[Samba] map acl inherit stopped working

Wed Oct 21 17:36:11 MDT 2009

On Wed, Oct 21, 2009 at 04:12:58PM +0200, Peter Rindfuss wrote:
> On 2009-10-19 23:04, Jeremy Allison wrote:
>> On Sat, Oct 17, 2009 at 12:40:10AM +0200, Peter Rindfuss wrote:
>>> Hi,
>>>
>>> It seems that at some point "map acl inherit = yes" stopped working for
>>> me. I now have Samba 3.4.2, but this problem started with an earlier
>>> version, possibly some 3.2.x or 3.3.x. No SAMBA_PAI extended attributes
>>> are created anymore, but existing ones are still honored.
>>>
>>> OS is Suse 11.0, file system is XFS.
>>>
>>> What could be wrong?
>>
>> Not sure, can you log a bug and upload logs please ?
>>
>
> Hi Jeremy,
>
> I will file a bug, if necessary, but perhaps my further investigations  
> can help.
>
> My statement "no SAMBA_PAI extended attributes are created anymore" is  
> wrong, I apologize. But it is interesting what really happens to 
> SAMBA_PAI:
>
> I looked at an old existing folder:
> Windows security tab shows that rights are inherited from the folder  
> above. SAMBA_PAI is
> 0x010003000300009a7500000151c3000002ffffffff009a7500000151c3000002ffffffff
>
> When I remove and (try to) set inheritance again, SAMBA_PAI becomes
> 0x02048d0300030000009a750000000151c300000302ffffffff0b009a7500000b0151c300000302ffffffff
> and inheritance is gone, same as if SAMBA_PAI were not there at all.
>
> When I manually set SAMBA_PAI to the first value, inherited rights are  
> back there again.

I'm guessing this is the version 1 to version 2 upgrade.
(From posix_acls.c)

/*
 * EA format of user.SAMBA_PAI (Samba_Posix_Acl_Interitance)
 * attribute on disk - version 1.
 * All values are little endian.
 *
 * |  1   |  1   |   2         |         2           |  ....
 * +------+------+-------------+---------------------+-------------+--------------------+
 * | vers | flag | num_entries | num_default_entries | ..entries.. |
 * default_entries... |
 * +------+------+-------------+---------------------+-------------+--------------------+
 *
 * Entry format is :
 *
 * |  1   |       4           |
 * +------+-------------------+
 * | value|  uid/gid or world |
 * | type |  value            |
 * +------+-------------------+
 *
 * Version 2 format. Stores extra Windows metadata about an ACL.
 *
 * |  1   |  2       |   2         |         2           |  ....
 * +------+----------+-------------+---------------------+-------------+--------------------+
 * | vers | ace      | num_entries | num_default_entries | ..entries.. |
 * default_entries... |
 * |   2  |  type    |             |                     |             |
 * |
 * +------+----------+-------------+---------------------+-------------+--------------------+
 *
 * Entry format is :
 *
 * |  1   |  1   |       4           |
 * +------+------+-------------------+
 * | ace  | value|  uid/gid or world |
 * | flag | type |  value            |
 * +------+-------------------+------+
 *

Jeremy.