RFC - add support for dacl protected to zfsacl

Andrew Walker awalker at ixsystems.com
Sun Oct 21 03:22:21 UTC 2018


The following patch came about because some of our users were complaining
that they could not use the option to replace inherited ACLs with
non-inherited ones via File Explorer.

This is a two-part, fairly trivial fix. I added support for
ACE_INHERITED_ACE to libsunacl 1.0.1 here (so that Samba was actually aware
of the status of the "inherited" bit):
https://github.com/freenas/libsunacl/commit/2be74926024182dbd072e8458e098636c6fd77ce

And the second part was to set the dacl_protected flag if none of the ACEs
in an ACL have the inherited bit set. This second part is what I am
unsure of.  I have not observed ACLs with protected set and an ACE with
permissions inherited from the container, but I have not found concrete
documentation one way or another. The attached patch is sufficient to:

1) get the proper behavior from Windows Explorer
2) allow us to pass "samba-tool ntacl sysvolcheck" when we provision on ZFS
(with additional patches)

Any input about this would be appreciated.

Andrew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vfs_zfsacl patch to set dacl protected if no entries in ACL are inherited.patch
Type: application/octet-stream
Size: 1669 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20181020/8063c9e0/vfs_zfsaclpatchtosetdaclprotectedifnoentriesinACLareinherited.obj>
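The heuristic described in the message (report the DACL as protected when no ACE carries the inherited bit), written out as an added example; this is not the attached patch or Samba's vfs_zfsacl code. `struct demo_ace`, `struct dacl_summary` and `summarize_dacl` are hypothetical names, the flag values are assumed to match Solaris/illumos `<sys/acl.h>` and the NT security descriptor control bits, and treating an empty ACL as protected is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ACE flag bits as in Solaris/illumos <sys/acl.h>; control bit as in NT SDs. */
#define ACE_FILE_INHERIT_ACE      0x0001
#define ACE_DIRECTORY_INHERIT_ACE 0x0002
#define ACE_INHERITED_ACE         0x0080
#define SEC_DESC_DACL_PROTECTED   0x1000

/* Hypothetical reduced ACE: only the flags word matters for this check. */
struct demo_ace { uint16_t flags; };

struct dacl_summary {
    size_t inherited;   /* ACEs carrying ACE_INHERITED_ACE */
    size_t explicit_;   /* ACEs set directly on the object */
    uint16_t control;   /* inferred security descriptor control bits */
};

/* Heuristic from the mail: protected if no ACE has the inherited bit. */
struct dacl_summary summarize_dacl(const struct demo_ace *aces, size_t n)
{
    struct dacl_summary s = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (aces[i].flags & ACE_INHERITED_ACE)
            s.inherited++;
        else
            s.explicit_++;
    }
    /* Assumption: an empty ACL (n == 0) also counts as protected. */
    if (s.inherited == 0)
        s.control |= SEC_DESC_DACL_PROTECTED;
    return s;
}

/* Constructed sample ACLs (flags only). */
static const struct demo_ace explicit_only[] = {
    { ACE_FILE_INHERIT_ACE | ACE_DIRECTORY_INHERIT_ACE }, { 0 } };
static const struct demo_ace mixed[] = {
    { 0 }, { ACE_INHERITED_ACE | ACE_FILE_INHERIT_ACE } };

int main(void)
{
    struct dacl_summary a = summarize_dacl(explicit_only, 2);
    struct dacl_summary b = summarize_dacl(mixed, 2);
    printf("explicit_only: protected=%d\n", !!(a.control & SEC_DESC_DACL_PROTECTED));
    printf("mixed: inherited=%zu protected=%d\n", b.inherited,
           !!(b.control & SEC_DESC_DACL_PROTECTED));
    return 0;
}
```

Because the protected state is inferred from the ACEs rather than stored, a single inherited ACE is enough to make the whole DACL read back as unprotected.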

