I believe I have found the reason for "The permissions on blah are incorrectly ordered ..."

Richard Sharpe realrichardsharpe at gmail.com
Wed Mar 27 14:55:32 MDT 2013


On Wed, Mar 27, 2013 at 11:12 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> Hi folks,
>
> I have, at long last, found the reason for the error message "The
> permissions on blah are incorrectly ordered, which may cause some
> entries to be ineffective."
>
> It happens when you use robocopy and force the creation of the target
> directory and there is a CREATOR OWNER or CREATOR GROUP entry in the
> parent object's SD.
>
> It happens, I believe, because the following code in
> se_create_child_secdesc (in master, 3.6.x and 3.5.x) only sets the
> inherited flag on directories if the SD control field of the parent
> (we call it the type) contains SEC_DESC_DACL_AUTO_INHERITED (0x0400).
>
> However, [MS-DTYP].pdf, section 2.4.4.1 (ACE_HEADER) in the subsection
> on AceFlags says:
>
> -----------------------------------------
> INHERITED_ACE: 0x10
>
> Indicates that the ACE was inherited. The system sets this bit when it
> propagates an inherited ACE to a child object.<35>
> -----------------------------------------
>
> The footnote only indicates that the bit is not supported for Windows
> NT 4.0 (and earlier, I imagine :-)
>
> I am going to do a quick check on Windows Server 2008R2 and if Windows
> does not do what Samba does, I will create a bug and submit a patch.

Well, after playing with Windows a bit in this regard, it seems that
Samba does have a bug, but not the bug I thought:

1. Samba's behavior with respect to SEC_DESC_DACL_AUTO_INHERITED is
correct, and Windows behaves the same way, at least with respect to
CREATOR OWNER; however, it seems to include the inherited flag when it
should not:

cc1# smbcacls //localhost/cloudfs /cc1/test1/testit2 -Unimbus-10/administrator%*********
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
REVISION:1
CONTROL:0x8004
OWNER:BUILTIN\Administrators
GROUP:NIMBUS-10\Domain Users
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:NIMBUS-10\test1:ALLOWED/0x0/FULL                   # <------- Note this one nestled in there
ACL:Creator Owner:ALLOWED/OI|CI|IO|I/FULL
ACL:NIMBUS-10\funny-group:ALLOWED/OI|CI|I/READ
ACL:NIMBUS-10\Domain Users:ALLOWED/OI|CI|I/READ

2. While Windows orders the ACEs in the canonical order and Samba
does not, the failure here might be that Samba is allowing
the inherited flag through when it should not.

Still investigating.

As a side issue, it seems that Windows (at least Win 7 and W2K08) does
not set the owner to the person who created the file/folder. They all
end up being owned by NT AUTHORITY\SYSTEM on my Win 7 machine.
However, this is an issue for another day, but is likely to confuse
veteran Windows admins.

-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. -- Cao Cao)
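
An added example, not part of the original message and not Samba's code: a checker that parses the ACL: lines of smbcacls output in the format shown above and reports ACEs that break the Windows canonical DACL order (explicit deny, explicit allow, inherited deny, inherited allow). The sample input is constructed from the listing in the message, and the function names are hypothetical.

```python
import re

# Constructed sample: the ACL lines from the smbcacls listing in the message.
SAMPLE = """\
ACL:BUILTIN\\Administrators:ALLOWED/OI|CI|I/FULL
ACL:NIMBUS-10\\test1:ALLOWED/0x0/FULL
ACL:Creator Owner:ALLOWED/OI|CI|IO|I/FULL
ACL:NIMBUS-10\\funny-group:ALLOWED/OI|CI|I/READ
ACL:NIMBUS-10\\Domain Users:ALLOWED/OI|CI|I/READ
"""

INHERITED_ACE = 0x10  # AceFlags bit quoted from [MS-DTYP] 2.4.4.1 in the message
ACE_RE = re.compile(r"^ACL:(?P<who>.+):(?P<type>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<mask>.+)$")

def parse_aces(text):
    """Return (trustee, type, inherited) for each ACL: line of smbcacls output."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # REVISION, CONTROL, OWNER, GROUP and warning lines
        flags = m.group("flags")
        if flags.lower().startswith("0x"):   # numeric form, e.g. 0x0 or 0x10
            inherited = bool(int(flags, 16) & INHERITED_ACE)
        else:                                # symbolic form, e.g. OI|CI|I
            inherited = "I" in flags.split("|")
        aces.append((m.group("who"), m.group("type"), inherited))
    return aces

def rank(ace_type, inherited):
    """Canonical slot: 0 explicit deny, 1 explicit allow, 2 inherited deny, 3 inherited allow."""
    return (2 if inherited else 0) + (0 if ace_type == "DENIED" else 1)

def out_of_order(aces):
    """Return every ACE that follows an ACE belonging to a later canonical slot."""
    bad, highest = [], -1
    for who, ace_type, inherited in aces:
        r = rank(ace_type, inherited)
        if r < highest:
            bad.append((who, ace_type, inherited))
        highest = max(highest, r)
    return bad

if __name__ == "__main__":
    for who, ace_type, inherited in out_of_order(parse_aces(SAMPLE)):
        print(f"out of canonical order: {who} ({ace_type}, inherited={inherited})")
```

Run against the listing above, it reports only the explicit NIMBUS-10\test1 entry, which sits after an inherited ACE.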

