[cifs-protocol] FW: Group Policy questions
Matthieu Patou
mat+Informatique.Samba at matws.net
Tue Dec 22 14:56:23 MST 2009
On 23/12/2009 00:47, Hongwei Sun wrote:
> Matthieu,
>
> Your summary is a good recap of what we have done on this topic. I have one clarification for the point below.
>
> * All ACE for allowed object are wiped out when "translating" AD ACL to File ACL
>
> When translating an ACL for a DS object to an ACL for a SYSVOL file object, the ACEs with types of ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE and SYSTEM_AUDIT_OBJECT_ACE_TYPE are not really deleted from the ACL. Instead, for such an ACE, the access mask in AceHeader is assigned to zero.
>
Yeah, I meant that when "translating" an AD ACL to a file ACL we do not
care about it: for all those ACCESS_ALLOWED_OBJECT_ACE_TYPE in the AD no
corresponding ACE is created.
> Sebastian will follow up with you on your question regarding documenting the logic for ACE OI and CI flags.
>
> Thanks!
>
> Hongwei
>
> -----Original Message-----
> From: Matthieu Patou [mailto:mat+Informatique.Samba at matws.net]
> Sent: Friday, December 18, 2009 4:01 PM
> To: Sebastian Canevari
> Cc: Hongwei Sun; Interoperability Documentation Help; cifs-protocol at samba.org
> Subject: Re: FW: [cifs-protocol] Group Policy questions
>
> Hello Sebastian and Hongwei,
>
> Sorry for being silent on this.
>
> So if I try to sum up we agreed that:
>
> * in order to allow modification of ACL on files sdeffectiverights must
> have the flag DACL_SECURITY_INFORMATION set, and the ACL must have the
> SE_DACL_PROTECTED set in the control flags.
> * in order to avoid a warning message ACL of Policy object must be
> synchronized with ACL in the files following this logic for the translation:
>
>
> The specific rights in access mask for Active Directory object
> are defined in 5.1.3.2 of MS-ADTS as follows.
>
> #define RIGHT_DS_CREATE_CHILD 0x00000001
> #define RIGHT_DS_DELETE_CHILD 0x00000002
> #define RIGHT_DS_LIST_CONTENTS 0x00000004
> #define ACTRL_DS_SELF 0x00000008
> #define RIGHT_DS_READ_PROPERTY 0x00000010
> #define RIGHT_DS_WRITE_PROPERTY 0x00000020
> #define RIGHT_DS_DELETE_TREE 0x00000040
> #define RIGHT_DS_LIST_OBJECT 0x00000080
> #define RIGHT_DS_CONTROL_ACCESS 0x00000100
>
> The specific rights in access mask for a file or directory object
> are defined as
> (http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx )
>
> #define FILE_READ_DATA ( 0x0001 )
> #define FILE_LIST_DIRECTORY ( 0x0001 )
> #define FILE_WRITE_DATA ( 0x0002 )
> #define FILE_ADD_FILE ( 0x0002 )
> #define FILE_APPEND_DATA ( 0x0004 )
> #define FILE_ADD_SUBDIRECTORY ( 0x0004 )
> #define FILE_CREATE_PIPE_INSTANCE ( 0x0004 )
> #define FILE_READ_EA ( 0x0008 )
> #define FILE_WRITE_EA ( 0x0010 )
> #define FILE_EXECUTE ( 0x0020 )
> #define FILE_TRAVERSE ( 0x0020 )
> #define FILE_DELETE_CHILD ( 0x0040 )
> #define FILE_READ_ATTRIBUTES ( 0x0080 )
> #define FILE_WRITE_ATTRIBUTES ( 0x0100 )
>
> The generic access rights that are common to all objects are
>
> #define DELETE (0x00010000L)
> #define READ_CONTROL (0x00020000L)
> #define WRITE_DAC (0x00040000L)
> #define WRITE_OWNER (0x00080000L)
> #define SYNCHRONIZE (0x00100000L)
> #define STANDARD_RIGHTS_ALL (0x001F0000L)
>
>
> The following logic is used by GPMC to convert an access mask for a
> DS object to an access mask for SYSVOL.
>
> DSAccessMask as Input;
> SYSVOLAccessMask as Output;
> SYSVOLAccessMask = DSAccessMask;
> SYSVOLAccessMask &= STANDARD_RIGHTS_ALL;
>
> if ((DSAccessMask & RIGHT_DS_READ_PROPERTY) AND
> (DSAccessMask & RIGHT_DS_LIST_CONTENTS))
> SYSVOLAccessMask |= (SYNCHRONIZE | FILE_LIST_DIRECTORY |
> FILE_READ_ATTRIBUTES | FILE_READ_EA |
> FILE_READ_DATA | FILE_EXECUTE);
>
> if (DSAccessMask & RIGHT_DS_WRITE_PROPERTY)
> SYSVOLAccessMask |= (SYNCHRONIZE | FILE_WRITE_DATA |
> FILE_APPEND_DATA | FILE_WRITE_EA |
> FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |
> FILE_ADD_SUBDIRECTORY);
>
> if (DSAccessMask & RIGHT_DS_CREATE_CHILD)
> SYSVOLAccessMask |= (FILE_ADD_SUBDIRECTORY |
> FILE_ADD_FILE);
>
> if (DSAccessMask & RIGHT_DS_DELETE_CHILD)
> SYSVOLAccessMask |= FILE_DELETE_CHILD;
>
>
> * All ACE for allowed object are wiped out when "translating" AD ACL to
> File ACL
> * For the following ACE OI and CI flags are always set in the resulting
> file ACE:
>
> ACCESS_ALLOWED_ACE_TYPE
> ACCESS_DENIED_ACE_TYPE
> SYSTEM_AUDIT_ACE_TYPE
>
>
>
> Am I right?
>
> For the parts that are "hardcoded" like this, will it change any time
> soon? Also, do you plan to document this in any kind of document? If so,
> which and when?
>
>
>
> Regards.
> Matthieu.
>
>
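The GPMC access-mask translation quoted in the thread, plus Hongwei's per-ACE rule (object ACEs keep their header but get a zero mask), rendered as compilable C. This is an added example, not code from the thread, GPMC or Samba; the constants are the ones quoted above, except the three object ACE type codes (0x05, 0x06, 0x07), which are the standard winnt.h values and are not on the page.

```c
#include <stdint.h>
/* DS-specific rights (MS-ADTS 5.1.3.2), values as quoted in the thread */
#define RIGHT_DS_CREATE_CHILD   0x00000001
#define RIGHT_DS_DELETE_CHILD   0x00000002
#define RIGHT_DS_LIST_CONTENTS  0x00000004
#define RIGHT_DS_READ_PROPERTY  0x00000010
#define RIGHT_DS_WRITE_PROPERTY 0x00000020
/* File rights; FILE_LIST_DIRECTORY/FILE_ADD_FILE/FILE_ADD_SUBDIRECTORY alias 0x1/0x2/0x4 */
#define FILE_READ_DATA          0x0001
#define FILE_WRITE_DATA         0x0002
#define FILE_APPEND_DATA        0x0004
#define FILE_READ_EA            0x0008
#define FILE_WRITE_EA           0x0010
#define FILE_EXECUTE            0x0020
#define FILE_DELETE_CHILD       0x0040
#define FILE_READ_ATTRIBUTES    0x0080
#define FILE_WRITE_ATTRIBUTES   0x0100
/* Standard rights common to all securable objects */
#define SYNCHRONIZE             0x00100000
#define STANDARD_RIGHTS_ALL     0x001F0000
/* Object ACE type codes from winnt.h (assumed; not quoted on the page) */
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE 0x05
#define ACCESS_DENIED_OBJECT_ACE_TYPE  0x06
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE   0x07

/* GPMC access-mask translation exactly as quoted in the thread */
uint32_t ds_to_sysvol_mask(uint32_t ds)
{
    uint32_t sv = ds & STANDARD_RIGHTS_ALL; /* DS-specific bits are dropped */
    if ((ds & RIGHT_DS_READ_PROPERTY) && (ds & RIGHT_DS_LIST_CONTENTS))
        sv |= SYNCHRONIZE | FILE_READ_DATA | FILE_READ_ATTRIBUTES |
              FILE_READ_EA | FILE_EXECUTE;
    if (ds & RIGHT_DS_WRITE_PROPERTY)
        sv |= SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA |
              FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES;
    if (ds & RIGHT_DS_CREATE_CHILD)   /* FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY */
        sv |= FILE_WRITE_DATA | FILE_APPEND_DATA;
    if (ds & RIGHT_DS_DELETE_CHILD)
        sv |= FILE_DELETE_CHILD;
    return sv;
}

/* Per-ACE rule: an object ACE stays in the file ACL with a zero access mask */
uint32_t translate_ace_mask(uint8_t ace_type, uint32_t ds_mask)
{
    if (ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE || ace_type == ACCESS_DENIED_OBJECT_ACE_TYPE ||
        ace_type == SYSTEM_AUDIT_OBJECT_ACE_TYPE)
        return 0;
    return ds_to_sysvol_mask(ds_mask);
}
```

Note that RIGHT_DS_READ_PROPERTY alone yields no file read rights; the read bits only appear when RIGHT_DS_LIST_CONTENTS is granted as well.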