[cifs-protocol] Information needed about security token default ACL
Nadezhda Ivanova
nadezhda.ivanova at postpath.com
Tue Jul 28 17:17:58 MDT 2009
Hi Obaid,
Yes, I think this issue is clear.
Thank you very much for your help!
Regards,
Nadezhda Ivanova
----- Original Message -----
> From: Obaid Farooqi <obaidf at microsoft.com>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: pfif at tridgell.net <pfif at tridgell.net>, cifs-protocol at samba.org <cifs-protocol at samba.org>
> Sent: Wednesday, July 29, 2009 2:14:06 AM GMT+0200 Europe;Athens
> Subject: RE: Information needed about security token default ACL
> Hi Nadezhda:
> LOGIN_SID is as described in section 2.4.2.2 of [MS-DTYP] which I am
> reproducing here:
>
> LOGON_ID (S-1-5-5-x-y): A logon session. The X and Y values for these
> SIDs are different for each logon session and are recycled when the
> operating system is restarted.
>
> This SID is in addition to the user's permanent SID. The permanent SID
> of user is used for first ACE, System SID (S-1-5-18) is used for
> second ACE and LOGIN_ID (SID) is used for third ACE in the default
> DACL.
>
> For the conditions to use default DACL, both of the conditions should
> be true, so it is an AND.
>
> Does this clarify it for you? Please let me know either way.
>
> Regards,
> Obaid Farooqi
> Sr. Support Escalation Engineer | Microsoft
>
>
> -----Original Message-----
> From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com]
> Sent: Tuesday, July 28, 2009 8:32 AM
> To: Obaid Farooqi
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: RE: Information needed about security token default ACL
>
> Hi Obaid,
> Thank you for clarifying the Token.DefaultDacl issue, just one more
> question on that to be sure:
> LOGIN_SID: Generic Read | Generic Execute
>
> Is LOGIN_SID the SID of the user that established the session?
>
> About the conditions when default DACL is used for creating the DACL
> in the security descriptor of the object.
> Both conditions must be met in order to use default DACL? It is 1 & 2,
> not 1 | 2?
>
> Regards,
> Nadezhda Ivanova
>
> -----Original Message-----
> From: Obaid Farooqi [mailto:obaidf at microsoft.com]
> Sent: Tuesday, July 28, 2009 12:05 AM
> To: Nadezhda Ivanova
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: RE: Information needed about security token default ACL
>
> Hi Nadezhda:
> I have answers to some of your questions. I am providing the answers
> in a Q&A form as follows. My colleague Edgar is researching your
> questions on Security Descriptor Creation algorithm and will contact
> you with the relevant information as appropriate.
>
> Q. So, am I right to understand that this DACL is used when no
> nTSecurityDescriptor is provided by the incoming LDAP add request, and
> there is no defaultSecurityDescriptor for the objectClass.
>
> A. First, let me clarify that nTSecurityDescriptor is a property of an
> object. The security descriptor that is provided by the caller is
> called CreatorDescriptor.
>
> Looking at the algorithm in section "2.5.2.4 ComputeACL" of [MS-DTYP],
> following are the conditions when default DACL is used for creating
> the DACL in the security descriptor of the object:
> 1. Caller has not provided a security descriptor (CreatorDescriptor)
> 2. The parent object does not have inheritable ACE's
>
> The role of the defaultSecurityDescriptor will be clarified in the
> answer to the question about the Security Descriptor Creation algorithm.
>
> Q. If so, how is the Token.DefaultDACL constructed and when? Is this
> based on the user's credentials and how?
>
> A. Default DACL is part of user Access Token. Access Token is created
> by Local Security authority when user logs on. The Default DACL is a
> static list of ACE's and is not derived from the credentials. The
> default DACL contains the following ACCESS_ALLOWED_ACE_TYPE ACE's
> SYSTEM: ALL Access (Generic all) (S-1-5-18)
> Owner: ALL Access (Generic all)
> LOGIN_SID: Generic Read | Generic Execute
>
>
> Please let me know if it answers your question. If yes, I'll
> consider this issue resolved.
>
> Regards,
> Obaid Farooqi
> Sr. Support Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com]
> Sent: Friday, July 17, 2009 7:46 AM
> To: Interoperability Documentation Help
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: Information needed about security token default ACL
>
> Hi,
>
> In the course of my work in implementing security descriptor
> inheritance in Directory service of Samba 4, I came across the
> following statement in MS-DTYP, 2.5.2
> "The token also contains an ACL, Token.DefaultDACL, that serves as the
> DACL assigned by default to any objects created by the user. "
>
> So, am I right to understand that this DACL is used when no
> nTSecurityDescriptor is provided by the incoming LDAP add request, and
> there is no defaultSecurityDescriptor for the objectClass.
> If so, how is the Token.DefaultDACL constructed and when? Is this
> based on the user's credentials and how?
>
> In addition, I have a question about the security descriptor creation
> algorithm described in MS-DTYP 2.5.2.3
> One of the arguments of CreateSecurityDescriptor is:
> CreatorDescriptor: Security descriptor for the new object provided by
> the creator of the object. Caller can pass NULL.
>
> Am I right in understanding that this is either the
> nTSecurityDescriptor attribute provided by the user, or, in the lack
> thereof, the defaultSecurityDescriptor of the object class?
>
> Best Regards,
> Nadezhda Ivanova
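As an added illustration, not code from the thread or from Samba, here is a small Python model of the Token.DefaultDacl layout Obaid describes (owner, SYSTEM, logon SID) and of the AND condition under which ComputeACL falls back to it. The `Ace` class, the simplified `compute_dacl` function and all SID values are assumptions constructed for the example.

```python
# Added example, not Samba code: models the default DACL of an access
# token as described in the thread and the AND rule for falling back to it.
from dataclasses import dataclass
from typing import List, Optional

# Generic access rights as they appear in a Windows ACCESS_MASK.
GENERIC_READ    = 0x80000000
GENERIC_WRITE   = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL     = 0x10000000
SYSTEM_SID = "S-1-5-18"          # well-known Local System SID


@dataclass(frozen=True)
class Ace:
    """Minimal ACCESS_ALLOWED ACE: trustee SID, access mask, inherit flag."""
    sid: str
    mask: int
    inheritable: bool = False    # CONTAINER_INHERIT / OBJECT_INHERIT set


def logon_sid(x: int, y: int) -> str:
    """S-1-5-5-x-y: the per-logon-session SID (recycled on reboot)."""
    return f"S-1-5-5-{x}-{y}"


def default_dacl(user_sid: str, logon: str) -> List[Ace]:
    """Token.DefaultDacl: a static list, not derived from credentials.
    Order follows the thread: owner, SYSTEM, then the logon SID."""
    return [
        Ace(user_sid, GENERIC_ALL),                       # owner: Generic All
        Ace(SYSTEM_SID, GENERIC_ALL),                     # SYSTEM: Generic All
        Ace(logon, GENERIC_READ | GENERIC_EXECUTE),       # logon SID: GR | GX
    ]


def compute_dacl(creator_dacl: Optional[List[Ace]],
                 parent_dacl: List[Ace],
                 token_default: List[Ace]) -> List[Ace]:
    """Simplified fallback logic of ComputeACL (MS-DTYP 2.5.2.4).
    The token's default DACL is used only when BOTH hold (AND):
      1. the caller supplied no CreatorDescriptor, and
      2. the parent object has no inheritable ACEs.
    (The real algorithm also merges creator and inherited ACEs; that
    merging is omitted here to keep the decision itself visible.)"""
    inheritable = [ace for ace in parent_dacl if ace.inheritable]
    if creator_dacl is not None:
        return list(creator_dacl)      # condition 1 fails: explicit DACL wins
    if inheritable:
        return inheritable             # condition 2 fails: inherit from parent
    return list(token_default)         # both conditions true: default DACL
```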