Fix bug #9588 - ACLs are not inherited to directories for DFS shares.

We can return with NT_STATUS_OK in an error code path. This
has a really strange effect in that it prevents the ACL editor
in Windows XP from recursively changing ACE entries on sub-directories
after a change in a DFS-root share (we end up returning a path
that looks like: \\IPV4\share1\xptest/testdir with a mixture
of Windows and POSIX pathname separators).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Mon Jan 28 13:48:13 CET 2013 on sn-devel-104

diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 4bf7aba34ae5ed2251853f1d52f2b295e46a21eb..5388db9147f32c6b58360cd3d0cb331189dbddb3 100644 (file)
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -1031,6 +1031,19 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
        if (!NT_STATUS_EQUAL(status, NT_STATUS_PATH_NOT_COVERED)) {
                DEBUG(3,("get_referred_path: No valid referrals for path %s\n",
                        dfs_path));
+               if (NT_STATUS_IS_OK(status)) {
+                       /*
+                        * We are in an error path here (we
+                        * know it's not a DFS path), but
+                        * dfs_path_lookup() can return
+                        * NT_STATUS_OK. Ensure we always
+                        * return a valid error code.
+                        *
+                        * #9588 - ACLs are not inherited to directories
+                        *         for DFS shares.
+                        */
+                       status = NT_STATUS_NOT_FOUND;
+               }
                goto err_exit;
        }