I believe I have found the reason for "The permissions on blah are incorrectly ordered ..."
Jeremy Allison
jra at samba.org
Wed Mar 27 12:19:19 MDT 2013
On Wed, Mar 27, 2013 at 11:12:40AM -0700, Richard Sharpe wrote:
> Hi folks,
>
> I have, at long last, found the reason for the error message "The
> permissions on blah are incorrectly ordered, which may cause some
> entries to be ineffective."
>
> It happens when you use robocopy and force the creation of the target
> directory and there is a CREATOR OWNER or CREATOR GROUP entry in the
> parent objects SD.
>
> It happens, I believe because of the following code in
> se_create_child_secdesc (in master, 3.6.x and 3.5.x) only sets the
> inherited flag on directories if the SD control field of the parent
> (we call it the type) contains SEC_DESC_DACL_AUTO_INHERITED (0x0400).
>
> However, [MS-DTYP].pdf, section 2.4.4.1 (ACE_HEADER) in the subsection
> on AceFlags says:
>
> -----------------------------------------
> INHERITED_ACE: 0x10
>
> Indicates that the ACE was inherited. The system sets this bit when it
> propagates an inherited ACE to a child object.<35>
> -----------------------------------------
>
> The footnote only indicates that the bit is not supported for Windows
> NT 4.0 (and earlier, I imagine :-)
>
> I am going to do a quick check on Windows Server 2008R2 and if Windows
> does not do what Samba does, I will create a bug and submit a patch.
Whatever patch you create, make sure it passes both SMB1 and SMB2
raw.acls tests :-). That's where this code came from... :-).
More information about the samba-technical
mailing list