From: Ralph Boehme Date: Mon, 8 Jun 2026 13:49:57 +0000 (+0200) Subject: smbtorture: split smb2.acls into acls-with-sysacl and acls-ignore-sysacl X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d5674bccfdfecde34ea7a1b1fd384b0cff60d82;p=thirdparty%2Fsamba.git smbtorture: split smb2.acls into acls-with-sysacl and acls-ignore-sysacl The smb2.acls test suite contains tests (OWNER-RIGHTS-DENY1 and DENY1) that use non-canonical ACLs (containing out-of-order DENY ACEs). Under standard POSIX draft/system ACL mapping, such non-canonical ACLs cannot be represented on the underlying file system, hence the current code is supposed to fail attempts to set such ACLs in the Samba POSIX ACL mapping backend. However, as the current code wrongly silently swallows the error returned from the low level mapping function unpack_canon_ace() and a subsequent commit is going to fix this, the tests mentioned above will start failing. As these non-canonical ACL are in fact valid ACLs and eg Windows allows setting them and they only fail when Samba uses POSIX ACL backend, adjust the tests to run against a share that uses acl_xattr without POSIX ACLs: - smb2.acls-with-sysacl: Runs tests that are compatible with system POSIX ACL mapping, executed against the standard 'tmp' share. - smb2.acls-ignore-sysacl: Contains tests that require Windows-like ACL handling (like non-canonical ACE ordering) which are executed against the 'acl_xattr_ign_sysacl_windows' share (where system ACLs are ignored). BUG: https://bugzilla.samba.org/show_bug.cgi?id=16097 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- diff --git a/selftest/flapping b/selftest/flapping index 8c3f9e8969a..ffd83b58c32 100644 --- a/selftest/flapping +++ b/selftest/flapping @@ -19,8 +19,8 @@ ^samba3.rpc.spoolss.printer.addprinterex.print_job_enum # fails on some hosts due to bug 10930 ^samba3.rpc.lsa.privileges.lsa.Privileges\(nt4_dc\) # fails sometimes on sn-devel ^samba4.blackbox.gentest # is flakey due to timing -^samba3.smb2.acls.INHERITANCE\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16 -^samba3.smb2.acls.DYNAMIC\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16 +^samba3.smb2.acls-with-sysacl.INHERITANCE\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16 +^samba3.smb2.acls-with-sysacl.DYNAMIC\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16 ^samba3.raw.acls.dynamic\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16 ^samba3.raw.acls.inheritance\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16 ^samba3.raw.samba3checkfsp.samba3checkfsp\(ad_dc_smb1\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16 diff --git a/selftest/knownfail b/selftest/knownfail index ab2d79d7114..f68b5b40e29 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -146,10 +146,10 @@ ^samba4.smb2.create.*.impersonation ^samba4.smb2.create.quota-fake-file\(ad_dc_ntvfs\) # not supported by the NTVFS ^samba4.smb2.create.dosattr_tmp_dir\(ad_dc_ntvfs\) -^samba4.smb2.acls.*.generic -^samba4.smb2.acls.*.inheritflags -^samba4.smb2.acls.*.owner -^samba4.smb2.acls.*.ACCESSBASED +^samba4.smb2.acls-with-sysacl.*.generic +^samba4.smb2.acls-with-sysacl.*.inheritflags +^samba4.smb2.acls-with-sysacl.*.owner +^samba4.smb2.acls-with-sysacl.*.ACCESSBASED ^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.SimpleDirsyncTests.test_dirsync_deleted_items_OBJECT_SECURITY #^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.ExtendedDirsyncTests.* ^samba4.libsmbclient.opendir.(NT1|SMB3).opendir # This requires netbios browsing diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index ff1b993d2dc..44f91203396 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -143,6 +143,9 @@ for t in fileserver_tests: fileserver_env = "fileserver_smb1" if "SMB2" in t: fileserver_env = "fileserver" + if t == "OWNER-RIGHTS": + plantestsuite("samba3.smbtorture_s3.plain.%s" % t, fileserver_env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//$SERVER_IP/acl_xattr_ign_sysacl_windows', '$USERNAME', '$PASSWORD', smbtorture3, "", "-l $LOCAL_PATH"]) + continue plantestsuite("samba3.smbtorture_s3.plain.%s" % t, fileserver_env, [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//$SERVER_IP/tmp', '$USERNAME', '$PASSWORD', smbtorture3, "", "-l $LOCAL_PATH"]) plantestsuite("samba3.smbtorture_s3.crypt_client.%s" % t, "nt4_dc_smb1", [os.path.join(samba3srcdir, "script/tests/test_smbtorture_s3.sh"), t, '//$SERVER_IP/tmp', '$USERNAME', '$PASSWORD', smbtorture3, "-e", "-l $LOCAL_PATH"]) if t == "TORTURE": @@ -1384,6 +1387,10 @@ for t in tests: plansmbtorture4testsuite(t, "ad_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD') elif t == "smb2.fileid": plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/vfs_fruit_xattr -U$USERNAME%$PASSWORD') + elif t == "smb2.acls-with-sysacl": + plansmbtorture4testsuite(t, "fileserver", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD') + elif t == "smb2.acls-ignore-sysacl": + plansmbtorture4testsuite(t, "fileserver", '//$SERVER_IP/acl_xattr_ign_sysacl_windows -U$USERNAME%$PASSWORD') elif t == "smb2.acls_non_canonical": plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/acls_non_canonical -U$USERNAME%$PASSWORD') elif t == "smb2.async_dosmode": diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c index 65b4b0fe363..39abdbc90e7 100644 --- a/source4/torture/smb2/acls.c +++ b/source4/torture/smb2/acls.c @@ -3295,9 +3295,9 @@ done: /* basic testing of SMB2 ACLs */ -struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx) +struct torture_suite *torture_smb2_acls_with_sysacl_init(TALLOC_CTX *ctx) { - struct torture_suite *suite = torture_suite_create(ctx, "acls"); + struct torture_suite *suite = torture_suite_create(ctx, "acls-with-sysacl"); torture_suite_add_1smb2_test(suite, "CREATOR", test_creator_sid); torture_suite_add_1smb2_test(suite, "GENERIC", test_generic_bits); @@ -3314,15 +3314,28 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx) torture_suite_add_1smb2_test(suite, "OWNER-RIGHTS", test_owner_rights); torture_suite_add_1smb2_test(suite, "OWNER-RIGHTS-DENY", test_owner_rights_deny); + torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED", + test_mxac_not_granted); + torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file); + + suite->description = talloc_strdup(suite, "SMB2-ACLS-WITH-SYSACL tests"); + + return suite; +} + +/* + basic testing of SMB2 ACLs +*/ +struct torture_suite *torture_smb2_acls_ignore_sysacl_init(TALLOC_CTX *ctx) +{ + struct torture_suite *suite = torture_suite_create(ctx, "acls-ignore-sysacl"); + torture_suite_add_1smb2_test(suite, "OWNER-RIGHTS-DENY1", test_owner_rights_deny1); torture_suite_add_1smb2_test(suite, "DENY1", test_deny1); - torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED", - test_mxac_not_granted); - torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file); - suite->description = talloc_strdup(suite, "SMB2-ACLS tests"); + suite->description = talloc_strdup(suite, "SMB2-ACLS-IGNORE-SYSACL tests"); return suite; } diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c index cf426b2252a..5b444c8c03a 100644 --- a/source4/torture/smb2/smb2.c +++ b/source4/torture/smb2/smb2.c @@ -157,7 +157,8 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx) torture_suite_add_suite(suite, torture_smb2_create_init(suite)); torture_suite_add_suite(suite, torture_smb2_twrp_init(suite)); torture_suite_add_suite(suite, torture_smb2_fileid_init(suite)); - torture_suite_add_suite(suite, torture_smb2_acls_init(suite)); + torture_suite_add_suite(suite, torture_smb2_acls_with_sysacl_init(suite)); + torture_suite_add_suite(suite, torture_smb2_acls_ignore_sysacl_init(suite)); torture_suite_add_suite(suite, torture_smb2_acls_non_canonical_init(suite)); torture_suite_add_suite(suite, torture_smb2_notify_init(suite)); torture_suite_add_suite(suite, torture_smb2_notify_inotify_init(suite));