s3:nfs4acls filter away inheritance flags on files

While it is possible to define inheritance flags on files on Windows, this will
be denied by GPFS and UFS (and potentially others).

So it will be better to strip of these bits when being set for files instead of
failing to set the ACL completely (this is current behavior).

Users that want to retain the full SD will have to use acl_xattr (acl_tdb), as
other pieces of the SD are also lost when translating to NFSv4. So this should
not be a too intrusive change, but allow users to migrate data with such flags
instead of failing to migrate the ACL completely.

diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index cc3480c2e147989b2dbab0d658db9bee11315cbf..b4fd51451f1ebef8a23fb674a5b4192fba2ac90c 100644 (file)
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -592,6 +592,17 @@ static bool smbacl4_fill_ace4(
 
        ace_v4->aceFlags = map_windows_ace_flags_to_nfs4_ace_flags(
                ace_nt->flags);
+
+       /* remove inheritance flags on files */
+       if (VALID_STAT(fsp->fsp_name->st) &&
+           !S_ISDIR(fsp->fsp_name->st.st_ex_mode)) {
+               DEBUG(10, ("Removing inheritance flags from a file\n"));
+               ace_v4->aceFlags &= ~(SMB_ACE4_FILE_INHERIT_ACE|
+                                     SMB_ACE4_DIRECTORY_INHERIT_ACE|
+                                     SMB_ACE4_NO_PROPAGATE_INHERIT_ACE|
+                                     SMB_ACE4_INHERIT_ONLY_ACE);
+       }
+
        ace_v4->aceMask = ace_nt->access_mask &
                (SEC_STD_ALL | SEC_FILE_ALL);