[cifs-protocol] conditional deny aces not working over SMB - TrackingID#2310190040000571

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Wed Oct 25 21:20:44 UTC 2023


I have a pcapng file here:

https://www.samba.org/~dbagnall/windows-smb-file-access-denied-callback.pcapng

I'll also note our tests show the conditional deny ACEs do work in other 
settings that relate purely to Kerberos tickets and not to file access.

Douglas

On 26/10/23 09:33, Douglas Bagnall via cifs-protocol wrote:
> hi Obaid,
> 
>> How did you set up your test environment?
> 
> Well, haphazardly, it must be said. I tried various things, none of 
> which made any difference.
> 
> This is on a standalone server -- there is no KDC or user claims. The 
> conditional ACEs refer to facts that are independent of actual claims, 
> or only to resource attribute claims.  They work perfectly with allow 
> aces, and not at all with deny aces.
> 
> I get a 404 at 
> https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
> -- was something clipped off the end?
> 
> cheers,
> Douglas
> 
> On 26/10/23 06:06, Obaid Farooqi wrote:
>> Hi Douglas:
>> My conversation with product group revealed that the claims based 
>> authorization was developed to protect files, SMB or otherwise.
>> How did you set up your test environment?
>> Here are some instructions on setting up a test environment:
>>
>> https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> -----Original Message-----
>> From: Obaid Farooqi
>> Sent: Thursday, October 19, 2023 11:45 AM
>> To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Douglas Bagnall 
>> <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
>> Cc: Microsoft Support <supportmail at microsoft.com>
>> Subject: RE: [EXTERNAL] conditional deny aces not working over SMB - 
>> TrackingID#2310190040000571
>>
>> Hi Douglas:
>> I'll look into this and will be in touch as soon as I have an answer.
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> -----Original Message-----
>> From: Jeff McCashland (He/him) <jeffm at microsoft.com>
>> Sent: Wednesday, October 18, 2023 8:45 PM
>> To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; 
>> cifs-protocol at lists.samba.org
>> Cc: Microsoft Support <supportmail at microsoft.com>
>> Subject: RE: [EXTERNAL] conditional deny aces not working over SMB - 
>> TrackingID#2310190040000571
>>
>> [DocHelp to BCC, support on CC, SR ID on Subject]
>>
>> Hi Douglas,
>>
>> Thank you for your email. We have created SR 2310190040000571 to track 
>> this issue. One of our engineers will respond soon.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
>> Protocol Open Specifications Team
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
>> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
>> found here: http://support.microsoft.com/globalenglish | Extension 
>> 1138300
>>
>> -----Original Message-----
>> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>> Sent: Wednesday, October 18, 2023 3:46 PM
>> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help 
>> <dochelp at microsoft.com>
>> Subject: [EXTERNAL] conditional deny aces not working over SMB
>>
>> hi Dochelp,
>>
>> Using SMB2 and Windows 2022, if I set the DACL of a file to
>>
>>     D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)
>>
>> I can still access the file (also over SMB2).
>>
>> I didn't expect that, as the first ACE should deny access when the 
>> condition "Member_of SID(WD)" is true, which is essentially the same 
>> condition as the allow ACE that follows it.
>>
>> I haven't been able to find any cases of conditional deny ACEs working 
>> for file access. I see the same behaviour locally on the machine.
>>
>> I'm guessing this is out of scope for [MS-DTYP], which describes the 
>> ACE types but does not say where and how they are used. Is the 
>> expected meaning of conditional ACEs for file access described anywhere?
>>
>> From what I can see, conditional ACEs in the file system are called 
>> Dynamic Access Control, and people wrote everything that is known 
>> about it in 2012.
>>
>> I believe SMB defers the authorization decisions to the underlying 
>> file system, and this uses something other than the user space AuthZ 
>> API which is used for handling AD claims (I think). Most of what is 
>> written about conditional ACEs refers to that API, or directly to claims.
>>
>> Because file system behaviour is not considered part of a protocol, 
>> ACLs on files can be interpreted however the server prefers. Is that 
>> roughly the position? On the slight chance it isn't, I would like to 
>> know if the behaviour of conditional ACEs over SMB is documented.
>>
>> cheers,
>> Douglas
>>
> 
> 
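For readers following the thread, here is an added example (not code from the list, Samba or Windows) that parses the DACL string quoted above and evaluates it under the ordered-ACE semantics Douglas describes: a matching deny ACE whose condition is TRUE refuses access before any later allow is considered. It covers only the subset on the page (A/D/XA/XD ACEs, the FA/FR/FW rights, the WD alias and `Member_of SID(...)` conditions); treating an unrecognised condition as "not applied" is an assumption of this model, as is the outcome, which is the spec reading rather than the Windows 2022 behaviour observed in the report.

```python
import re

SID_ALIAS = {"WD": "S-1-1-0"}                       # Everyone; other aliases omitted
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116}  # FILE_ALL/READ/WRITE_ACCESS

def split_aces(dacl):
    """Return the inside of each '(...)' ACE of a 'D:' string, honouring nested parens."""
    body = dacl[2:] if dacl.startswith("D:") else dacl
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(body[start:i])
    return aces

def parse_ace(text):
    """Split 'type;flags;rights;obj;inh;sid[;(condition)]' into its fields."""
    f = text.split(";", 6)
    return {"type": f[0],
            "mask": RIGHTS.get(f[2], int(f[2], 16) if f[2] else 0),
            "sid": SID_ALIAS.get(f[5], f[5]),
            "cond": f[6][1:-1] if len(f) > 6 else None}   # drop the outer parens only

def eval_condition(cond, token_sids):
    """Evaluate 'Member_of SID(x)' / 'Not_Member_of SID(x)'; anything else is unknown."""
    m = re.fullmatch(r"(Not_)?Member_of SID\((\S+)\)", cond)
    if not m:
        return None                                  # unknown: the ACE is not applied (assumption)
    member = SID_ALIAS.get(m.group(2), m.group(2)) in token_sids
    return (not member) if m.group(1) else member

def check_access(dacl, token_sids, requested):
    """Walk the DACL in order: the first applicable deny wins, allows accumulate."""
    granted = 0
    for ace in map(parse_ace, split_aces(dacl)):
        if ace["sid"] not in token_sids:
            continue
        if ace["cond"] is not None and eval_condition(ace["cond"], token_sids) is not True:
            continue
        if ace["type"] in ("D", "XD") and ace["mask"] & requested:
            return False
        if ace["type"] in ("A", "XA"):
            granted |= ace["mask"]
            if granted & requested == requested:
                return True
    return False

# Constructed token for a user who is, like everyone, a member of Everyone (S-1-1-0).
if __name__ == "__main__":
    print(check_access("D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)", {"S-1-1-0"}, RIGHTS["FA"]))
```

Under this model the quoted DACL yields False (denied), which is the result Douglas expected and the opposite of what the Windows server returned.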
