s3:smbd: ignore dacls with MS NFS ACEs
authorRalph Boehme <slow@samba.org>
Wed, 26 Nov 2014 17:01:37 +0000 (18:01 +0100)
committerJeremy Allison <jra@samba.org>
Thu, 4 Dec 2014 21:11:08 +0000 (22:11 +0100)
Ignore NFS ACEs in code that modifies
* default POSIX ACLs
* VFS: NFSv4 ACLs
* VFS: xattr and tdb ACLs

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/modules/nfs4_acls.c
source3/modules/vfs_acl_common.c
source3/smbd/posix_acls.c

index cf61af90c5f0d05492997dd25fe756cbc7fd057d..1aa819a34f92a35ff38d63a1809f86450dc6a983 100644 (file)
@@ -778,6 +778,9 @@ static bool smbacl4_fill_ace4(
                        ace_v4->who.gid = gid;
                } else if (sid_to_uid(&ace_nt->trustee, &uid)) {
                        ace_v4->who.uid = uid;
+               } else if (dom_sid_compare_domain(&ace_nt->trustee,
+                                                 &global_sid_Unix_NFS) == 0) {
+                       return false;
                } else {
                        DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
                                  "convert %s to uid or gid\n",
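Review bot: The MS NFS check in smbacl4_fill_ace4 is reached only after the uid/gid lookups on the trustee (`sid_to_uid` is visible in the hunk) have failed, so whether such an ACE is ignored depends on id mapping never resolving a SID in that domain; this is inferred, since the mapping code is not shown here. Testing `dom_sid_compare_domain(&ace_nt->trustee, &global_sid_Unix_NFS) == 0` ahead of the lookups would make the skip unconditional and save the lookup. The new branch is also the only one of the three changes without a comment; something like `/* MS NFS ACE from a client chmod(), not a mappable trustee: skip it */` would explain the silent `return false`. The function starts and ends outside the hunk.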
index b749157ef3d672d305d4599c247586964951a7c5..920c811de5e57494ab84a1f6d9a2e5ee31d072f1 100644 (file)
@@ -775,6 +775,15 @@ static NTSTATUS fset_nt_acl_common(vfs_handle_struct *handle, files_struct *fsp,
                psd->group_sid = orig_psd->group_sid;
        }
        if (security_info_sent & SECINFO_DACL) {
+               if (security_descriptor_with_ms_nfs(orig_psd)) {
+                       /*
+                        * If the sd contains a MS NFS SID, do
+                        * nothing, it's a chmod() request from OS X
+                        * with AAPL context.
+                        */
+                       TALLOC_FREE(frame);
+                       return NT_STATUS_OK;
+               }
                psd->dacl = orig_psd->dacl;
                psd->type |= SEC_DESC_DACL_PRESENT;
        }
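Review bot: The early `return NT_STATUS_OK` inside the `SECINFO_DACL` branch abandons the whole request, not just its DACL part: the owner and group SIDs copied into `psd` just above are, as far as the hunk shows, never applied, yet the client is told the call succeeded. Because the decision rests on a SID the client supplies, a request meant to tighten permissions can be reported as done while the stored ACL stays unchanged; the early return added to set_nt_acl in posix_acls.c behaves the same way. I would at least leave a trace, e.g. `DEBUG(10, ("ignoring DACL with MS NFS ACE\n"));` before `TALLOC_FREE(frame);`, and consider skipping only the DACL assignment instead of returning. fset_nt_acl_common starts and ends outside the hunk.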
index 126b822439a448676110b8c06487d996369083a6..6a5ec859884fa8c3469dbc9af5319bd1a9dfbc31 100644 (file)
@@ -3666,6 +3666,16 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const struct s
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       /*
+        * MS NFS mode, here's the deal: the client merely wants to
+        * modify the mode, but roundtripping get_acl/set/acl would
+        * add additional POSIX ACEs.  So in case we get a request
+        * containing a MS NFS mode SID, we do nothing here.
+        */
+       if (security_descriptor_with_ms_nfs(psd_orig)) {
+               return NT_STATUS_OK;
+       }
+
        psd = security_descriptor_copy(talloc_tos(), psd_orig);
        if (psd == NULL) {
                return NT_STATUS_NO_MEMORY;
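Review bot: Unlike the vfs_acl_common.c hunk, the check added to set_nt_acl is not conditioned on `security_info_sent & SECINFO_DACL`, so a descriptor that merely carries an MS NFS ACE short-circuits owner or group changes too and still returns success. Gating it the same way, `if ((security_info_sent & SECINFO_DACL) && security_descriptor_with_ms_nfs(psd_orig)) {`, would keep the two paths consistent; whether psd_orig can arrive with a DACL when that flag is unset is not visible here. The new comment also has a typo: `get_acl/set/acl` should read `get_acl/set_acl`. set_nt_acl starts and ends outside the hunk.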