<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40"
xmlns:ns0="http://schemas.microsoft.com/office/2004/12/omml">

<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
 namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="Street"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="address"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="country-region"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--a:link
        {mso-style-priority:99;}
span.MSOHYPERLINK
        {mso-style-priority:99;}
a:visited
        {mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
        {mso-style-priority:99;}
p
        {mso-style-priority:99;}
p.DEFAULT
        {mso-style-priority:99;}
li.DEFAULT
        {mso-style-priority:99;}
div.DEFAULT
        {mso-style-priority:99;}

 /* Font Definitions */
 @font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
p.default, li.default, div.default
        {margin:0in;
        margin-bottom:.0001pt;
        text-autospace:none;
        font-size:12.0pt;
        font-family:Verdana;
        color:black;}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:Arial;
        color:windowtext;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:Calibri;
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:Calibri;
        color:#1F497D;}
span.EmailStyle23
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:-1270745994;
        mso-list-type:hybrid;
        mso-list-template-ids:-728253145 -1 -1 -1 -1 -1 -1 -1 -1 -1;}
@list l0:level1
        {mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level2
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level3
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level4
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level5
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level6
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level7
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level8
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l0:level9
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1
        {mso-list-id:-858251549;
        mso-list-type:hybrid;
        mso-list-template-ids:-956588191 -1 -1 -1 -1 -1 -1 -1 -1 -1;}
@list l1:level1
        {mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level2
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level3
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level4
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level5
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level6
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level7
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level8
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l1:level9
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2
        {mso-list-id:1860509040;
        mso-list-type:hybrid;
        mso-list-template-ids:1104515017 -1 -1 -1 -1 -1 -1 -1 -1 -1;}
@list l2:level1
        {mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level2
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level3
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level4
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level5
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level6
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level7
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level8
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
@list l2:level9
        {mso-level-start-at:0;
        mso-level-text:"";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hi Obaid,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I was wondering if there is any progress
on this issue? <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Nadezhda Ivanova<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>

<hr size=2 width="100%" align=center tabindex=-1>

</span></font></div>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Obaid Farooqi
[mailto:obaidf@microsoft.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, July 15, 2009
7:55 PM<br>
<b><span style='font-weight:bold'>To:</span></b> Nadezhda Ivanova<br>
<b><span style='font-weight:bold'>Cc:</span></b> pfif@tridgell.net;
cifs-protocol@samba.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: Help regarding the
security descriptor creation algorithms</span></font><o:p></o:p></p>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Hi Nadezhda:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Just an update. I am
still working on your issue. I’ll update you as soon as I have something
concrete.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Obaid Farooqi<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Sr. Support
Escalation Engineer | Microsoft<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Obaid Farooqi <br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, July 10, 2009 10:47
AM<br>
<b><span style='font-weight:bold'>To:</span></b> 'Nadezhda Ivanova'<br>
<b><span style='font-weight:bold'>Cc:</span></b> pfif@tridgell.net;
cifs-protocol@samba.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: Help regarding the
security descriptor creation algorithms<o:p></o:p></span></font></p>

</div>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Hi Nadezhda:<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>My name is Obaid
Farooqi and I am a member of protocol documentation team. I’ll be helping you
with your question regarding security descriptor creation algorithms.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>I’ll keep you
updated as appropriate with my investigation.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Feel free to contact
me if you have any further questions or need clarification about this issue.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Obaid Farooqi<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'>Sr. SEE | Microsoft<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;font-family:Calibri;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Nadezhda Ivanova
[mailto:nadezhda.ivanova@postpath.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, July 10, 2009 6:09
AM<br>
<b><span style='font-weight:bold'>To:</span></b> Interoperability Documentation
Help<br>
<b><span style='font-weight:bold'>Cc:</span></b> pfif@tridgell.net;
cifs-protocol@samba.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Help regarding the
security descriptor creation algorithms<o:p></o:p></span></font></p>

</div>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Hi,<o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'>I have been working on
implementing correct nTSecurityDescriptor creation in the directory service of
Samba 4, and have come upon a problem in the <b><span style='font-weight:bold'>ComputeInheritedACLfromParent
</span></b>subroutine described in MS-DTYP 2.5.2.6. As the algorithm
is described, its purpose is to determine which ACEs from an
object’s parent are to be inherited by the new object actively, and which are
to be inherited only. The <b><span style='font-weight:bold'>ComputeInheritedACLfromParent
</span></b>subroutine, as described, walks the parent ACL twice. The first time it
determines the active inherited ACEs, the second time the ones that are
inherited but inactive. <o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'>I have been testing our
implementation with the CN=Schema partition, as the attributes and objects by
default are not given a security descriptor during creation, and the
defaultSecurityDescriptor of attribute-Schema is an empty DACL and SACL.<o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'>So, they inherit all
their DACL ACEs from their parent, CN=Schema. <o:p></o:p></span></font></p>

<p class=default><font size=2 color=black face=Verdana><span style='font-size:
10.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=default><font size=2 color=black face=Verdana><span style='font-size:
10.0pt'>In Win2008R2, CN=Schema has three inheritable DACL ACEs: <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>&nbsp;<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPLCLORC;;;AU)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><b><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-weight:bold'>ComputeInheritedACLfromParent has the
following arguments:</span></font></b><o:p></o:p></p>

<p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l2 level1 lfo2;
text-autospace:none'><![if !supportLists]><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color=black><span
style='color:black'></span> <i><span style='font-style:italic'>ACL</span></i>:
<b><span style='font-weight:bold'>ACL </span></b>that contains the parent's
ACEs from which to compute the inherited <b><span style='font-weight:bold'>ACL</span></b>.
<o:p></o:p></font></p>

<p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l2 level1 lfo2;
text-autospace:none'><![if !supportLists]><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color=black><span
style='color:black'></span> <i><span style='font-style:italic'>IsContainerObject</span></i>:
TRUE if the object is a container, FALSE otherwise. <o:p></o:p></font></p>

<p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l2 level1 lfo2;
text-autospace:none'><![if !supportLists]><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color=black><span
style='color:black'></span> <i><span style='font-style:italic'>ObjectTypes</span></i>:
Array of GUIDs for the object type being created. <o:p></o:p></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>So if we invoke the <b><span style='font-weight:bold'>ComputeInheritedACLfromParent
</span></b>with the above DACL, and IsContainerObject = true (according to
MS-ADTS 7.1.3, true is always the value), the first walk of the input <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="Courier New"><span style='font-size:8.0pt;font-family:"Courier New";
color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=default><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'>Initialize ExplicitACL to Empty ACL <o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'>FOR each ACE in ACL DO <o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>IF ACE.Flags contains INHERIT_ONLY <o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>THEN <o:p></o:p></span></font></p>

<p class=default style='margin-left:99.0pt;text-indent:-.25in;mso-list:l1 level2 lfo4'><![if !supportLists]><font
size=3 color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font face=Arial><span
style='font-family:Arial'>CONTINUE <o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>ENDIF <o:p></o:p></span></font></p>

<p class=default><font size=3 color=black face=Arial><span style='font-size:
12.0pt;font-family:Arial'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>IF(((ACE.Flags contains
CONTAINER_INHERIT) AND <o:p></o:p></span></font></p>

<p class=default style='margin-left:99.0pt;text-indent:-.25in;mso-list:l1 level2 lfo4'><![if !supportLists]><font
size=3 color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font face=Arial><span
style='font-family:Arial'>(IsContainerObject = TRUE))OR <o:p></o:p></span></font></p>

<p class=default style='margin-left:0in;text-indent:0in;mso-list:l1 level4 lfo4'><![if !supportLists]><font
size=3 color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'><span
style='mso-list:Ignore'><font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font face=Arial><span
style='font-family:Arial'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;((ACE.Flags
contains OBJECT_INHERIT) AND (IsContainerObject = FALSE))) <o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>THEN <o:p></o:p></span></font></p>

<p class=default style='margin-left:.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>CASE
ACE.Type OF <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>ALLOW: <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>DENY: <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Set
NewACE to ACE <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Set
NewACE.Flags to INHERITED <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Append
NewACE to ExplicitACL <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>OBJECT_ALLOW:
<o:p></o:p></span></font></p>

<p class=default style='margin-left:1.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>OBJECT_DENY:
<o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>IF
(ObjectTypes contains ACE.ObjectGUID) THEN <o:p></o:p></span></font></p>

<p class=default style='margin-left:2.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Set
NewACE to ACE <o:p></o:p></span></font></p>

<p class=default style='margin-left:2.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Set
NewACE.Flags to INHERITED <o:p></o:p></span></font></p>

<p class=default style='margin-left:2.0in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>Append
NewACE to ExplicitACL <o:p></o:p></span></font></p>

<p class=default style='margin-left:1.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>ENDIF <o:p></o:p></span></font></p>

<p class=default style='margin-left:.5in;text-indent:.5in'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial'>ENDCASE
<o:p></o:p></span></font></p>

<p class=default style='text-indent:.5in'><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial'>ENDIF <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 face=Arial><span
style='font-size:12.0pt;font-family:Arial'>END FOR<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=1
face="Times New Roman"><span style='font-size:8.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Will give:<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>Which is as
expected, as this is the DACL of all attributes and classes in Win 2008.<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>However, the
algorithm then walks the input a second time:<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="Courier New"><span style='font-size:8.0pt;font-family:"Courier New";
color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face=Arial><span style='font-size:12.0pt;font-family:Arial;color:black'>Initialize
InheritableACL to Empty ACL <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face=Arial><span style='font-size:12.0pt;font-family:Arial;color:black'>IF
(IsContainerObject = TRUE) THEN &nbsp;//<b><i><span style='font-weight:bold;
font-style:italic'>In our case this is always true<o:p></o:p></span></i></b></span></font></p>

<p class=MsoNormal style='text-indent:.5in;text-autospace:none'><font size=3
color=black face=Arial><span style='font-size:12.0pt;font-family:Arial;
color:black'>FOR each ACE in ACL DO <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>IF ACE.Flags contains NO_PROPAGATE THEN
&nbsp;//This flag is not set<o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>CONTINUE <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>ENDIF <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face=Arial><span style='font-size:12.0pt;font-family:Arial;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>IF((ACE.Flags contains CONTAINER_INHERIT) OR <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>(ACE.Flags contains OBJECT_INHERIT)) <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>THEN <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Set NewACE to ACE <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Add INHERITED to NewACE.Flags <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Add INHERIT_ONLY to NewACE.Flags <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:1.0in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>Append NewACE to InheritableACL <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:.5in;text-autospace:
none'><font size=3 color=black face=Arial><span style='font-size:12.0pt;
font-family:Arial;color:black'>ENDIF <o:p></o:p></span></font></p>

<p class=MsoNormal style='margin-left:0in;text-indent:0in;mso-list:l0 level1 lfo6;
text-autospace:none'><![if !supportLists]><font size=3 color=black face=Arial><span
style='font-size:12.0pt;font-family:Arial;color:black'><span style='mso-list:
Ignore'><font size=1 face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color=black face=Arial><span
style='font-family:Arial;color:black'>END FOR <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face=Arial><span style='font-size:12.0pt;font-family:Arial;color:black'>ENDIF</span></font><font
size=1 color=black face="Courier New"><span style='font-size:8.0pt;font-family:
"Courier New";color:black'> <o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="Courier New"><span style='font-size:8.0pt;font-family:"Courier New";
color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>This second
loop yields:<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>&nbsp;<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>Which, after the final step:<o:p></o:p></span></font></p>

<p class=MsoNormal style='text-autospace:none'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>RETURN
concatenation of ExplicitACL and InheritableACL <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Makes the final DACL look like: <o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>D:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIOID;RPLCLORC;;;AU)(A;CIIOID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIIOID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

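<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>So each ACE is duplicated: it appears once with the flags CIID and once more, as an inherit-only copy, with the flags CIIOID.<o:p></o:p></span></font></p>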

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>However, an attribute’s DACL in Win2008 does not have these last three
ACEs, so I am obviously missing something. How should the flow actually go
with this same example in order to avoid this duplication? Or am I providing
the wrong argument?<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Best Regards,<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Nadezhda Ivanova<o:p></o:p></span></font></p>

<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=543
 style='width:407.25pt'>
 <tr>
  <td colspan=3 style='padding:0in 0in 0in 0in'>
  <p class=MsoNormal><font size=3 face="Times New Roman"><span
  style='font-size:12.0pt'><img width=110 height=73 id="_x0000_i1043"
  src="cid:image001.gif@01CA0EC8.D015AD10"><o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td nowrap valign=top style='padding:0in 0in 11.25pt .25in'>
  <p><strong><b><font size=1 color="#666666" face=Arial><span style='font-size:
  8.5pt;font-family:Arial;color:#666666'>Nadezhda Ivanova</span></font></b></strong><font
  size=1 color="#666666" face=Arial><span style='font-size:8.5pt;font-family:
  Arial;color:#666666'><br>
  <strong><b><font face=Arial><span style='font-family:Arial'>Software Engineer</span></font></b></strong><br>
  <strong><b><font face=Arial><span style='font-family:Arial'>Software
  Development</span></font></b></strong><b><span style='font-weight:bold'><br>
  </span></b><br>
  <a href="mailto:nadezhda.ivanova@postpath.com"><font color="#666666"
  face="Times New Roman"><span style='font-family:"Times New Roman";color:#666666'>nadezhda.ivanova@postpath.com</span></font></a><o:p></o:p></span></font></p>
  </td>
  <td nowrap valign=top style='padding:0in 0in 7.5pt 15.0pt'>
  <p style='margin-bottom:12.0pt'><strong><b><font size=1 color="#666666"
  face=Arial><span style='font-size:8.5pt;font-family:Arial;color:#666666'>CISCO
  SYSTEMS <st1:country-region w:st="on"><st1:place w:st="on">BULGARIA</st1:place></st1:country-region>
  EOOD</span></font></b></strong><font size=1 color="#666666" face=Arial><span
  style='font-size:8.5pt;font-family:Arial;color:#666666'><br>
<st1:address w:st="on"><st1:Street w:st="on">18 Macedonia Blvd.</st1:Street> <st1:City
   w:st="on">Sofia</st1:City></st1:address> 1606<br>
<st1:country-region w:st="on"><st1:place w:st="on">Bulgaria</st1:place></st1:country-region><br>
  <a href="http://www.cisco.com/global/BG/"><font color="#666666"
  face="Times New Roman"><span style='font-family:"Times New Roman";color:#666666'>Cisco
  home page</span></font></a><o:p></o:p></span></font></p>
  </td>
  <td width=200 style='width:150.0pt;padding:0in 0in 0in 0in'>
  <p class=MsoNormal><font size=3 face="Times New Roman"><span
  style='font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>
  </td>
 </tr>
 <tr>
  <td style='padding:0in .25in 0in .25in'>
  <p class=MsoNormal><font size=1 color="#009900" face=Arial><span
  style='font-size:7.5pt;font-family:Arial;color:#009900'><img border=0
  width=18 height=19 id="_x0000_i1044" src="cid:image002.gif@01CA0EC8.D015AD10"
  alt="Think before you print.">Think before you print.<o:p></o:p></span></font></p>
  </td>
  <td width=232 colspan=2 style='width:174.0pt;padding:0in 0in 0in 0in'>
  <p class=MsoNormal><font size=3 face="Times New Roman"><span
  style='font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>
  </td>
 </tr>
</table>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

</div>

</body>

</html>