I believe I have found the reason for "The permissions on blah are incorrectly ordered ..."
Jeremy Allison
jra at samba.org
Wed Mar 27 12:25:12 MDT 2013
On Wed, Mar 27, 2013 at 11:12:40AM -0700, Richard Sharpe wrote:
> Hi folks,
>
> I have, at long last, found the reason for the error message "The
> permissions on blah are incorrectly ordered, which may cause some
> entries to be ineffective."
>
> It happens when you use robocopy and force the creation of the target
> directory and there is a CREATOR OWNER or CREATOR GROUP entry in the
> parent objects SD.
>
> It happens, I believe because of the following code in
> se_create_child_secdesc (in master, 3.6.x and 3.5.x) only sets the
> inherited flag on directories if the SD control field of the parent
> (we call it the type) contains SEC_DESC_DACL_AUTO_INHERITED (0x0400).
>
> However, [MS-DTYP].pdf, section 2.4.4.1 (ACE_HEADER) in the subsection
> on AceFlags says:
>
> -----------------------------------------
> INHERITED_ACE: 0x10
>
> Indicates that the ACE was inherited. The system sets this bit when it
> propagates an inherited ACE to a child object.<35>
> -----------------------------------------
>
> The footnote only indicates that the bit is not supported for Windows
> NT 4.0 (and earlier, I imagine :-)
>
> I am going to do a quick check on Windows Server 2008R2 and if Windows
> does not do what Samba does, I will create a bug and submit a patch.
Check out bug https://bugzilla.samba.org/show_bug.cgi?id=9124
That's where the code change comes from (you reviewed it btw :-).
Once you think you have a change that works, we need to add
in tests to raw.acl and smb2.acls to ensure we can differentiate
between the old behavior and the new behavior and ensure those
tests also pass against Windows 2012/2008.
Jeremy.
More information about the samba-technical
mailing list