[PATCH] Add tests for our NFSv4 ACL code

Abhidnya S Joshi achirmul at in.ibm.com
Mon Apr 22 03:55:46 MDT 2013

Hi Andrew, Alexander,

To test this NFS4 ACL work, I have added 2 tests to check inheritance of 
creator owner and creator group. Primary aim is to test Samba bug 9467.
These two tests basically check if the creator owner/group SID gets 
interpreted and applied correctly upon inheritance. Please review the 

Thanks and Regards
Abhidnya Joshi

From:   Andrew Bartlett <abartlet at samba.org>
To:     Alexander Werth <werth at linux.vnet.ibm.com>, 
Cc:     samba-technical at lists.samba.org, jra at samba.org
Date:   04/22/2013 06:01 AM
Subject:        Re: [PATCH] Add tests for our NFSv4 ACL code
Sent by:        samba-technical-bounces at lists.samba.org

On Wed, 2013-04-17 at 21:13 +0200, Alexander Werth wrote:
> On Sun, 2013-04-14 at 22:00 +1000, Andrew Bartlett wrote:
> > From here, I want to learn more about the failures, work out at what
> > layer we should be doing various inheritance operations (adding
> > emulation if required), and possibly patch raw.acls to optionally skip
> > SACLs in the comparisons. 
> I've merged the inheritance emulation into your nfs4acl_xattr module.
> Please find the code in the attached patch.
> The idea is that if no xattr with nfs4 acls is found the parent
> folders are inspected recursively.
> This way any vfs operation reading the acl of a file that just got
> created with an open call will return the right security descriptor.
> With this the test nfs4acl_xattr.dynamic passes.
> The nfs4acl_xattr.inheritance passes as well but there are
> warnings since the SDs don't match bit for bit and the torture
> test returns a failed even though there was no hard error.
> So I guess we have to adjust the torture test before committing
> this patch.

Thanks for all your hard work here.  These changes seem entirely
sensible to me.  Could you perhaps merge them into a set that could be
committed to master?  (Probably squash some of them together)

In terms of the handling of the special SIDs, we really need winbind to
give a valid result for those.  If we moved the test from the s3dc to
the plugin_s4_dc environment, they probably would resolve (due to the
different winbindd), and we might make more progress here, until we can
fix up the source3/winbindd idmap code. 

We also need to fix up the key idmap code in nfs4_acls.c:630 to be more
like what I put in the posix_acls.c code at line 1973.  That will cope
with IDMAP_BOTH better as well. 

Finally, in terms of your question about 'denymissingspecial', I copied
the zfsacl code as my template, which is why this came across.  I don't
know the history or reasoning behind this at this time. 


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-smbtorture-Test-creator-inheritance-with-nfs4-acl.patch
Type: application/octet-stream
Size: 14934 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130422/7a4a1483/attachment.obj>
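
The inheritance emulation discussed in the thread (when an object has no stored ACL, look up through its parent folders, then resolve the creator owner / creator group SIDs for the new object), as an added Python example that is not code from the attached patch or from Samba. The dict-based store, the function names, the sample SIDs and masks are assumptions; it follows Windows-style inheritance rules and does not model the no-propagate flag or generic-rights mapping.

```python
import posixpath

# Simplified model; names and the dict-based "xattr store" are assumptions.
CREATOR_OWNER, CREATOR_GROUP = "S-1-3-0", "S-1-3-1"   # well-known SIDs
OI, CI, IO, INHERITED = 0x01, 0x02, 0x08, 0x10        # Windows ACE flag bits

def inherit(parent_acl, is_dir, owner, group):
    """Derive a child's ACEs (sid, flags, mask) from its parent's ACL."""
    special = {CREATOR_OWNER: owner, CREATOR_GROUP: group}
    out = []
    for sid, flags, mask in parent_acl:
        if not is_dir:
            if flags & OI:  # files take object-inherit ACEs, placeholder resolved
                out.append((special.get(sid, sid), INHERITED, mask))
        elif flags & CI:
            keep = INHERITED | (flags & (OI | CI))
            if sid in special:
                # Effective ACE for the real owner/group, plus an inherit-only
                # copy that keeps the placeholder for the next level down.
                out.append((special[sid], INHERITED, mask))
                out.append((sid, keep | IO, mask))
            else:
                out.append((sid, keep, mask))
        elif flags & OI:  # only passes through the directory to files below it
            out.append((sid, INHERITED | IO | OI, mask))
    return out

def effective_acl(store, meta, path):
    """Return the stored ACL, or emulate inheritance from the nearest ancestor."""
    if path in store:
        return store[path]
    if path == "/":
        return []  # nothing stored anywhere up the tree
    is_dir, owner, group = meta[path]
    parent_acl = effective_acl(store, meta, posixpath.dirname(path))
    return inherit(parent_acl, is_dir, owner, group)

# Constructed sample data: only /share carries a stored ACL.
ALICE, STAFF, EVERYONE = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513", "S-1-1-0"
STORE = {"/share": [(CREATOR_OWNER, OI | CI | IO, 0x1F01FF),
                    (CREATOR_GROUP, OI | CI | IO, 0x1200A9),
                    (EVERYONE, OI, 0x120089)]}
META = {"/share/sub": (True, ALICE, STAFF),
        "/share/sub/file.txt": (False, ALICE, STAFF)}

if __name__ == "__main__":
    for p in META:
        print(p, effective_acl(STORE, META, p))
```

The file two levels below `/share` ends up with ACEs for the real owner and group rather than the placeholder SIDs, which is the behaviour the two new tests are described as checking.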
