[cifs-protocol] conditional deny aces not working over SMB - TrackingID#2310190040000571
Obaid Farooqi
obaidf at microsoft.com
Wed Oct 25 17:06:41 UTC 2023
Hi Douglas:
My conversation with product group revealed that the claims based authorization was developed to protect files, SMB or otherwise.
How did you set up you test environment?
Here is some instructions on setting up a test environment:
https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
-----Original Message-----
From: Obaid Farooqi
Sent: Thursday, October 19, 2023 11:45 AM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] conditional deny aces not working over SMB - TrackingID#2310190040000571
Hi Douglas:
I'll look into this and will be in touch as soon as I have an answer.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
-----Original Message-----
From: Jeff McCashland (He/him) <jeffm at microsoft.com>
Sent: Wednesday, October 18, 2023 8:45 PM
To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] conditional deny aces not working over SMB - TrackingID#2310190040000571
[DocHelp to BCC, support on CC, SR ID on Subject]
Hi Douglas,
Thank you for your email. We have created SR 2310190040000571 to track this issue. One of our engineers will respond soon.
Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
-----Original Message-----
From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Sent: Wednesday, October 18, 2023 3:46 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] conditional deny aces not working over SMB
hi Dochelp,
Using SMB2 and Windows 2022, if I set the DACL of a file to
D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)
I can still access the file (also over SMB2).
I didn't expect that, as the first ACE should deny access when the condition "Member_of SID(WD)" is true, which is essentially the same condition as the allow ACE that follows it.
I haven't been able to find any cases of conditional deny ACEs working for file access. I see the same behaviour locally on the machine.
I'm guessing this is out of scope for [MS-DTYP], which describes the ACE types but does not say where and how they are used. Is the expected meaning of conditional ACEs for file access described anywhere?
From what I can see, conditional ACEs in file system is called Dynamic Access Control, and people wrote everything that is known about it in 2012.
I believe SMB defers the authorization decisions to the underlying file system, and this uses something other than the user space AuthZ API which is used for handling AD claims (I think). Most of what is written about conditional ACEs refers to that API, or directly to claims.
Because file system behaviour is not considered part of a protocol, ACLs on files can be interpreted however the server prefers. Is that roughly the position? On the slight chance it isn't, I would like to know if the behaviour of conditional ACEs over SMB is documented.
cheers,
Douglas
More information about the cifs-protocol
mailing list