The autobuild test system (on sn-devel-104) has detected an intermittent failing test in the current master tree.
The autobuild log of the failure is available here: http://git.samba.org/autobuild.flakey.sn-devel-104/2016-07-19-1204/flakey.log The samba build logs are available here: http://git.samba.org/autobuild.flakey.sn-devel-104/2016-07-19-1204/samba.stderr http://git.samba.org/autobuild.flakey.sn-devel-104/2016-07-19-1204/samba.stdout The top commit at the time of the failure was: commit 961c4b591bb102751079d9cc92d7aa1c37f1958c Author: Ralph Boehme <[email protected]> Date: Fri Jul 15 17:48:19 2016 +0200 vfs_acl_xattr: objects without NT ACL xattr Even with "ignore system acls" set to "yes", for objects without NT ACL xattr we use the underlying filesystem permissions to construct an NT ACL. This can result in *very* unexpected permissions, eg: - a directory with the following ACL: $ ./bin/smbcacls -Uslow%pass //localhost/normal "" REVISION:1 CONTROL:SR|DP OWNER:SLOW\slow GROUP:Unix Group\root ACL:SLOW\slow:ALLOWED/0x0/FULL So only one non-inheritable(!) ACE. - creating a subdirectory: $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir1" - checking whether there's an ACL xattr: $ getfattr -m "" /Volumes/normal/dir1 getfattr: Removing leading '/' from absolute path names system.posix_acl_access system.posix_acl_default user.DOSATTRIB So there isn't an ACL xattr, because there where no inheritable ACEs on the parent folder. - reading the new subdirectories ACL: $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir1" REVISION:1 CONTROL:SR|DP OWNER:SLOW\slow GROUP:Unix Group\slow ACL:SLOW\slow:ALLOWED/0x0/FULL ACL:Unix Group\slow:ALLOWED/0x0/READ ACL:Everyone:ALLOWED/0x0/READ ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL The ACES for "SLOW\slow", "Unix Group\slow" and "Everyone" are coming from the underlying filesystem. This is the problem. - Windows assigns the following ACL in this situation: $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir" REVISION:1 CONTROL:SR|PD|DI|DP OWNER:VORDEFINIERT\Administratoren GROUP:WIN2008R2\Domänen-Benutzer ACL:WIN2008R2\Administrator:ALLOWED/0x0/FULL $ ./bin/smbclient -UAdministrator%Passw0rd //10.10.10.14/data -c "mkdir dir\dir1" $ ./bin/smbcacls -UAdministrator%Passw0rd //10.10.10.14/data "dir\dir1" REVISION:1 CONTROL:SR|DI|DP OWNER:VORDEFINIERT\Administratoren GROUP:WIN2008R2\Domänen-Benutzer ACL:VORDEFINIERT\Administratoren:ALLOWED/0x0/FULL ACL:NT-AUTORITÃT\SYSTEM:ALLOWED/0x0/FULL By changing make_default_filesystem_acl() to only adds user and system ACE to the ACL of objects that lack an ACL xattr, we match Windows behaviour: $ ./bin/smbclient -Uslow%pass //localhost/normal -c "mkdir dir2" $ ./bin/smbcacls -Uslow%pass //localhost/normal "dir2" REVISION:1 CONTROL:SR|DP OWNER:SLOW\slow GROUP:Unix Group\slow ACL:SLOW\slow:ALLOWED/0x0/FULL ACL:NT Authority\SYSTEM:ALLOWED/0x0/FULL Bug: https://bugzilla.samba.org/show_bug.cgi?id=12028 Signed-off-by: Ralph Boehme <[email protected]> Reviewed-by: Jeremy Allison <[email protected]> Autobuild-User(master): Ralph Böhme <[email protected]> Autobuild-Date(master): Tue Jul 19 10:22:05 CEST 2016 on sn-devel-144
