[cifs-protocol] [EXTERNAL] Re: conditional deny aces not working over SMB - TrackingID#2310190040000571

Andrew Bartlett abartlet at samba.org
Thu Nov 9 05:30:27 UTC 2023


It works, it is just that our mail clients don't expect a link that
ends with a -, and assume that is punctuation. 
Adding that back makes it work. 
Andrew
On Thu, 2023-11-09 at 05:12 +0000, Obaid Farooqi via cifs-protocol
wrote:
> Hi Douglas:
> I assume the following link is working. If you have any other
> questions, please let me know.
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Wednesday, October 25, 2023 5:03 PM
> To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] Re: conditional deny aces not working over SMB - TrackingID#2310190040000571
> 
> Hi Douglas:
> See if this works for you:
> https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
> 
> -----Original Message-----
> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> Sent: Wednesday, October 25, 2023 3:34 PM
> To: Obaid Farooqi <obaidf at microsoft.com>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: [EXTERNAL] Re: conditional deny aces not working over SMB - TrackingID#2310190040000571
> hi Obaid,
> 
> > How did you set up your test environment?
> 
> Well, haphazardly, it must be said. I tried various things, none of
> which made any difference.
> 
> This is on a standalone server -- there is no KDC or user claims. The
> conditional ACEs refer to facts that are independent of actual
> claims, or only to resource attribute claims. They work perfectly
> with allow aces, and not at all with deny aces.
> 
> I get a 404 at
> https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
> -- was something clipped off the end?
> 
> cheers,
> Douglas
> On 26/10/23 06:06, Obaid Farooqi wrote:
> > Hi Douglas:
> > My conversation with product group revealed that the claims based
> > authorization was developed to protect files, SMB or otherwise.
> > How did you set up your test environment? Here are some
> > instructions on setting up a test environment:
> > https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
> > Regards,
> > Obaid Farooqi
> > Escalation Engineer | Microsoft
> > -----Original Message-----
> > From: Obaid Farooqi
> > Sent: Thursday, October 19, 2023 11:45 AM
> > To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
> > Cc: Microsoft Support <supportmail at microsoft.com>
> > Subject: RE: [EXTERNAL] conditional deny aces not working over SMB - TrackingID#2310190040000571
> > 
> > Hi Douglas:
> > I'll look into this and will be in touch as soon as I have an answer.
> > Regards,
> > Obaid Farooqi
> > Escalation Engineer | Microsoft
> > -----Original Message-----
> > From: Jeff McCashland (He/him) <jeffm at microsoft.com>
> > Sent: Wednesday, October 18, 2023 8:45 PM
> > To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
> > Cc: Microsoft Support <supportmail at microsoft.com>
> > Subject: RE: [EXTERNAL] conditional deny aces not working over SMB - TrackingID#2310190040000571
> > 
> > [DocHelp to BCC, support on CC, SR ID on Subject]
> > 
> > Hi Douglas,
> > Thank you for your email. We have created SR 2310190040000571 to
> > track this issue. One of our engineers will respond soon.
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> > Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> > 
> > -----Original Message-----
> > From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> > Sent: Wednesday, October 18, 2023 3:46 PM
> > To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
> > Subject: [EXTERNAL] conditional deny aces not working over SMB
> > hi Dochelp,
> > Using SMB2 and Windows 2022, if I set the DACL of a file to
> >     D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)
> > I can still access the file (also over SMB2).
> > I didn't expect that, as the first ACE should deny access when the
> > condition "Member_of SID(WD)" is true, which is essentially the
> > same condition as the allow ACE that follows it.
> > I haven't been able to find any cases of conditional deny ACEs
> > working for file access. I see the same behaviour locally on the
> > machine.
> > I'm guessing this is out of scope for [MS-DTYP], which describes
> > the ACE types but does not say where and how they are used. Is the
> > expected meaning of conditional ACEs for file access described
> > anywhere?
> > From what I can see, conditional ACEs in the file system are called
> > Dynamic Access Control, and people wrote everything that is known
> > about it in 2012.
> > I believe SMB defers the authorization decisions to the underlying
> > file system, and this uses something other than the user space
> > AuthZ API which is used for handling AD claims (I think). Most of
> > what is written about conditional ACEs refers to that API, or
> > directly to claims.
> > Because file system behaviour is not considered part of a protocol,
> > ACLs on files can be interpreted however the server prefers. Is
> > that roughly the position? On the slight chance it isn't, I would
> > like to know if the behaviour of conditional ACEs over SMB is
> > documented.
> > cheers,
> > Douglas
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
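The DACL from Douglas's report, walked through the ordered access-check algorithm that MS-DTYP's pseudocode describes, as an added example (not code from this thread, from Samba or from Microsoft): it parses the SDDL string into ACEs, evaluates the `Member_of` condition against a token's group SIDs, and applies the deny-before-allow walk. The SID alias table, the rights masks and the reduced condition grammar are assumptions; inheritance propagation, object ACEs and "Unknown" condition results are deliberately not modelled. It goes slightly beyond the thread's single condition by also accepting `!`, `&&` and `||`.

```python
"""Parse an SDDL DACL containing conditional (callback) ACEs and walk it in
order as the MS-DTYP access-check pseudocode does.  Added illustration using
a small SDDL subset; the alias and rights tables below are constructed."""
import re

SID_ALIASES = {"WD": "S-1-1-0", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
_TOK = re.compile(r"&&|\|\||!|[()]|Member_of|SID\([^)]*\)")

def _sid(tok):                     # SDDL alias or a literal S-1-... string
    return SID_ALIASES.get(tok, tok)

def _rights(field):                # '', 'FA', 'FRFW' -> OR of the masks
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """'D:(type;flags;rights;obj;inh;sid[;(cond)])...' -> list of ACE dicts.
    Fields are split on ';' only at depth 1, so a condition's own
    parentheses are kept intact."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string starting with 'D:'")
    aces, fields, cur, depth = [], [], [], 0
    for ch in sddl[2:]:
        if ch == "(" and depth == 0:          # start of a new ACE
            depth, fields, cur = 1, [], []
        elif ch == ")" and depth == 1:        # end of the ACE
            fields.append("".join(cur))
            aces.append({"type": fields[0], "flags": re.findall("..", fields[1]),
                         "rights": _rights(fields[2]), "sid": _sid(fields[5]),
                         "cond": fields[6] if len(fields) > 6 else None})
            depth = 0
        elif ch == ";" and depth == 1:
            fields.append("".join(cur))
            cur = []
        else:
            depth += (ch == "(") - (ch == ")")
            cur.append(ch)
    return aces

class _Cond:
    """Recursive-descent evaluator for the Member_of subset; precedence ! > && > ||."""
    def __init__(self, cond, sids):
        self.sids, self.toks, self.i = sids, _TOK.findall(cond), 0
    def _take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def expr(self):                       # expr := and_expr ('||' and_expr)*
        v = self.and_expr()
        while self._peek() == "||":
            self._take()
            v = self.and_expr() or v      # right side is always parsed
        return v
    def and_expr(self):                   # and_expr := unary ('&&' unary)*
        v = self.unary()
        while self._peek() == "&&":
            self._take()
            v = self.unary() and v
        return v
    def unary(self):                      # '!' unary | '(' expr ')' | Member_of SID(x)
        tok = self._take()
        if tok == "!":
            return not self.unary()
        if tok == "(":
            v = self.expr()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return v
        if tok == "Member_of":
            return _sid(self._take()[4:-1]) in self.sids
        raise ValueError("unexpected token " + tok)

def access_check(sddl, token_sids, requested):
    """Ordered DACL walk: an applicable deny ACE overlapping the still-unmet
    rights denies at once; applicable allow ACEs strip rights from the
    remaining set; access is granted only once nothing remains."""
    sids = {_sid(s) for s in token_sids}
    remaining = _rights(requested) if isinstance(requested, str) else requested
    for ace in parse_dacl(sddl):
        if "IO" in ace["flags"] or ace["sid"] not in sids:
            continue                      # inherit-only, or trustee not in token
        if ace["cond"] is not None and not _Cond(ace["cond"], sids).expr():
            continue                      # condition false: ACE does not apply
        if ace["type"] in ("D", "XD") and remaining & ace["rights"]:
            return False
        if ace["type"] in ("A", "XA"):
            remaining &= ~ace["rights"]
    return remaining == 0

# Douglas's DACL: a conditional deny on Everyone whose condition is always
# true for Everyone, followed by an unconditional allow for Everyone.
DOUGLAS_DACL = "D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)"
```

Under this ordering `access_check(DOUGLAS_DACL, ["WD"], "FA")` returns `False`, the deny Douglas expected, because the XD ACE is reached before the allow ACE and its condition holds for any token containing Everyone. The thread reports Windows 2022 granting access instead, so this models the documented expectation, not the observed server behaviour; swapping `XD` for `XA` in the same string yields the allow case Douglas says works.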