I believe I have found the reason for "The permissions on blah are incorrectly ordered ..."

Jeremy Allison jra at samba.org
Wed Mar 27 12:19:19 MDT 2013

On Wed, Mar 27, 2013 at 11:12:40AM -0700, Richard Sharpe wrote:
> Hi folks,
> I have, at long last, found the reason for the error message "The
> permissions on blah are incorrectly ordered, which may cause some
> entries to be ineffective."
> It happens when you use robocopy and force the creation of the target
> directory and there is a CREATOR OWNER or CREATOR GROUP entry in the
> parent objects SD.
> It happens, I believe because of the following code in
> se_create_child_secdesc (in master,  3.6.x and 3.5.x) only sets the
> inherited flag on directories if the SD control field of the parent
> (we call it the type) contains SEC_DESC_DACL_AUTO_INHERITED (0x0400).
> However, [MS-DTYP].pdf, section (ACE_HEADER) in the subsection
> on AceFlags says:
> -----------------------------------------
> Indicates that the ACE was inherited. The system sets this bit when it
> propagates an inherited ACE to a child object.<35>
> -----------------------------------------
> The footnote only indicates that the bit is not supported for Windows
> NT 4.0 (and earlier, I imagine :-)
> I am going to do a quick check on Windows Server 2008R2 and if Windows
> does not do what Samba does, I will create a bug and submit a patch.

Whatever patch you create, make sure it passes both SMB1 and SMB2
raw.acls tests :-). That's where this code came from... :-).

More information about the samba-technical mailing list