6 files changed, 41 insertions, 1 deletions

diff --git a/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml
new file mode 100644
index 00000000000..676d5b478a3
--- /dev/null
+++ b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml
@@ -0,0 +1,30 @@
+<samba:parameter name="acl flag inherited canonicalization"
+                 context="S"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls the way Samba handles client requests setting
+	the Security Descriptor of files and directories and the effect the
+	operation has on the Security Descriptor flag &quot;DACL
+	auto-inherited&quot; (DI). Generally, this flag is set on a file (or
+	directory) upon creation if the parent directory has DI set and also has
+	inheritable ACEs.
+	</para>
+
+	<para>On the other hand when a Security Descriptor is explicitly set on
+	a file, the DI flag is cleared, unless the flag &quot;DACL Inheritance
+	Required&quot; (DR) is also set in the new Security Descriptor (fwiw, DR is
+	never stored on disk).</para>
+
+	<para>This is the default behaviour when this option is enabled (the
+	default). When setting this option to <command>no</command>, the
+	resulting value of the DI flag on-disk is directly taken from the DI
+	value of the to-be-set Security Descriptor. This can be used so dump
+	tools like rsync that copy data blobs from xattrs that represent ACLs
+	created by the acl_xattr VFS module will result in copies of the ACL
+	that are identical to the source. Without this option, the copied ACLs
+	would all loose the DI flag if set on the source.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index b674858e706..54920b85027 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2960,6 +2960,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 				  "smbd max xattr size",
 				  "65536");
 
+	lpcfg_do_global_parameter(lp_ctx,
+				  "acl flag inherited canonicalization",
+				  "yes");
+
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/selftest/knownfail.d/samba3.smb2.acls_non_canonical b/selftest/knownfail.d/samba3.smb2.acls_non_canonical
deleted file mode 100644
index b3ebece42be..00000000000
--- a/selftest/knownfail.d/samba3.smb2.acls_non_canonical
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.acls_non_canonical.flags.*
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 5143eda4194..84d3fd362ec 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -3070,6 +3070,7 @@ sub provision($$)
 
 [acls_non_canonical]
 	copy = tmp
+	acl flag inherited canonicalization = no
 	";
 
 	close(CONF);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 85e578eda9e..d3b9de4a09a 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -240,6 +240,7 @@ static const struct loadparm_service _sDefault =
 	.acl_map_full_control = true,
 	.acl_group_control = false,
 	.acl_allow_execute_always = false,
+	.acl_flag_inherited_canonicalization = true,
 	.aio_read_size = 1,
 	.aio_write_size = 1,
 	.map_readonly = MAP_READONLY_NO,
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 50e0a5f2f01..00f551595d7 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -965,6 +965,11 @@ static void canonicalize_inheritance_bits(struct files_struct *fsp,
 	 * for details.
 	 */
 
+	if (!lp_acl_flag_inherited_canonicalization(SNUM(fsp->conn))) {
+		psd->type &= ~SEC_DESC_DACL_AUTO_INHERIT_REQ;
+		return;
+	}
+
 	if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
 			== (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
 		set_auto_inherited = true;