[cifs-protocol] [EXTERNAL] Conditional ACEs in AD - where are they valid? - TrackingID#2305110040008167

[Jeff McCashland (He/him)]

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Andrew,

Thank you for your question. We have created SR 2305110040008167 to track this issue. One of our engineers will respond soon.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300


________________________________
From: Andrew Bartlett <abartlet at samba.org>
Sent: Wednesday, May 10, 2023 10:26 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
Subject: [EXTERNAL] Conditional ACEs in AD - where are they valid?

Kia Ora DocHelp,

(again) Per my phone call with Obaid and Tom last week.

We were discussing conditional ACEs in security descriptors, and I was
curious as to where they were allowed, as I see some awesome
possibilities for this technology.

I asked if they are valid in any SD, and the answer is NO, they are not
allowed on SDs on an object.

Therefore, they must be possible in some places and not others, clearly
yes for the SD attributes that control flexible authentication, dynamic
authentication and silos.

So that we can enforce (or not!) the same restrictions, what at the
LDAP level determines if an attribute may contain a conditional ACE in
a security descriptor?

Thanks,

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F~abartlet%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C2793234832654fce8b0008db51e044dd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193795899396091%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3ab3gp4tP9xI7U7BZdcEwh%2Ft07gN9cLkmO%2BABnrr2w8%3D&reserved=0<https://samba.org/~abartlet/>
Samba Team Member (since 2001) https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C2793234832654fce8b0008db51e044dd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193795899396091%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vAXuz220yVDfiLOaZRSfv6M4qSEhSQDF71IOY5EiMtM%3D&reserved=0<https://samba.org/>
Samba Team Lead                https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatalyst.net.nz%2Fservices%2Fsamba&data=05%7C01%7Cjeffm%40microsoft.com%7C2793234832654fce8b0008db51e044dd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193795899396091%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=0KTNB35IJ%2Ffwd3q15KRVIDLDInszv%2BJJ6bJKVX1aIEc%3D&reserved=0<https://catalyst.net.nz/services/samba>
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatalyst.net.nz%2Fservices%2Fsamba&data=05%7C01%7Cjeffm%40microsoft.com%7C2793234832654fce8b0008db51e044dd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638193795899396091%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=0KTNB35IJ%2Ffwd3q15KRVIDLDInszv%2BJJ6bJKVX1aIEc%3D&reserved=0<https://catalyst.net.nz/services/samba>

Catalyst IT - Expert Open Source Solutions



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20230511/8b3a5216/attachment.htm>