The branch, v4-18-stable has been updated via 897e67a7cf8 VERSION: Disable GIT_SNAPSHOT for the 4.18.3 release. via f988fcf671d WHATSNEW: Add release notes for Samba 4.18.3. via af9dc206043 smbd: also reset struct stat_ex.cached_dos_attributes in SET_STAT_INVALID() via 09ea170e3b4 smbd: zero intialize SMB_STRUCT_STAT in vfswrap_readdir() via 5865388ede8 CI: add a test that checks the dosmode of symlinks via 6dfa2252fd3 vfs_fruit: add fruit:convert_adouble parameter via 5c5ab78d93d vfs_fruit: just log failing AppleDouble conversion via 0db5f559d0e libadouble: allow FILE_SHARE_DELETE in ad_convert_xattr() via fe988c71379 vfs_fruit: never return AFP_Resource stream for directories via 051cd8f5915 vfs_fruit: return ENOENT instead of EISDIR when trying to open AFP_Resource for a directory via 976b4955570 CI: add a test for fruit AppleDouble conversion when deletion triggers conversion via a22173a745e rpc_server3: Pass winbind_env_set() state through to rpcd_* via faa507637e5 lib: Add security_token_del_npa_flags() helper function via ec0c93199b9 rpc: Remove named_pipe_auth_req_info6->need_idle_server via e92fb837630 rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle" via e46af7b3322 named_pipe_auth: Bump info5 to info6 via 5a09eaf01ac rpc: Add global_sid_Samba_NPA_Flags SID via 40378826afb librpc: Simplify dcerpc_is_transport_encrypted() via dc2606e10e1 smbd: Use security_token_count_flag_sids() in open_np_file() via 8ed6bbcb555 libcli: Add security_token_count_flag_sids() via 74449f2afcc samba-tool domain: Run in interactive mode if no args are supplied via cae050cf785 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms via 0f1dbe552dc winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users via 97c9f812fa9 winbind: Test wbinfo -u with more than 1000 users via 128a80758fd s3:locking: fix debug level for NT_STATUS_NOT_FOUND messanges in get_static_share_mode_data via 1ace31bc878 dsgetdcname: do not assume local system uses IPv4 via 
49777b08ac2 s3:lib: Do not try to match '.' and '..' directories in is_in_path() via c09c3f8e38a s3:tests: Add test that veto files works for hidden files via a26cbb56b5b s3:tests: Create a temporary directory for test_veto_files.sh via 2a20fbdbd78 libcli/security: rewrite calculate_inherited_from_parent() via c4f24bac692 VERSION: Bump version up to Samba 4.18.3... from 4f9b36a6156 VERSION: Disable GIT_SNAPSHOT for the 4.18.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 65 +- docs-xml/manpages/vfs_fruit.8.xml | 13 + libcli/named_pipe_auth/npa_tstream.c | 144 ++-- libcli/named_pipe_auth/npa_tstream.h | 4 +- libcli/security/create_descriptor.c | 247 +++++-- libcli/security/dom_sid.h | 4 + libcli/security/security_token.c | 36 + libcli/security/security_token.h | 9 + libcli/security/util_sid.c | 7 + librpc/idl/named_pipe_auth.idl | 9 +- librpc/rpc/dcerpc_helper.c | 32 +- librpc/rpc/dcesrv_core.c | 17 + librpc/rpc/dcesrv_core.h | 1 + python/samba/netcmd/domain.py | 2 +- selftest/target/Samba3.pm | 4 + source3/include/proto.h | 3 + source3/include/smb_macros.h | 5 +- source3/lib/adouble.c | 2 +- source3/lib/util.c | 5 + source3/lib/util_sid.c | 34 + source3/librpc/idl/rpc_host.idl | 2 +- source3/libsmb/dsgetdcname.c | 49 +- source3/locking/share_mode_lock.c | 2 +- source3/modules/vfs_default.c | 2 +- source3/modules/vfs_fruit.c | 48 +- source3/rpc_client/local_np.c | 105 ++- source3/rpc_server/rpc_host.c | 115 +-- source3/rpc_server/rpc_worker.c | 112 +-- source3/script/tests/test_symlink_dosmode.sh | 74 ++ source3/script/tests/test_veto_files.sh | 35 +- source3/script/tests/test_wbinfo_u_large_ad.sh | 28 + source3/selftest/tests.py | 4 + source3/smbd/smb2_pipes.c | 23 +- source3/winbindd/winbindd_samr.c | 102 +-- source4/selftest/tests.py | 5 + source4/torture/vfs/fruit.c | 954 +++++++++++++++++++++++++ 37 files changed, 1934 insertions(+), 371 deletions(-) create mode 100755 source3/script/tests/test_symlink_dosmode.sh create mode 100755 source3/script/tests/test_wbinfo_u_large_ad.sh Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 8ee63d62b28..93ebe2430aa 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=18 -SAMBA_VERSION_RELEASE=2 +SAMBA_VERSION_RELEASE=3 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index bfad04cbde0..01c121a8e48 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,65 @@ + ============================== + Release Notes for Samba 4.18.3 + May 31, 2023 + ============================== + + +This is the latest stable release of the Samba 4.18 release series. + + +Changes since 4.18.2 +-------------------- + +o Ralph Boehme <s...@samba.org> + * BUG 15375: Symlinks to files can have random DOS mode information in a + directory listing. + * BUG 15378: vfs_fruit might cause a failing open for delete. + +o Volker Lendecke <v...@samba.org> + * BUG 15361: winbind recurses into itself via rpcd_lsad. + * BUG 15366: wbinfo -u fails on ad dc with >1000 users. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15338: DS ACEs might be inherited to unrelated object classes. + * BUG 15362: a lot of messages: get_static_share_mode_data: + get_static_share_mode_data_fn failed: NT_STATUS_NOT_FOUND. + * BUG 15374: aes256 smb3 encryption algorithms are not allowed in + smb3_sid_parse(). + +o Andreas Schneider <a...@samba.org> + * BUG 15360: Setting veto files = /.*/ break listing directories. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15363: "samba-tool domain provision" does not run interactive mode if + no arguments are given. + +o Nathaniel W. Turner <ntur...@exagrid.com> + * BUG 15325: dsgetdcname: assumes local system uses IPv4. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). 
+ + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.18.2 April 19, 2023 @@ -70,8 +132,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.18.1 March 29, 2023 diff --git a/docs-xml/manpages/vfs_fruit.8.xml b/docs-xml/manpages/vfs_fruit.8.xml index 6950898a7d1..2215f031312 100644 --- a/docs-xml/manpages/vfs_fruit.8.xml +++ b/docs-xml/manpages/vfs_fruit.8.xml @@ -406,6 +406,19 @@ </listitem> </varlistentry> + <varlistentry> + <term>fruit:convert_adouble = yes | no</term> + <listitem> + <para>Whether an attempt shall be made to convert ._ AppleDouble + sidecar files to native streams (xattrs when using + vfs_streams_xattr). The main use case for this conversion is + transparent migration from a server config without streams support + where the macOS client created those AppleDouble sidecar + files.</para> + <para>The default is <emphasis>yes</emphasis>.</para> + </listitem> + </varlistentry> + </variablelist> </refsect1> diff --git a/libcli/named_pipe_auth/npa_tstream.c b/libcli/named_pipe_auth/npa_tstream.c index 506c4a35681..f84440fe755 100644 --- a/libcli/named_pipe_auth/npa_tstream.c +++ b/libcli/named_pipe_auth/npa_tstream.c 
@@ -73,7 +73,7 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx, int ret; enum ndr_err_code ndr_err; char *lower_case_npipe; - struct named_pipe_auth_req_info5 *info5; + struct named_pipe_auth_req_info7 *info7; req = tevent_req_create(mem_ctx, &state, struct tstream_npa_connect_state); 
@@ -119,39 +119,43 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx, goto post; } - state->auth_req.level = 5; - info5 = &state->auth_req.info.info5; + state->auth_req.level = 7; + info7 = &state->auth_req.info.info7; - info5->transport = transport; - SMB_ASSERT(info5->transport == transport); /* Assert no overflow */ + info7->transport = transport; + SMB_ASSERT(info7->transport == transport); /* Assert no overflow */ - info5->remote_client_name = remote_client_name_in; - info5->remote_client_addr = tsocket_address_inet_addr_string(remote_client_addr, - state); - if (!info5->remote_client_addr) { + info7->remote_client_name = remote_client_name_in; + info7->remote_client_addr = + tsocket_address_inet_addr_string(remote_client_addr, state); + if (!info7->remote_client_addr) { /* errno might be EINVAL */ tevent_req_error(req, errno); goto post; } - info5->remote_client_port = tsocket_address_inet_port(remote_client_addr); - if (!info5->remote_client_name) { - info5->remote_client_name = info5->remote_client_addr; + info7->remote_client_port = + tsocket_address_inet_port(remote_client_addr); + if (!info7->remote_client_name) { + info7->remote_client_name = info7->remote_client_addr; } - info5->local_server_name = local_server_name_in; - info5->local_server_addr = tsocket_address_inet_addr_string(local_server_addr, - state); - if (!info5->local_server_addr) { + info7->local_server_name = local_server_name_in; + info7->local_server_addr = + tsocket_address_inet_addr_string(local_server_addr, state); + if (!info7->local_server_addr) { /* errno might be EINVAL */ tevent_req_error(req, errno); goto post; } - info5->local_server_port = tsocket_address_inet_port(local_server_addr); - if (!info5->local_server_name) { - info5->local_server_name = info5->local_server_addr; + info7->local_server_port = + tsocket_address_inet_port(local_server_addr); + if (!info7->local_server_name) { + info7->local_server_name = info7->local_server_addr; } - info5->session_info 
= discard_const_p(struct auth_session_info_transport, session_info); + info7->session_info = + discard_const_p(struct auth_session_info_transport, + session_info); if (DEBUGLVL(10)) { NDR_PRINT_DEBUG(named_pipe_auth_req, &state->auth_req); @@ -348,10 +352,10 @@ int _tstream_npa_connect_recv(struct tevent_req *req, npas->unix_stream = talloc_move(stream, &state->unix_stream); switch (state->auth_rep.level) { - case 5: - npas->file_type = state->auth_rep.info.info5.file_type; - device_state = state->auth_rep.info.info5.device_state; - allocation_size = state->auth_rep.info.info5.allocation_size; + case 7: + npas->file_type = state->auth_rep.info.info7.file_type; + device_state = state->auth_rep.info.info7.device_state; + allocation_size = state->auth_rep.info.info7.allocation_size; break; } @@ -1084,7 +1088,7 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq) tevent_req_data(req, struct tstream_npa_accept_state); struct named_pipe_auth_req *pipe_request; struct named_pipe_auth_rep pipe_reply; - struct named_pipe_auth_req_info5 i5; + struct named_pipe_auth_req_info7 i7; enum ndr_err_code ndr_err; DATA_BLOB in, out; int err; 
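Review bot: The switch on state->auth_rep.level in the @@ -348 hunk of _tstream_npa_connect_recv has no default case, so a reply carrying any level other than 7 (a downlevel peer still answering with level 5, or the level 0 that the accept side sends together with NT_STATUS_INVALID_LEVEL) leaves npas->file_type, device_state and allocation_size at whatever they held before the switch. If the status check earlier in the function (outside this hunk) does not already reject such replies, an explicit `default:` branch that fails the call, e.g. `default: *perrno = EINVAL; tevent_req_received(req); return -1;` in the function's own error convention, would make a level mismatch visible instead of silently using stale values. The function starts and ends outside the hunk, so the surrounding checks cannot be confirmed from here.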
@@ -1147,53 +1151,59 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq) NDR_PRINT_DEBUG(named_pipe_auth_req, pipe_request); } - ZERO_STRUCT(i5); + ZERO_STRUCT(i7); - if (pipe_request->level != 5) { + if (pipe_request->level != 7) { DEBUG(0, ("Unknown level %u\n", pipe_request->level)); pipe_reply.level = 0; pipe_reply.status = NT_STATUS_INVALID_LEVEL; goto reply; } - pipe_reply.level = 5; + pipe_reply.level = 7; pipe_reply.status = NT_STATUS_OK; - pipe_reply.info.info5.file_type = state->file_type; - pipe_reply.info.info5.device_state = state->device_state; - pipe_reply.info.info5.allocation_size = state->alloc_size; + pipe_reply.info.info7.file_type = state->file_type; + pipe_reply.info.info7.device_state = state->device_state; + pipe_reply.info.info7.allocation_size = state->alloc_size; - i5 = pipe_request->info.info5; - if (i5.local_server_addr == NULL) { + i7 = pipe_request->info.info7; + if (i7.local_server_addr == NULL) { pipe_reply.status = NT_STATUS_INVALID_ADDRESS; DEBUG(2, ("Missing local server address\n")); goto reply; } - if (i5.remote_client_addr == NULL) { + if (i7.remote_client_addr == NULL) { pipe_reply.status = NT_STATUS_INVALID_ADDRESS; DEBUG(2, ("Missing remote client address\n")); goto reply; } - ret = tsocket_address_inet_from_strings(state, "ip", - i5.local_server_addr, - i5.local_server_port, + ret = tsocket_address_inet_from_strings(state, + "ip", + i7.local_server_addr, + i7.local_server_port, &state->local_server_addr); if (ret != 0) { - DEBUG(2, ("Invalid local server address[%s:%u] - %s\n", - i5.local_server_addr, i5.local_server_port, - strerror(errno))); + DEBUG(2, + ("Invalid local server address[%s:%u] - %s\n", + i7.local_server_addr, + i7.local_server_port, + strerror(errno))); pipe_reply.status = NT_STATUS_INVALID_ADDRESS; goto reply; } - ret = tsocket_address_inet_from_strings(state, "ip", - i5.remote_client_addr, - i5.remote_client_port, + ret = tsocket_address_inet_from_strings(state, + "ip", + 
i7.remote_client_addr, + i7.remote_client_port, &state->remote_client_addr); if (ret != 0) { - DEBUG(2, ("Invalid remote client address[%s:%u] - %s\n", - i5.remote_client_addr, i5.remote_client_port, - strerror(errno))); + DEBUG(2, + ("Invalid remote client address[%s:%u] - %s\n", + i7.remote_client_addr, + i7.remote_client_port, + strerror(errno))); pipe_reply.status = NT_STATUS_INVALID_ADDRESS; goto reply; } @@ -1249,14 +1259,15 @@ static void tstream_npa_accept_existing_done(struct tevent_req *subreq) tevent_req_done(req); } -static struct named_pipe_auth_req_info5 *copy_npa_info5( - TALLOC_CTX *mem_ctx, const struct named_pipe_auth_req_info5 *src) +static struct named_pipe_auth_req_info7 * +copy_npa_info7(TALLOC_CTX *mem_ctx, + const struct named_pipe_auth_req_info7 *src) { - struct named_pipe_auth_req_info5 *dst = NULL; + struct named_pipe_auth_req_info7 *dst = NULL; DATA_BLOB blob; enum ndr_err_code ndr_err; - dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info5); + dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info7); if (dst == NULL) { return NULL; } @@ -1265,9 +1276,9 @@ static struct named_pipe_auth_req_info5 *copy_npa_info5( &blob, dst, src, - (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info5); + (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info7); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DBG_WARNING("ndr_push_named_pipe_auth_req_info5 failed: %s\n", + DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n", ndr_errstr(ndr_err)); TALLOC_FREE(dst); return NULL; @@ -1277,10 +1288,10 @@ static struct named_pipe_auth_req_info5 *copy_npa_info5( &blob, dst, dst, - (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info5); + (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info7); TALLOC_FREE(blob.data); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DBG_WARNING("ndr_push_named_pipe_auth_req_info5 failed: %s\n", + DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n", ndr_errstr(ndr_err)); TALLOC_FREE(dst); return NULL; 
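Review bot: The `if (pipe_request->level != 7)` gate in the @@ -1147 hunk is what keeps a request from a peer still speaking level 5 from being read as an info7 structure, and its diagnostic, `DEBUG(0, ("Unknown level %u\n", pipe_request->level));`, does not say which level this build accepts. Because the commit changes the wire level, a mixed-version smbd/rpcd deployment during an upgrade will land on this path, and naming the expected value, `DEBUG(0, ("Unknown level %u, expected 7\n", pipe_request->level));`, lets an operator tell a version skew from a corrupted request using the log alone. tstream_npa_accept_existing_reply begins before the hunk.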
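Review bot: The warning in the @@ -1277 hunk of copy_npa_info7 still reads `ndr_push_named_pipe_auth_req_info7 failed` although it sits after the ndr_pull_struct_blob() call that uses ndr_pull_named_pipe_auth_req_info7; the info5-to-info7 rename carried the copy-paste from the push branch over instead of fixing it. It should read `DBG_WARNING("ndr_pull_named_pipe_auth_req_info7 failed: %s\n",` so a failing round-trip copy is attributed to the right step when it is investigated. copy_npa_info7 starts in the @@ -1249 hunk and continues past the end of this one.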
@@ -1294,7 +1305,7 @@ int _tstream_npa_accept_existing_recv( int *perrno, TALLOC_CTX *mem_ctx, struct tstream_context **stream, - struct named_pipe_auth_req_info5 **info5, + struct named_pipe_auth_req_info7 **info7, enum dcerpc_transport_t *transport, struct tsocket_address **remote_client_addr, char **_remote_client_name, @@ -1305,7 +1316,8 @@ int _tstream_npa_accept_existing_recv( { struct tstream_npa_accept_state *state = tevent_req_data(req, struct tstream_npa_accept_state); - struct named_pipe_auth_req_info5 *i5 = &state->pipe_request->info.info5; + struct named_pipe_auth_req_info7 *i7 = + &state->pipe_request->info.info7; struct tstream_npa *npas; int ret; @@ -1346,24 +1358,24 @@ int _tstream_npa_accept_existing_recv( npas->unix_stream = state->plain; npas->file_type = state->file_type; - if (info5 != NULL) { + if (info7 != NULL) { /* - * Make a full copy of "info5" because further down we + * Make a full copy of "info7" because further down we * talloc_move() away substructures from * state->pipe_request. */ - struct named_pipe_auth_req_info5 *dst = copy_npa_info5( - mem_ctx, i5); + struct named_pipe_auth_req_info7 *dst = + copy_npa_info7(mem_ctx, i7); if (dst == NULL) { *perrno = ENOMEM; tevent_req_received(req); return -1; } - *info5 = dst; + *info7 = dst; } if (transport != NULL) { - *transport = i5->transport; + *transport = i7->transport; } if (remote_client_addr != NULL) { *remote_client_addr = talloc_move( @@ -1371,7 +1383,8 @@ int _tstream_npa_accept_existing_recv( } if (_remote_client_name != NULL) { *_remote_client_name = discard_const_p( - char, talloc_move(mem_ctx, &i5->remote_client_name)); + char, + talloc_move(mem_ctx, &i7->remote_client_name)); } if (local_server_addr != NULL) { *local_server_addr = talloc_move( 
@@ -1379,10 +1392,11 @@ int _tstream_npa_accept_existing_recv( } if (local_server_name != NULL) { *local_server_name = discard_const_p( - char, talloc_move(mem_ctx, &i5->local_server_name)); + char, + talloc_move(mem_ctx, &i7->local_server_name)); } if (session_info != NULL) { - *session_info = talloc_move(mem_ctx, &i5->session_info); + *session_info = talloc_move(mem_ctx, &i7->session_info); } tevent_req_received(req); diff --git a/libcli/named_pipe_auth/npa_tstream.h b/libcli/named_pipe_auth/npa_tstream.h index 1d7e93dc0fa..ebb6d16e428 100644 --- a/libcli/named_pipe_auth/npa_tstream.h +++ b/libcli/named_pipe_auth/npa_tstream.h @@ -27,7 +27,7 @@ struct tevent_req; struct tevent_context; struct auth_session_info_transport; struct tsocket_address; -struct named_pipe_auth_req_info5; +struct named_pipe_auth_req_info7; struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -114,7 +114,7 @@ int _tstream_npa_accept_existing_recv( int *perrno, TALLOC_CTX *mem_ctx, struct tstream_context **stream, - struct named_pipe_auth_req_info5 **info5, + struct named_pipe_auth_req_info7 **info7, enum dcerpc_transport_t *transport, struct tsocket_address **remote_client_addr, char **_remote_client_name, diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c index ef60d847033..947d6c19d58 100644 --- a/libcli/security/create_descriptor.c +++ b/libcli/security/create_descriptor.c @@ -78,7 +78,7 @@ uint32_t map_generic_rights_ds(uint32_t access_mask) /* Not sure what this has to be, * and it does not seem to have any influence */ -static bool object_in_list(struct GUID *object_list, struct GUID *object) +static bool object_in_list(const struct GUID *object_list, const struct GUID *object) { size_t i; 
@@ -107,7 +107,7 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object) /* returns true if the ACE gontains generic information * that needs to be processed additionally */ -static bool desc_ace_has_generic(struct security_ace *ace) +static bool desc_ace_has_generic(const struct security_ace *ace) { if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ || ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) { @@ -155,12 +155,114 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, } for (i=0; i < acl->num_aces; i++) { - struct security_ace *ace = &acl->aces[i]; - if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) || - (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { - struct GUID inherited_object = GUID_zero(); + const struct security_ace *ace = &acl->aces[i]; + const struct GUID *inherited_object = NULL; + const struct GUID *inherited_property = NULL; + struct security_ace *tmp_ace = NULL; + bool applies = false; + bool inherited_only = false; + bool expand_ace = false; + bool expand_only = false; + + if (is_container && (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) { + applies = true; + } else if (!is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { + applies = true; + } + + if (!applies) { + /* + * If the ace doesn't apply to the + * current node, we should only keep + * it as SEC_ACE_FLAG_OBJECT_INHERIT + * on a container. We'll add + * SEC_ACE_FLAG_INHERITED_ACE + * and SEC_ACE_FLAG_INHERIT_ONLY below. + * + * Otherwise we should completely ignore it. + */ + if (!(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { + continue; + } + } + -- Samba Shared Repository