samba - Feb 2008 - Inheritable Permissions Issue

I have a Centos 3 server running Samba 3.0.28.  It's a member of an AD
domain on a Windows Server 2003 R2 Standard x64 SP2 box.  From the
W2K3 server I can see the samba share I created.  Using the Security
tab in the Windows Explorer file properties dialog I can add and
remove users and change their permissions.  However, in the
Permissions tab of the Advanced Security Settings dialog, whenever I
uncheck the "Allow inheritable permissions from the parent to
propagate to this object and all child objects" checkbox, and hit
Apply, the checkbox always returns to the checked state immediately.
It is never possible to get it into an unchecked state. Is this the
expected behavior?

I have mounted the exported filesystem with the acl and user_xattr
attributes, and I've compiled samba with ads, acl, and xattr support.

Here are the settings for the share in question:

[voltest]
        comment = Volume Test
        path = /home/voltest
        admin users = DOMAINNAME\administrator
        read only = No
        inherit acls = Yes
        map acl inherit = Yes
        store dos attributes = Yes

Though the "inheritable permissions" checkbox stays checked, I
*sometimes* see that the user.SAMBA_PAI attribute is getting set:

$ getfattr -d /home/voltest/test_folder/foo.doc
getfattr: Removing leading '/' from absolute path names
# file: home/voltest/test_folder/foo.doc
user.DOSATTRIB="0x20"
user.SAMBA_PAI=0sAQACAAAAABAnAAABHycAAA=
Often, though, it's not set at all.

Thanks in advance for your help.

-David

-- 
David Eisner     http://cradle.brokenglass.com

On Thu, Feb 28, 2008 at 6:51 PM, David Eisner <deisner@gmail.com> wrote:
>  Permissions tab of the Advanced Security Settings dialog, whenever I
>  uncheck the "Allow inheritable permissions from the parent to
>  propagate to this object and all child objects" checkbox, and hit
>  Apply, the checkbox always returns to the checked state immediately.
>  It is never possible to get it into an unchecked state. Is this the
>  expected behavior?

Just an update.  I've been peering through the code trying to debug
this problem.  Here's what I've learned so far:

1. The value represented by the "inheritable permissions" checkbox is
stored in the security descriptor's SE_DACL_PROTECTED control flag.
[1]  In the Samba code, these flags are stored in the SEC_DESC
struct's "type" member.

2. set_nt_acl() (in smbd/posix_acls.c) is responsible for handling the
request to set the security descriptor on the file.  Among other
things, it calls append_parent_acl().  This function is clobbering the
SE_DESC_DACL_PROTECTED bit in psd->type.  It has the correct value
before the call, but it winds up getting cleared.

3. I see this comment inside append_parent_acl():

    /*
     * Note that we're ignoring "inherit permissions" here
     * as that really only applies to newly created files. JRA.
     */

Is this a bug?

I'll take a look at what's in git and do some more research.

-David

[1] http://tinyurl.com/2pt7nh


-- 
David Eisner     http://cradle.brokenglass.com