I believe I have found the reason for "The permissions on blah are incorrectly ordered ..."

[Richard Sharpe]

Hi folks,

I have, at long last, found the reason for the error message "The
permissions on blah are incorrectly ordered, which may cause some
entries to be ineffective."

It happens when you use robocopy and force the creation of the target
directory and there is a CREATOR OWNER or CREATOR GROUP entry in the
parent objects SD.

It happens, I believe because of the following code in
se_create_child_secdesc (in master,  3.6.x and 3.5.x) only sets the
inherited flag on directories if the SD control field of the parent
(we call it the type) contains SEC_DESC_DACL_AUTO_INHERITED (0x0400).

However, [MS-DTYP].pdf, section 2.4.4.1 (ACE_HEADER) in the subsection
on AceFlags says:

-----------------------------------------
INHERITED_ACE: 0x10

Indicates that the ACE was inherited. The system sets this bit when it
propagates an inherited ACE to a child object.<35>
-----------------------------------------

The footnote only indicates that the bit is not supported for Windows
NT 4.0 (and earlier, I imagine :-)

I am going to do a quick check on Windows Server 2008R2 and if Windows
does not do what Samba does, I will create a bug and submit a patch.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)