Make refusal of SEC_DESC_DACL_PROTECTED configurable

This adds a parameter "gpfs:refuse_dacl_protected" that defaults to false.

GPFS has no place to store the SEC_DESC_DACL_PROTECTED ACL bit. With this
parameter we give customers an option to either ignore this bit or refuse
setting an ACL with it.

diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c
index 25eaa4b62fc506141d3b051bc503985c1991ef15..3660bb2d3a085df2df28dfa0b8bfe1c6dfaa9308 100644 (file)
--- a/source3/modules/vfs_gpfs.c
+++ b/source3/modules/vfs_gpfs.c
@@ -446,7 +446,9 @@ static NTSTATUS gpfsacl_set_nt_acl_internal(files_struct *fsp, uint32 security_i
 
        if (acl->acl_version&GPFS_ACL_VERSION_NFS4)
        {
-               if ((psd->type&SEC_DESC_DACL_PROTECTED)) {
+               if (lp_parm_bool(fsp->conn->params->service, "gpfs",
+                                "refuse_dacl_protected", false)
+                   && (psd->type&SEC_DESC_DACL_PROTECTED)) {
                        DEBUG(2, ("Rejecting unsupported ACL with DACL_PROTECTED bit set\n"));
                        return NT_STATUS_NOT_SUPPORTED;
                }