</listitem>
</varlistentry>
+ <varlistentry>
+ <term>zfsacl:map_dacl_protected = [yes|no]</term>
+ <listitem>
+ <para>If enabled and the ZFS ACL on the underlying filesystem does not contain
+ any inherited access control entires, then set the SEC_DESC_DACL_PROTECTED flag
+ on the Security Descriptor returned to SMB clients.
+ This ensures correct Windows client behavior when disabling inheritance on
+ directories.</para>
+
+ <para>Following is the behaviour of Samba for different values : </para>
+ <itemizedlist>
+ <listitem><para><command>yes</command> - Enable mapping to
+ SEC_DESC_DACL_PROTECTED</para></listitem>
+ <listitem><para><command>no (default)</command></para></listitem>
+ </itemizedlist>
+ </listitem>
+ </varlistentry>
+
+
</variablelist>
</refsect1>
struct zfsacl_config_data {
struct smbacl4_vfs_params nfs4_params;
+ bool zfsacl_map_dacl_protected;
bool zfsacl_denymissingspecial;
};
SMB_STRUCT_STAT sbuf;
const SMB_STRUCT_STAT *psbuf = NULL;
int ret;
+ bool inherited_is_present = false;
bool is_dir;
if (VALID_STAT(smb_fname->st)) {
aceprop.aceMask |= SMB_ACE4_DELETE_CHILD;
}
+#ifdef ACE_INHERITED_ACE
+ if (aceprop.aceFlags & ACE_INHERITED_ACE) {
+ inherited_is_present = true;
+ }
+#endif
if(aceprop.aceFlags & ACE_OWNER) {
aceprop.flags = SMB_ACE4_ID_SPECIAL;
aceprop.who.special_id = SMB_ACE4_WHO_OWNER;
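Review bot: When `ACE_INHERITED_ACE` is not defined, the `#ifdef` around this check compiles the detection out. That leaves `inherited_is_present`, declared unconditionally in the earlier hunk, unused, and it makes `zfsacl:map_dacl_protected = yes` a silent no-op. Putting the declaration under the same `#ifdef ACE_INHERITED_ACE` avoids an unused-variable warning on such builds. A message where the option is parsed, under `#ifndef ACE_INHERITED_ACE`, would tell an administrator that the setting is not in effect, for example `DBG_WARNING("zfsacl:map_dacl_protected ignored: ACE_INHERITED_ACE not available\n");`. The enclosing loop starts and ends outside the hunk.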
return NT_STATUS_NO_MEMORY;
}
+#ifdef ACE_INHERITED_ACE
+ if (!inherited_is_present && config->zfsacl_map_dacl_protected) {
+ DBG_DEBUG("Setting SEC_DESC_DACL_PROTECTED on [%s]\n",
+ smb_fname_str_dbg(smb_fname));
+ smbacl4_set_controlflags(pacl,
+ SEC_DESC_DACL_PROTECTED |
+ SEC_DESC_SELF_RELATIVE);
+ }
+#endif
*ppacl = pacl;
return NT_STATUS_OK;
}
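Review bot: The condition `!inherited_is_present && config->zfsacl_map_dacl_protected` treats "no ACE carries ACE_INHERITED_ACE" as proof that inheritance was disabled, and nothing here documents that this is a heuristic. It is also true for an ACL with no entries, and presumably for ACLs written by a path that never sets the flag, such as local tools or NFS; this should be confirmed. Objects reported as protected this way may be skipped by Windows clients when a permission change is propagated from the parent, so a tightened parent ACL might not reach them. I would add a comment above the block such as `/* Heuristic: no ACE has ACE_INHERITED_ACE, so report the DACL as protected; ACLs set outside Samba may also lack the flag. */` and state the same caveat in the manpage entry. The function body starts outside the hunk.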
return -1;
}
+ config->zfsacl_map_dacl_protected = lp_parm_bool(SNUM(handle->conn),
+ "zfsacl", "map_dacl_protected", false);
+
config->zfsacl_denymissingspecial = lp_parm_bool(SNUM(handle->conn),
"zfsacl", "denymissingspecial", false);