I believe I have found the reason for "The permissions on blah are incorrectly ordered ..."

Jeremy Allison jra at samba.org
Wed Mar 27 12:30:57 MDT 2013


On Wed, Mar 27, 2013 at 11:25:12AM -0700, Jeremy Allison wrote:
> On Wed, Mar 27, 2013 at 11:12:40AM -0700, Richard Sharpe wrote:
> > Hi folks,
> > 
> > I have, at long last, found the reason for the error message "The
> > permissions on blah are incorrectly ordered, which may cause some
> > entries to be ineffective."
> > 
> > It happens when you use robocopy and force the creation of the target
> > directory and there is a CREATOR OWNER or CREATOR GROUP entry in the
> > parent object's SD.
> > 
> > It happens, I believe, because the following code in
> > se_create_child_secdesc (in master, 3.6.x and 3.5.x) only sets the
> > inherited flag on directories if the SD control field of the parent
> > (we call it the type) contains SEC_DESC_DACL_AUTO_INHERITED (0x0400).
> > 
> > However, [MS-DTYP].pdf, section 2.4.4.1 (ACE_HEADER) in the subsection
> > on AceFlags says:
> > 
> > -----------------------------------------
> > INHERITED_ACE: 0x10
> > 
> > Indicates that the ACE was inherited. The system sets this bit when it
> > propagates an inherited ACE to a child object.<35>
> > -----------------------------------------
> > 
> > The footnote only indicates that the bit is not supported for Windows
> > NT 4.0 (and earlier, I imagine :-)
> > 
> > I am going to do a quick check on Windows Server 2008R2 and if Windows
> > does not do what Samba does, I will create a bug and submit a patch.
> 
> Check out bug https://bugzilla.samba.org/show_bug.cgi?id=9124
> 
> That's where the code change comes from (you reviewed it btw :-).
> 
> Once you think you have a change that works, we need to add
> in tests to raw.acl and smb2.acls to ensure we can differentiate
> between the old behavior and the new behavior and ensure those
> tests also pass against Windows 2012/2008.

So this is the patch for the server you'd need (attached).
You should also read:

http://social.msdn.microsoft.com/Forums/en-US/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531

but this is probably about when to set the SEC_DESC_DACL_AUTO_INHERITED
bit on the DACL itself rather than the SEC_ACE_FLAG_INHERITED_ACE bit
on an ACE entry.

Jeremy.
-------------- next part --------------
diff --git a/libcli/security/secdesc.c b/libcli/security/secdesc.c
index d2c5833..a4ff310 100644
--- a/libcli/security/secdesc.c
+++ b/libcli/security/secdesc.c
@@ -639,7 +639,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 			/* First add the regular ACE entry. */
 			init_sec_ace(new_ace, ptrustee, ace->type,
 				ace->access_mask,
-				set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0);
+				SEC_ACE_FLAG_INHERITED_ACE);
 
 			DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x"
 				 " inherited as %s:%d/0x%02x/0x%08x\n",
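Review bot: in this first init_sec_ace call the flag argument no longer consults set_inherited_flags, and the second call changed in this patch drops it as well, so if those were its only uses the variable should be removed in the same patch rather than left as dead code. A one-line comment above the call stating that a propagated ACE is always marked SEC_ACE_FLAG_INHERITED_ACE would keep the conditional from being reintroduced later. The diff touches only libcli/security/secdesc.c, so the behaviour change arrives without a test that distinguishes the old result from the new one.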
@@ -664,7 +664,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 
 		init_sec_ace(new_ace, ptrustee, ace->type,
 			     ace->access_mask, new_flags |
-				(set_inherited_flags ? SEC_ACE_FLAG_INHERITED_ACE : 0));
+				SEC_ACE_FLAG_INHERITED_ACE));
 
 		DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
 			  " inherited as %s:%d/0x%02x/0x%08x\n",
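Review bot: the added line `SEC_ACE_FLAG_INHERITED_ACE));` keeps both closing parentheses of the line it replaces, but the opening parenthesis of the removed `(set_inherited_flags ? ... : 0)` group is gone, so the init_sec_ace call now has one `)` too many and will not compile as shown. The line should end `SEC_ACE_FLAG_INHERITED_ACE);`, giving `new_flags | SEC_ACE_FLAG_INHERITED_ACE` as the final argument.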

