[PATCH] SMB2 AAPL create context

Jeremy Allison jra at samba.org
Thu Dec 4 10:05:09 MST 2014


On Tue, Dec 02, 2014 at 07:09:44PM +0100, Ralph Böhme wrote:
> Hi Volker,
> 
> thanks for looking into this!
> 
> On Tue, Dec 02, 2014 at 05:18:15PM +0100, Volker Lendecke wrote:
> > Ok, this looks really nice. If I see it correctly, all the core logic
> > is in vfs_fruit where it belongs IMHO.
> > 
> > I've added a few patches in between. Feel free to squash for the next
> > round.
> 
> done. Updated patchset attached.
> 
> > I would like Jeremy to comment on ignoring the NFS-specific SIDs
> > (S-1-5-88-) when setting ACLs and implicitly changing the semantics.
> 
> As described in an earlier mail: this tries to address the *POSIX* ACL
> roundtripping issue where a client that wants to change the UNIX mode
> by means of the MS NFS ACEs (ie a Mac where eg the user did a chmod
> MODE in terminal), would cause the mode to explode into a set of POSIX
> ACLs.
> 
> As such, set ACL requests containing NFS ACEs are completely ignored in
> the default POSIX ACL code, but in the NFSv4/ZFS VFS code I merely
> ignore the NFS *ACE*s (so just suppressing a diagnostic here).
> 
> Then again the code in vfs_acl_common.c filters out the complete NFS
> ACL, I just couldn't wind my head down into the full semantics of both
> VFS modules acl_xattr and acl_tdb.
> 
> > I don't see another way to do it, but I'd like Mr. Jeremy
> > 'Posix_acl' Allison to take a look.
> > 
> > I'm not sure if it makes sense to further complicate things, and I don't
> > know if it's actually easily possible, but is there a way to make the
> > "s3:smbd: ignore dacls with MS NFS ACEs" behaviour AAPL-negotiated
> > only?
> 
> I guess I should adjust the commit message reflecting in detail what I
> described above (ie completely ignoring the dacl in the case of POSIX
> ACLs, only ignoring the NFS ACEs in the case of NFSv4 and ZFS ACL
> backends).
> 
> > I don't even want to think about dirty global variables (Jeremy,
> > shut up! :-)), but it might make it a bit safer. On the other hand --
> > do we really have a problem when we just return NT_STATUS_OK for a pure
> > acl set when such a SID is around? Any normal client won't do it anyway.
> 
> That was my take. :)

Ralph, I promise to finish review on this by end-of-day
today (4th Dec) Pacific time. In the meantime if you want
this in 4.2.0 can you log a bug making it a feature request
so we've got somewhere to store the 4.2.0 back-port ?

Cheers,

	Jeremy.
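
Added example, not part of the original message or of the Samba patchset: a simplified C model of the two behaviours Ralph describes for set-ACL requests that carry NFS ACEs (SIDs under S-1-5-88-). The types, function names and sample SIDs are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NFS_SID_PREFIX "S-1-5-88-"  /* prefix named in the thread */

/* Hypothetical types for illustration; not Samba's structures. */
enum acl_backend { BACKEND_POSIX, BACKEND_NFSV4_ZFS };
struct ace { const char *sid; };    /* trustee SID in string form only */

/* Constructed sample DACL: ordinary ACE, NFS ACE, near-miss prefix. */
const struct ace sample_dacl[] = {
    { "S-1-5-21-1111-2222-3333-1001" },
    { "S-1-5-88-3-33188" },
    { "S-1-5-880-1" },
};

static bool is_nfs_ace(const struct ace *a)
{
    /* The trailing '-' in the prefix keeps S-1-5-880-... from matching. */
    return strncmp(a->sid, NFS_SID_PREFIX, strlen(NFS_SID_PREFIX)) == 0;
}

/*
 * Decide which ACEs a set-ACL request would store. out[] must hold n entries.
 * Returns the number kept; *ignored is true when the whole DACL is dropped
 * (the thread discusses still reporting success to the client in that case).
 */
size_t filter_dacl(enum acl_backend be, const struct ace *in, size_t n,
                   struct ace *out, bool *ignored)
{
    size_t i, kept = 0;

    *ignored = false;
    for (i = 0; i < n; i++) {
        if (is_nfs_ace(&in[i])) {
            if (be == BACKEND_POSIX) {
                /* POSIX ACL path: ignore the request entirely. */
                *ignored = true;
                return 0;
            }
            continue;   /* NFSv4/ZFS path: skip only the NFS ACE. */
        }
        out[kept++] = in[i];
    }
    return kept;
}
```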

