Fix bug #9588 - ACLs are not inherited to directories for DFS shares.

We can return with NT_STATUS_OK in an error code path. This
has a really strange effect in that it prevents the ACL editor
in Windows XP from recursively changing ACE entries on sub-directories
after a change in a DFS-root share (we end up returning a path
that looks like: \\IPV4\share1\xptest/testdir with a mixture
of Windows and POSIX pathname separators).

Signed-off-by: Jeremy Allison <jra@samba.org>

diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index b6ebaca1a11e0193a1b3a84e873d1650756db223..ccbd89cb00f1f51cb588f98dacc5dad3a1accd97 100644 (file)
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -1000,6 +1000,19 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
        if (!NT_STATUS_EQUAL(status, NT_STATUS_PATH_NOT_COVERED)) {
                DEBUG(3,("get_referred_path: No valid referrals for path %s\n",
                        dfs_path));
+               if (NT_STATUS_IS_OK(status)) {
+                       /*
+                        * We are in an error path here (we
+                        * know it's not a DFS path), but
+                        * dfs_path_lookup() can return
+                        * NT_STATUS_OK. Ensure we always
+                        * return a valid error code.
+                        *
+                        * #9588 - ACLs are not inherited to directories
+                        *         for DFS shares.
+                        */
+                       status = NT_STATUS_NOT_FOUND;
+               }
                goto err_exit;
        }