metze/samba/wip.git
11 years ago s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated...
Stefan Metzmacher [Fri, 23 Nov 2012 16:10:38 +0000 (17:10 +0100)]
s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for replicated changes

We only do so if the replicated object is not deleted.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/tests: add SdAutoInheritTests
Stefan Metzmacher [Fri, 16 Nov 2012 11:51:44 +0000 (12:51 +0100)]
s4:dsdb/tests: add SdAutoInheritTests

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)
Stefan Metzmacher [Fri, 16 Nov 2012 11:49:16 +0000 (12:49 +0100)]
s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)
Stefan Metzmacher [Fri, 16 Nov 2012 11:49:16 +0000 (12:49 +0100)]
s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()
Stefan Metzmacher [Fri, 23 Nov 2012 15:46:51 +0000 (16:46 +0100)]
s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
Stefan Metzmacher [Fri, 23 Nov 2012 14:55:24 +0000 (15:55 +0100)]
s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID
Stefan Metzmacher [Thu, 22 Nov 2012 16:42:32 +0000 (17:42 +0100)]
s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
Stefan Metzmacher [Fri, 23 Nov 2012 09:45:02 +0000 (10:45 +0100)]
s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID

This can only be triggered by ourselves, that's why we expect
control->data == module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify
Stefan Metzmacher [Wed, 21 Nov 2012 15:12:54 +0000 (16:12 +0100)]
s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/repl_meta_data: let DSDB_CONTROL_SEC_DESC_PROPAGATION_OID bypass.
Stefan Metzmacher [Fri, 23 Nov 2012 10:18:05 +0000 (11:18 +0100)]
s4:dsdb/repl_meta_data: let DSDB_CONTROL_SEC_DESC_PROPAGATION_OID bypass.

The propagation of nTSecurityDescriptor doesn't change the
replPropertyMetaData.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/objectclass_attrs: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
Stefan Metzmacher [Sat, 24 Nov 2012 14:25:06 +0000 (15:25 +0100)]
s4:dsdb/objectclass_attrs: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID
Stefan Metzmacher [Thu, 22 Nov 2012 16:42:32 +0000 (17:42 +0100)]
s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711)
Stefan Metzmacher [Sat, 24 Nov 2012 09:16:45 +0000 (10:16 +0100)]
s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)
Stefan Metzmacher [Sat, 24 Nov 2012 09:14:59 +0000 (10:14 +0100)]
s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)

Now that the acl module checks for SEC_ADS_DELETE_TREE,
we can do the recursive delete AS_SYSTEM.

We need to pass the TRUSTED flags as we operate from
the TOP module.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/subtree_delete: do an early return and avoid some nesting
Stefan Metzmacher [Sat, 24 Nov 2012 09:04:39 +0000 (10:04 +0100)]
s4:dsdb/subtree_delete: do an early return and avoid some nesting

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/objectclass: do not pass the callers controls on helper searches
Stefan Metzmacher [Sat, 24 Nov 2012 22:21:10 +0000 (23:21 +0100)]
s4:dsdb/objectclass: do not pass the callers controls on helper searches

We add AS_SYSTEM and SHOW_RECYCLED to the helper search,
don't let the caller specify additional controls.

This also fixes a problem when the caller also specified AS_SYSTEM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug...
Stefan Metzmacher [Sat, 24 Nov 2012 09:06:13 +0000 (10:06 +0100)]
s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given (bug #7711)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/dirsync: remove unused 'deletedattr' variable
Stefan Metzmacher [Sat, 24 Nov 2012 08:20:37 +0000 (09:20 +0100)]
s4:dsdb/dirsync: remove unused 'deletedattr' variable

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL
Stefan Metzmacher [Sat, 24 Nov 2012 08:19:52 +0000 (09:19 +0100)]
s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX
Stefan Metzmacher [Sat, 24 Nov 2012 08:17:27 +0000 (09:17 +0100)]
s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX

See [MS-ADTS] 3.1.1.4.4 Extended Access Checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes
Stefan Metzmacher [Sat, 24 Nov 2012 08:15:24 +0000 (09:15 +0100)]
s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributes

The @KLUDGEACL record might not be up to date.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify
Stefan Metzmacher [Fri, 23 Nov 2012 09:58:49 +0000 (10:58 +0100)]
s4:dsdb/descriptor: the old nTSecurityDescriptor is always expected there on modify

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescr...
Stefan Metzmacher [Fri, 23 Nov 2012 08:55:17 +0000 (09:55 +0100)]
s4:dsdb/descriptor: make explicit that we don't support MOD_DELETE on nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: remove some nesting from descriptor_modify
Stefan Metzmacher [Fri, 23 Nov 2012 08:31:05 +0000 (09:31 +0100)]
s4:dsdb/descriptor: remove some nesting from descriptor_modify

If the nTSecurityDescriptor attribute is not specified,
we have nothing to do.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: remove some unnecessary nesting
Stefan Metzmacher [Fri, 23 Nov 2012 08:20:50 +0000 (09:20 +0100)]
s4:dsdb/descriptor: remove some unnecessary nesting

sd == NULL is checked before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: add some error checks to descriptor_{add,modify}
Stefan Metzmacher [Fri, 23 Nov 2012 08:19:11 +0000 (09:19 +0100)]
s4:dsdb/descriptor: add some error checks to descriptor_{add,modify}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID
Stefan Metzmacher [Fri, 23 Nov 2012 08:15:25 +0000 (09:15 +0100)]
s4:dsdb/descriptor: remove support for unused LDB_CONTROL_RECALCULATE_SD_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify...
Stefan Metzmacher [Fri, 23 Nov 2012 06:18:35 +0000 (07:18 +0100)]
s4:dsdb/descriptor: move special dn check to the start of descriptor_{add,modify,rename}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:samba_upgradeprovision: use the sd_flags:1:15 control with in empty sd
Stefan Metzmacher [Thu, 22 Nov 2012 15:22:30 +0000 (16:22 +0100)]
s4:samba_upgradeprovision: use the sd_flags:1:15 control with in empty sd

The sd_flags:1:15 control together with an empty security_descriptor
has the same effect as the recalculate_sd:0 control (which is samba only).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:provision: add get_empty_descriptor()
Stefan Metzmacher [Thu, 22 Nov 2012 13:09:34 +0000 (14:09 +0100)]
s4:provision: add get_empty_descriptor()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: if the caller specifies a no DACL/SACL the objects gets a default one
Stefan Metzmacher [Thu, 22 Nov 2012 14:53:14 +0000 (15:53 +0100)]
s4:dsdb/descriptor: if the caller specifies a no DACL/SACL the objects gets a default one

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid
Stefan Metzmacher [Thu, 22 Nov 2012 13:07:04 +0000 (14:07 +0100)]
s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sid

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)
Stefan Metzmacher [Sun, 18 Nov 2012 17:57:03 +0000 (18:57 +0100)]
s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor
Stefan Metzmacher [Wed, 21 Nov 2012 13:04:09 +0000 (14:04 +0100)]
s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptor

We need to base the access mask on the given SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Wed, 21 Nov 2012 08:31:25 +0000 (09:31 +0100)]
s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor
Stefan Metzmacher [Wed, 21 Nov 2012 13:10:43 +0000 (14:10 +0100)]
s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor

The access_mask depends on the SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl: don't protect confidential attributes with "acl:search = yes"
Stefan Metzmacher [Wed, 21 Nov 2012 11:12:41 +0000 (12:12 +0100)]
s4:dsdb/acl: don't protect confidential attributes with "acl:search = yes"

In that case the acl_read module does the protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl: remove unused "acl:perform" option
Stefan Metzmacher [Wed, 21 Nov 2012 11:15:00 +0000 (12:15 +0100)]
s4:dsdb/acl: remove unused "acl:perform" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Wed, 21 Nov 2012 06:14:31 +0000 (07:14 +0100)]
s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLED

The searches are done in order to do access checks
and the results are not directly exposed to the client.

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add
Stefan Metzmacher [Wed, 21 Nov 2012 13:13:17 +0000 (14:13 +0100)]
s4:dsdb/descriptor: make it clear that the SD Flags are ignored on add

See [MS-ADTS] 6.1.3.2 SD Flags Control:
  ...
  When performing an LDAP add operation, the client can supply an SD flags control
  with the operation; however, it will be ignored by the server.
  ...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: make use of dsdb_request_sd_flags()
Stefan Metzmacher [Wed, 21 Nov 2012 12:05:31 +0000 (13:05 +0100)]
s4:dsdb/descriptor: make use of dsdb_request_sd_flags()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDesc...
Stefan Metzmacher [Wed, 21 Nov 2012 14:24:46 +0000 (15:24 +0100)]
s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDescriptor

If the nTSecurityDescriptor is explicitly specified
without the SD Flags control we should go through descriptor_search_callback().

This is not strictly needed at the moment, but makes the code clearer
and might avoid surprises in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Wed, 21 Nov 2012 09:15:58 +0000 (10:15 +0100)]
s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function
Stefan Metzmacher [Wed, 21 Nov 2012 11:33:35 +0000 (12:33 +0100)]
s4:dsdb/acl_util: add dsdb_request_sd_flags() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/acl_util: do helper searches AS_SYSTEM
Stefan Metzmacher [Wed, 21 Nov 2012 06:14:31 +0000 (07:14 +0100)]
s4:dsdb/acl_util: do helper searches AS_SYSTEM

The search is done in order to do access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM
Stefan Metzmacher [Wed, 21 Nov 2012 08:33:53 +0000 (09:33 +0100)]
s4:dsdb/extended_dn_store: do helper searches AS_SYSTEM

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Mon, 19 Nov 2012 05:59:33 +0000 (06:59 +0100)]
s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED
Stefan Metzmacher [Mon, 19 Nov 2012 05:59:33 +0000 (06:59 +0100)]
s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLED

Note that SHOW_RECYCLED implies SHOW_DELETED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/rootdse: do helper searches AS_SYSTEM
Stefan Metzmacher [Mon, 12 Nov 2012 13:19:34 +0000 (14:19 +0100)]
s4:dsdb/rootdse: do helper searches AS_SYSTEM

As anonymous users can read all rootdse attributes,
we should do helper searches with DSDB_FLAG_AS_SYSTEM
in order to avoid unnecessary access checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:tests/samba_tool/gpo.py: add test_show_as_admin()
Stefan Metzmacher [Tue, 20 Nov 2012 14:02:05 +0000 (15:02 +0100)]
s4:tests/samba_tool/gpo.py: add test_show_as_admin()

This calls samba-tool gpo show as admin (which should be able to
see the full nTSecurityDescriptor).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor
Stefan Metzmacher [Tue, 20 Nov 2012 13:58:13 +0000 (14:58 +0100)]
s4:netcmd/gpo.py: let get_gpo_info explicitly ask for the full ntSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor
Stefan Metzmacher [Tue, 20 Nov 2012 13:56:56 +0000 (14:56 +0100)]
s4:netcmd/gpo.py: only ask for OWNER/GROUP/DACL when validating the nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user
Stefan Metzmacher [Sat, 17 Nov 2012 06:13:40 +0000 (07:13 +0100)]
s4:netcmd/gpo.py: the nTSecurityDescriptor may not be visible for the current user

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor
Stefan Metzmacher [Tue, 20 Nov 2012 13:51:46 +0000 (14:51 +0100)]
s4:netcmd/gpo.py: s/ntSecurityDescriptor/nTSecurityDescriptor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF
Stefan Metzmacher [Thu, 22 Nov 2012 07:59:40 +0000 (08:59 +0100)]
s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xF

A value of 0 is mapped to 0xF.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector
Stefan Metzmacher [Wed, 21 Nov 2012 08:51:45 +0000 (09:51 +0100)]
s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVector

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:dsdb/schema_data: fix debug message in schema_data_modify()
Stefan Metzmacher [Wed, 21 Nov 2012 15:12:22 +0000 (16:12 +0100)]
s4:dsdb/schema_data: fix debug message in schema_data_modify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago s4:torture/rpc/handles: try to make all assoc_group tests less flakey
Stefan Metzmacher [Sat, 24 Nov 2012 10:28:57 +0000 (11:28 +0100)]
s4:torture/rpc/handles: try to make all assoc_group tests less flakey

Just incrementing the assoc_group_id makes it too likely to hit
a number that is already in use.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
11 years ago configure(waf): Fail "configure --with-ads" if ads support is not available
Michael Adam [Fri, 23 Nov 2012 11:21:49 +0000 (12:21 +0100)]
configure(waf):  Fail "configure --with-ads" if ads support is not available

Fix for bug #9350

This establishes the "auto" mode as default for ads-support, when
neither "--with-ads" nor "--without-ads" is specified for configure.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 23 19:34:55 CET 2012 on sn-devel-104

11 years ago s3-rpc_client: lookup nametype 0x20 in rpc_pipe_open_tcp_port(). (bug #9426)
Günther Deschner [Fri, 23 Nov 2012 12:19:53 +0000 (13:19 +0100)]
s3-rpc_client: lookup nametype 0x20 in rpc_pipe_open_tcp_port(). (bug #9426)

The server name type (0x20) is much more likely to be available in the name cache, as
this type gets stored by winbind itself - the primary user of the ncacn_ip_tcp
code currently.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Nov 23 16:30:57 CET 2012 on sn-devel-104

11 years ago Fix MD5 detection in the autoconf build
Matthieu Patou [Wed, 21 Nov 2012 20:07:42 +0000 (12:07 -0800)]
Fix MD5 detection in the autoconf build

This is a front port of patches made in 3.6.x branch for bugs:
* 9037
* 9086
* 9094
* 9418

It checks if there is a library for md5 related functions (libmd or
libmd5) and if so it checks for the presence of md5.h headers. It also
respects the need for the OS X build to not use samba's md5 implementation as
it's already present in the system libs.

Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Nov 23 10:05:34 CET 2012 on sn-devel-104

11 years ago web_server: Load SWAT if it is available.
Jelmer Vernooij [Thu, 22 Nov 2012 00:47:00 +0000 (00:47 +0000)]
web_server: Load SWAT if it is available.

Reviewed-by: Matthieu Patou <mat@matws.net>
Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Fri Nov 23 01:39:38 CET 2012 on sn-devel-104

11 years ago web_server: the web server is not multi-process, indicate so in WSGI.
Jelmer Vernooij [Thu, 22 Nov 2012 00:46:59 +0000 (00:46 +0000)]
web_server: the web server is not multi-process, indicate so in WSGI.

This is a requirement for some of the paster middleware used by SWAT2.

Reviewed-by: Matthieu Patou <mat@matws.net>
11 years ago web_server: Properly decrement reference counters for python objects in wsgi.
Jelmer Vernooij [Thu, 22 Nov 2012 00:46:58 +0000 (00:46 +0000)]
web_server: Properly decrement reference counters for python objects in wsgi.

Reviewed-by: Matthieu Patou <mat@matws.net>
11 years ago web_server: Properly set SCRIPT_NAME and PATH_INFO.
Jelmer Vernooij [Thu, 22 Nov 2012 00:46:57 +0000 (00:46 +0000)]
web_server: Properly set SCRIPT_NAME and PATH_INFO.

Reviewed-by: Matthieu Patou <mat@matws.net>
11 years ago web_server: Create a string object for SERVER_PORT variable.
Jelmer Vernooij [Thu, 22 Nov 2012 00:46:56 +0000 (00:46 +0000)]
web_server: Create a string object for SERVER_PORT variable.

This matches the behaviour of other wsgi server implementations.

Reviewed-by: Matthieu Patou <mat@matws.net>
11 years ago web_server/wsgi: Don't segfault when wsgi app doesn't return iterable.
Jelmer Vernooij [Thu, 22 Nov 2012 00:46:55 +0000 (00:46 +0000)]
web_server/wsgi: Don't segfault when wsgi app doesn't return iterable.

There is a bug in the application if this happens, but invalid Python
code shouldn't cause segfaults.

Reviewed-by: Matthieu Patou <mat@matws.net>
11 years ago build: Do not install testing binaries
Andrew Bartlett [Wed, 21 Nov 2012 09:20:46 +0000 (20:20 +1100)]
build: Do not install testing binaries

These binaries are for developer or selftest use, and are not
supported for installation onto the system.  The autoconf build does
not install these binaries, and so neither should the waf build.

Andrew Bartlett

Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 22 12:00:36 CET 2012 on sn-devel-104

11 years ago packaging: Remove long-gone --disable-merged-build from RHEL-CTDB packaging
Andrew Bartlett [Wed, 21 Nov 2012 08:52:50 +0000 (19:52 +1100)]
packaging: Remove long-gone --disable-merged-build from RHEL-CTDB packaging

Reviewed-by: Andreas Schneider <asn@samba.org>
11 years ago build: Remove --enable-smbtorture, require bin/smbtorture (from waf) for make test
Andrew Bartlett [Wed, 21 Nov 2012 06:52:35 +0000 (17:52 +1100)]
build: Remove --enable-smbtorture, require bin/smbtorture (from waf) for make test

This simply moves this to being a side-effect of --enable-selftest.

The flag was renamed from --enable-smbtorture4 in a recent patch.

Make test now relies on smbtorture4, and so this code to make the dependency
optional for the tests is not required any more.

Andrew Bartlett

Reviewed-by: Andreas Schneider <asn@samba.org>
11 years ago build: Be consistent with the name of smbtorture binaries
Andrew Bartlett [Wed, 21 Nov 2012 05:32:38 +0000 (16:32 +1100)]
build: Be consistent with the name of smbtorture binaries

This ensures that in both build systems, smbtorture3 is the source3 binary, and
smbtorture is our main smbtorture binary, built with waf.

Also included in this is the removal of bin/ndrdump4 as a special case.

This removes the last cases of binaries with different names in
each build system.

Andrew Bartlett

Reviewed-by: Andreas Schneider <asn@samba.org>
11 years ago torture: remove source3 locktest and masktest
Andrew Bartlett [Wed, 21 Nov 2012 05:00:53 +0000 (16:00 +1100)]
torture: remove source3 locktest and masktest

We now just build these in waf, using the source4/torture code.

The source4 versions of these are tested in make test.

Andrew Bartlett

Reviewed-by: Andreas Schneider <asn@samba.org>
11 years ago build: Use ntlm_auth from source3 as the only ntlm_auth installed on the system
Andrew Bartlett [Wed, 21 Nov 2012 04:34:43 +0000 (15:34 +1100)]
build: Use ntlm_auth from source3 as the only ntlm_auth installed on the system

The ntlm_auth4 binary is untested, and is missing major features compared with
the source3 binary.  The two are being slowly merged, but I have not finished
that.

Andrew Bartlett

Reviewed-by: Andreas Schneider <asn@samba.org>
11 years ago lib/replace: Do not use STRERROR_R_PROTO_COMPATIBLE as only roken.h sets this
Andrew Bartlett [Mon, 19 Nov 2012 12:25:45 +0000 (23:25 +1100)]
lib/replace: Do not use STRERROR_R_PROTO_COMPATIBLE as only roken.h sets this

Currently, we put strerror_r into libreplace even on systems with strerror_r.

Andrew Bartlett

Reviewed-by: Andreas Schneider <asn@samba.org>
11 years ago s4/web_server: Fix typo in URL.
Jelmer Vernooij [Wed, 21 Nov 2012 22:56:57 +0000 (22:56 +0000)]
s4/web_server: Fix typo in URL.

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Thu Nov 22 01:37:02 CET 2012 on sn-devel-104

11 years ago s3:smbd/aio do not mark file modified during reads
Christian Ambach [Tue, 20 Nov 2012 13:24:13 +0000 (14:24 +0100)]
s3:smbd/aio do not mark file modified during reads

this causes each file that is potentially just opened for reading to be
marked as modified and lots of file change notifications will be sent

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Tue Nov 20 21:02:34 CET 2012 on sn-devel-104

11 years ago s3: Fix some blank line endings
Volker Lendecke [Wed, 7 Nov 2012 15:22:07 +0000 (16:22 +0100)]
s3: Fix some blank line endings

Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Nov 20 19:18:33 CET 2012 on sn-devel-104

11 years ago librpc/idl: teach ndrdump about dumping security.idl structures
Stefan Metzmacher [Tue, 13 Nov 2012 08:34:43 +0000 (09:34 +0100)]
librpc/idl: teach ndrdump about dumping security.idl structures

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
11 years ago s3:librpc: add support for PFC_FLAG_OBJECT_UUID when parsing packets (bug #9382)
Stefan Metzmacher [Mon, 12 Nov 2012 09:16:50 +0000 (10:16 +0100)]
s3:librpc: add support for PFC_FLAG_OBJECT_UUID when parsing packets (bug #9382)

Now the logic matches the one in dcerpc_read_ncacn_packet_done().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
11 years ago s4:torture/rpc/handles: try to make the assoc_group test less flakey
Stefan Metzmacher [Wed, 14 Nov 2012 07:45:10 +0000 (08:45 +0100)]
s4:torture/rpc/handles: try to make the assoc_group test less flakey

Just incrementing the assoc_group_id makes it too likely to hit
a number that is already in use.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
11 years ago s4:torture/rpc/handles: move a torture_comment()
Stefan Metzmacher [Tue, 20 Nov 2012 13:13:16 +0000 (14:13 +0100)]
s4:torture/rpc/handles: move a torture_comment()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
11 years ago s3:param: set "map archive = no" in ROLE_ACTIVE_DIRECTORY_DC
Stefan Metzmacher [Tue, 20 Nov 2012 12:50:46 +0000 (13:50 +0100)]
s3:param: set "map archive = no" in ROLE_ACTIVE_DIRECTORY_DC

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
11 years ago examples: fix build on AIX6
Christian Ambach [Tue, 20 Nov 2012 08:50:15 +0000 (09:50 +0100)]
examples: fix build on AIX6

Signed-off-by: Christian Ambach <ambi@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Nov 20 16:06:59 CET 2012 on sn-devel-104

11 years ago build(waf): fix a typo
Christian Ambach [Tue, 20 Nov 2012 08:49:46 +0000 (09:49 +0100)]
build(waf): fix a typo

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Nov 20 11:54:51 CET 2012 on sn-devel-104

11 years ago More for #9374 - Allow smb2.acls torture test to pass against smbd with a POSIX ACLs...
Jeremy Allison [Wed, 14 Nov 2012 22:40:51 +0000 (14:40 -0800)]
More for #9374 - Allow smb2.acls torture test to pass against smbd with a POSIX ACLs backend.

Change can_delete_directory() to can_delete_directory_fsp(), as
we only ever call this from an open directory file handle.

This allows us to use OpenDir_fsp() instead of OpenDir().
OpenDir() re-checks the ACL on the directory, which may
refuse DIR_LIST permissions. OpenDir_fsp() does not. As
this is a file-server internal check to see if the directory
actually contains any files before setting delete on close,
we can ignore the ACL here (Windows does).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Nov 20 01:46:28 CET 2012 on sn-devel-104

11 years ago Add comments explaining exactly *why* we don't check FILE_READ_ATTRIBUTES when evalua...
Jeremy Allison [Wed, 14 Nov 2012 22:40:50 +0000 (14:40 -0800)]
Add comments explaining exactly *why* we don't check FILE_READ_ATTRIBUTES when evaluating file/directory ACE's.

If we can access the path to this file, by
default we have FILE_READ_ATTRIBUTES from the
containing directory. See the section
"Algorithm to Check Access to an Existing File"
in MS-FSA.pdf.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
11 years ago s3:modules:nfs4_acls remove unused mem_ctx parameter to smbacl4_fill_ace4
Christian Ambach [Mon, 5 Nov 2012 17:49:54 +0000 (18:49 +0100)]
s3:modules:nfs4_acls remove unused mem_ctx parameter to smbacl4_fill_ace4

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Nov 17 01:11:07 CET 2012 on sn-devel-104

11 years ago s3:modules:nfs4_acls fix memory hierarchy in smb_create_smb4acl
Christian Ambach [Mon, 5 Nov 2012 17:47:01 +0000 (18:47 +0100)]
s3:modules:nfs4_acls fix memory hierarchy in smb_create_smb4acl

the ACEs should be talloc children of the ACL itself and not be placed on talloc_tos()

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11 years ago s3:vfs_gpfs fix a memory leak in gpfsacl_get_posix_acl
Christian Ambach [Fri, 2 Nov 2012 07:41:40 +0000 (08:41 +0100)]
s3:vfs_gpfs fix a memory leak in gpfsacl_get_posix_acl

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11 years ago s3:vfs_gpfs fix memory corruption in gpfs2smb_acl
Christian Ambach [Fri, 2 Nov 2012 07:41:10 +0000 (08:41 +0100)]
s3:vfs_gpfs fix memory corruption in gpfs2smb_acl

sys_acl_init returns a SMB_ACL_T with zero entries in the acl array;
reallocate the array to proper size before filling it, otherwise we overwrite memory

This one is a result of an improper fixing in 7a6182962966e5edb42728c8

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11 years ago s3:vfs_gpfs fix memory leak in gpfs_get_nfs4_acl
Christian Ambach [Fri, 2 Nov 2012 07:39:45 +0000 (08:39 +0100)]
s3:vfs_gpfs fix memory leak in gpfs_get_nfs4_acl

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
11 years ago s3:vfs_gpfs fix memory leaks in gpfs_getacl_alloc
Christian Ambach [Fri, 2 Nov 2012 07:39:17 +0000 (08:39 +0100)]
s3:vfs_gpfs fix memory leaks in gpfs_getacl_alloc

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

11 years ago samba-tool dns: Don't use "localhost" to connect to local host
Kai Blin [Wed, 14 Nov 2012 10:32:06 +0000 (11:32 +0100)]
samba-tool dns: Don't use "localhost" to connect to local host

Calling "samba-tool dns <cmd> localhost" provokes a stacktrace.

This just makes 'samba-tool dns <cmd> localhost' work and doesn't fix
the underlying issue, but I don't see it causing any harm (unless you
don't have an ipv4 localhost, I guess).

Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 16 13:18:14 CET 2012 on sn-devel-104

11 years ago utils: Remove unused samba-dig tool
Kai Blin [Fri, 16 Nov 2012 08:59:53 +0000 (09:59 +0100)]
utils: Remove unused samba-dig tool

Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

11 years ago dsdb: Make secrets_tdb_sync cope with -H secrets.ldb
Andrew Bartlett [Wed, 12 Sep 2012 13:34:29 +0000 (15:34 +0200)]
dsdb: Make secrets_tdb_sync cope with -H secrets.ldb

The issue was, without a / in the path, we did not cope.

Andrew Bartlett
Reviewed-by: Michael Adam <obnox@samba.org>

11 years ago s3:param: make init_locals() static.
Michael Adam [Fri, 16 Nov 2012 00:00:21 +0000 (01:00 +0100)]
s3:param: make init_locals() static.

it is only used in loadparm.c

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Nov 16 03:33:34 CET 2012 on sn-devel-104

11 years ago s3-param: Handle setting default AD DC per-share settings in init_locals()
Andrew Bartlett [Thu, 15 Nov 2012 23:30:44 +0000 (10:30 +1100)]
s3-param: Handle setting default AD DC per-share settings in init_locals()

This function is helpfully called between when we finish processing
the globals and when we start processing the individual shares.  This
means that the "vfs objects" and other per-share settings we specify
here become the defaults for (eg) [netlogon] and [sysvol] but the
admin can override these on a per-share basis or (as we must in make
test) for the whole server.

This broke setting and fetching of group policy objects from Windows
clients, since this setting was moved from fileserver.conf in
8518dd6406c0132dfd8c44e084c2b39792974f2c, and wasn't found in 'make
test' because we have to override the vfs objects to insert the
xattr_tdb and fake_acl modules.

Andrew Bartlett

Reviewed-by: Michael Adam <obnox@samba.org>

11 years ago s4:samba-tool: Fix samba-tool fsmo --role=schema
Arvid Requate [Wed, 14 Nov 2012 14:51:19 +0000 (15:51 +0100)]
s4:samba-tool: Fix samba-tool fsmo --role=schema

Fix traceback:
samba-tool fsmo --role=schema --force
ERROR(<type 'exceptions.TypeError'>): uncaught exception - argument 2 must be string, not ldb.Dn
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 160, in run
    self.seize_role(role, samdb, force)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/fsmo.py", line 119, in seize_role
    m.dn = ldb.Dn(samdb, self.schema_dn)

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 16 00:40:24 CET 2012 on sn-devel-104

11 years ago samba-tool: Add new samba-tool gpo aclcheck and test
Andrew Bartlett [Mon, 5 Nov 2012 08:36:28 +0000 (19:36 +1100)]
samba-tool: Add new samba-tool gpo aclcheck and test

Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

11 years ago Another fix needed for bug #9236 - ACL masks incorrectly applied when setting ACLs.
Jeremy Allison [Tue, 13 Nov 2012 19:22:15 +0000 (11:22 -0800)]
Another fix needed for bug #9236 - ACL masks incorrectly applied when setting ACLs.

Not caught by make test as it's an extreme edge case for strange
incoming ACLs. I only found this as I'm making raw.acls and smb2.acls
pass against 3.6.x and 4.0.0 with acl_xattr mapped onto a POSIX backend.

An incoming inheritable ACE entry containing only one permission,
WRITE_DATA maps into a POSIX owner perm of "-w-", which violates
the principle that the owner of a file/directory can always read.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Nov 15 19:52:52 CET 2012 on sn-devel-104