[cifs-protocol] [MS-DTYP] no SDDL for ACCESS_DENIED_CALLBACK_OBJECT_ACE? - TrackingID#2308250010010895

Obaid Farooqi obaidf at microsoft.com
Mon Sep 11 17:49:13 UTC 2023


Hi Douglas:
Your research is spot on. There is no definition of "Access Denied Object Callback" in code. 

If this doesn't answer your question, please let me know.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi 
Sent: Tuesday, August 29, 2023 2:05 PM
To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [MS-DTYP] no SDDL for ACCESS_DENIED_CALLBACK_OBJECT_ACE? - TrackingID#2308250010010895

Hi Douglas:
I'll help you with this issue and will be in touch as soon as I have an answer.

-----Original Message-----
From: Tom Jebo <tomjebo at microsoft.com> 
Sent: Friday, August 25, 2023 12:29 PM
To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] [MS-DTYP] no SDDL for ACCESS_DENIED_CALLBACK_OBJECT_ACE? - TrackingID#2308250010010895

[dochelp to bcc]
[support mail to cc]

Hi Douglas, 

Thanks for your request regarding MS-DTYP ACCESS_DENIED_CALLBACK_OBJECT_ACE. One of the Open Specifications team members will respond to assist you. In the meantime, we’ve created case 2308250010010895 to track this request. Please leave the case number in the subject when communicating with our team about this request.

Best regards,
Tom Jebo
Microsoft Open Specifications Support

-----Original Message-----
From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz> 
Sent: Thursday, August 24, 2023 5:36 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] [MS-DTYP] no SDDL for ACCESS_DENIED_CALLBACK_OBJECT_ACE?

Hi Dochelp,

According to [MS-DTYP], there is no way to express an ACCESS_DENIED_CALLBACK_OBJECT_ACE in SDDL.
I just want to confirm that.

If ACCESS_ALLOWED_CALLBACK_OBJECT_ACE has type "ZA", symmetry would propose "ZD" 
for the denied counterpart, but no.

I have tried mutating an ACCESS_ALLOWED_CALLBACK_OBJECT_ACE to flip the ace type, but I can't get it to encode as SDDL.

So I suppose it is the case that in the places where we transmit security descriptors as SDDL, we just can't transmit these ones.

Douglas
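
The following is an added example, not part of the original messages and not Samba or Microsoft code: a pre-flight check that walks a binary ACL and reports ACEs that cannot be written as SDDL, the case this thread confirms. The numeric ACE type values and the SDDL strings other than "ZA" are taken from [MS-DTYP] as assumptions; the function names and the sample ACL are constructed for illustration.

```python
import struct

# ACE type byte -> SDDL ace-type string, per [MS-DTYP] (assumed values);
# None marks a type with no SDDL form. Only types this example needs are listed.
SDDL_ACE_TYPE = {
    0x00: "A",   # ACCESS_ALLOWED_ACE
    0x01: "D",   # ACCESS_DENIED_ACE
    0x05: "OA",  # ACCESS_ALLOWED_OBJECT_ACE
    0x06: "OD",  # ACCESS_DENIED_OBJECT_ACE
    0x09: "XA",  # ACCESS_ALLOWED_CALLBACK_ACE
    0x0A: "XD",  # ACCESS_DENIED_CALLBACK_ACE
    0x0B: "ZA",  # ACCESS_ALLOWED_CALLBACK_OBJECT_ACE
    0x0C: None,  # ACCESS_DENIED_CALLBACK_OBJECT_ACE: no SDDL string
}

def ace_types(acl: bytes):
    """Yield (index, AceType) for each ACE in a binary ACL, checking sizes."""
    if len(acl) < 8:
        raise ValueError("ACL shorter than its 8-byte header")
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2 (little-endian)
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    if acl_size > len(acl):
        raise ValueError("AclSize exceeds buffer")
    off = 8
    for i in range(ace_count):
        if off + 4 > acl_size:
            raise ValueError(f"ACE {i}: header runs past AclSize")
        # ACE header: AceType, AceFlags, AceSize
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", acl, off)
        if ace_size < 4 or off + ace_size > acl_size:
            raise ValueError(f"ACE {i}: bad AceSize {ace_size}")
        yield i, ace_type
        off += ace_size

def sddl_blockers(acl: bytes):
    """Indexes of ACEs known to have no SDDL form (unlisted types are not judged)."""
    return [i for i, t in ace_types(acl) if t in SDDL_ACE_TYPE and SDDL_ACE_TYPE[t] is None]

def _ace(ace_type: int, body: bytes) -> bytes:
    """Build a constructed ACE: 4-byte header plus an opaque body."""
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

# Constructed sample: bodies are zero padding, not valid masks or SIDs.
SAMPLE_ACES = _ace(0x0B, bytes(12)) + _ace(0x0C, bytes(12)) + _ace(0x01, bytes(12))
SAMPLE_ACL = struct.pack("<BBHHH", 4, 0, 8 + len(SAMPLE_ACES), 3, 0) + SAMPLE_ACES
```

A non-empty result from `sddl_blockers` means the descriptor has to travel in binary form, since an SDDL rendering would have to drop or reject those ACEs.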



