does not match for
> > file /usr/local/samba/sysvol/weaubleau.k12.mo.us/ - returning file
> > system SD mapping.
> > 
> > This is for an ACL just set, and not changed.  The (awaiting
> > confirmation) issue seems to be idmap values that get into the cache as
> > a both-way map, but were more than one SID maps onto a GID.  Perhaps we
> > should just fix that, but the need for the xattr hash to be based on the
> > posix ACL has always been a bugbear of mine.
> > 
> > A future version of this patch should probably also return: 
> >  - the owner and mask
> >  - metadata to reconstruct the module stack (ie a tag like posixacl) in
> > case we have to cope with changes here later. 
> > 
> > Then, we should hash this blob, and also hash the SD, and allow either
> > to match in vfs_acl_common. 
> > 
> > Alternate, we can set "vfs_acl_xattr:ignore filesystem permissions=yes"
> > on the [sysvol] share or thy and assert that the idmapping is reflexive
> > at classicupgrade time. 
> > 

I would really, really like this much in RC1, but I'm doing that
tomorrow, so if either of you can review this much, it would be greatly


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list