[PATCH] Fix for XDR Backend of NFS4ACL_XATTR module to get it working with NFS4.0 ACL Spec

Sandeep Nashikkar snashikkar at commvault.com
Mon Nov 26 12:40:14 UTC 2018

On Fri, 03 September, 2018 at 14:18 IST Andrew Bartlett via samba-technical wrote:
> > On Mon, 2018-09-03 at 08:33 +0000, Sandeep Nashikkar via samba-technical wrote:
> > Hi Jeremy,
> > 
> > Can we move the patch for next review? Let me know if there are any 
> > more suggestions.
> > BTW, I have another fix for smbacl4_fill_ace4() in 
> > "source3/modules/nfs4_acls.c"
> > When we convert SID to uid/gid, we do not check if the type of SID is 
> > If the sid_to_uid as well as sid_to_gid return success, we end up 
> > wrongly setting SMB_ACE4_IDENTIFIER_GROUP in the SMB_ACE4PROP_T. Please 
> > let me know if I need to submit a separate patch for this fix or shall I 
> > update the same ACL plugin patch for that fix?

> This is deliberate, to cope with SIDs that map to both a UID and GID (IDMAP_TYPE_BOTH), which in turn is trying to eventually support sidHistory entries properly, as well as trusted domains and other things where telling if a SID is exactly a user or group is difficult/impossible.

> Andrew Bartlett

Hi Andrew, 

What if we split such an ACE into two? We add 2 NFS4 ACEs in smbacl4_win2nfs4 if we determine that the SID maps to both uid and gid in the call to smbacl4_fill_ace4? Only one ACE will have the SMB_ACE4_IDENTIFIER_GROUP bit set in aceFlags. Will that work in the other environments you are talking about? I tested the fix for basic cases and it worked for the domain user access case.
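
The split proposed in the message above, modelled as an added C example; it is not part of the original e-mail and not Samba code. The `sid_map`, `nfs4_ace` and `expand_ace` names are hypothetical, and only the `ACE4_IDENTIFIER_GROUP` value comes from the NFSv4 ACL definition.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ACE4_IDENTIFIER_GROUP flag value from the NFSv4 ACL definition (RFC 7530). */
#define ACE4_IDENTIFIER_GROUP 0x00000040u

/* Hypothetical result of an ID-mapping lookup for one SID. */
enum map_kind { MAP_NONE, MAP_UID, MAP_GID, MAP_BOTH };
struct sid_map {
    enum map_kind kind;
    uint32_t uid;   /* valid for MAP_UID and MAP_BOTH */
    uint32_t gid;   /* valid for MAP_GID and MAP_BOTH */
};

/* Simplified NFSv4 ACE: numeric principal plus type, flags and mask. */
struct nfs4_ace { uint32_t type, flags, mask, id; };

/*
 * Expand one Windows ACE into NFSv4 ACEs. Returns the number written to
 * out[] (0, 1 or 2). A MAP_BOTH SID yields a user ACE followed by a group
 * ACE; only the group ACE carries ACE4_IDENTIFIER_GROUP. A return of 0
 * means the SID did not map and the caller must decide what to do.
 */
size_t expand_ace(const struct sid_map *m, uint32_t type, uint32_t flags,
                  uint32_t mask, struct nfs4_ace out[2])
{
    size_t n = 0;
    /* Derive the group bit from the mapping, never from the input flags. */
    flags &= ~ACE4_IDENTIFIER_GROUP;
    if (m->kind == MAP_UID || m->kind == MAP_BOTH)
        out[n++] = (struct nfs4_ace){ type, flags, mask, m->uid };
    if (m->kind == MAP_GID || m->kind == MAP_BOTH)
        out[n++] = (struct nfs4_ace){ type, flags | ACE4_IDENTIFIER_GROUP,
                                      mask, m->gid };
    return n;
}

int main(void)
{
    struct sid_map both = { MAP_BOTH, 1000, 1000 };  /* constructed sample */
    struct nfs4_ace out[2];
    size_t n = expand_ace(&both, 0, 0, 0x1, out);
    for (size_t i = 0; i < n; i++)
        printf("ace %zu: id=%u flags=0x%x mask=0x%x\n", i,
               (unsigned)out[i].id, (unsigned)out[i].flags, (unsigned)out[i].mask);
    return 0;
}
```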
