<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40"
xmlns:ns1="http://schemas.microsoft.com/sharepoint/soap/workflow/"
xmlns:ns2="http://schemas.microsoft.com/office/2006/digsig-setup"
xmlns:ns3="http://schemas.microsoft.com/office/2006/digsig"
xmlns:ns4="http://schemas.openxmlformats.org/package/2006/digital-signature"
xmlns:ns5="http://schemas.openxmlformats.org/markup-compatibility/2006"
xmlns:ns0="http://schemas.microsoft.com/office/2004/12/omml"
xmlns:ns6="http://schemas.openxmlformats.org/package/2006/relationships"
xmlns:ns7="http://microsoft.com/sharepoint/webpartpages"
xmlns:ns8="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:ns9="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:ns10="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/"
xmlns:ns11="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService"
xmlns:ns12="urn:schemas-microsoft-com:">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--a:link
{mso-style-priority:99;}
span.MSOHYPERLINK
{mso-style-priority:99;}
a:visited
{mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
{mso-style-priority:99;}
p.MSOPLAINTEXT
{mso-style-priority:99;}
li.MSOPLAINTEXT
{mso-style-priority:99;}
div.MSOPLAINTEXT
{mso-style-priority:99;}
p.MSOLISTPARAGRAPH
{mso-style-priority:34;}
li.MSOLISTPARAGRAPH
{mso-style-priority:34;}
div.MSOLISTPARAGRAPH
{mso-style-priority:34;}
span.PLAINTEXTCHAR
{mso-style-priority:99;}
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:Calibri;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.PlainTextChar
{font-family:Consolas;}
p.msolistparagraph, li.msolistparagraph, div.msolistparagraph
{margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:Calibri;}
span.CodeChar
{font-family:"Courier New";
color:black;}
p.Code, li.Code, div.Code
{margin-top:0in;
margin-right:0in;
margin-bottom:1.0pt;
margin-left:.15in;
font-size:11.0pt;
font-family:"Courier New";
color:black;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hi Edgar,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>So, if we must call ComputeInheritedACLFromParent with
defaultSecurityDescriptor as parent, does that mean that
CreateSecurityDescriptor must have another argument to allow passing of the
defaultSecurityDescriptor? And I suppose the issue of DEFAULT_DESCRIPTOR_FOR_OBJECT
usage will be clarified in the updated MS-ADTS? When can we expect this update
to be available?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Also, there is something I do not understand in your answer.
ComputeInheritedACLFromParent returns only the list of ACEs from the input ACL
that are inheritable, i.e have CI ot OI flag set – see the algorithm in
MS-DTYP, its pretty straightforward. IT only concatenates inheritable ACE’s.
So, if we pass defaultSecurityDescriptor to ComputeInheritedACLFromParent, we
will only get the inheritable ACE’s from defaultSecurityDescriptor. That
is not the case, however, as I have established experimentally. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>For example, lets take the security descriptor of a
domain-dns object in Win 2008. It has no parent as it is an NC, its descriptor
looks like this:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3191434175-1265308384-3577286990-498)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RP;;;WD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RPLCLORC;;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;LC;;;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RPRC;;;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;LCRPLORC;;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'>S:(AU;SA;WDWOWP;;;WD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'>(AU;SA;CR;;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'>(AU;SA;CR;;;DU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'>(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'>(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>And the defaultSecurityDescriptor of domain-DNS class is:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3191434175-1265308384-3577286990-498)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RP;;;WD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RPLCLORC;;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;CI;LC;;;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;RPRC;;;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(A;;LCRPLORC;;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'>S:(AU;SA;WDWOWP;;;WD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'>(AU;SA;CR;;;BA)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'>(AU;SA;CR;;;DU)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=FR style='font-size:10.0pt;
font-family:Arial'>(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>They are absolutely identical, and both contain non-inheritable
ace’s which would not be in the domain object’s descriptor if
the defaultSecurityDescriptor was processed by ComputeInheritableFromParent, as
you write. It could be that the algorithm is not correct, I am still waiting
for an update from Obaid on an issue about that. I am sorry but it does not
make sense to me….<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Regards,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Nadezhda Ivanova</span></font><o:p></o:p></p>
<p class=MsoNormal><font size=2 face=Calibri><span style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Arial><span style='font-size:12.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt;font-family:"Times New Roman"'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Edgar Olougouna
[mailto:edgaro@microsoft.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, August 06, 2009
5:47 PM<br>
<b><span style='font-weight:bold'>To:</span></b> Nadezhda Ivanova<br>
<b><span style='font-weight:bold'>Cc:</span></b> 'pfif@tridgell.net';
'cifs-protocol@samba.org'<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: Information needed
about security token default ACL</span></font><font size=3
face="Times New Roman"><span style='font-size:12.0pt;font-family:"Times New Roman"'><o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=2 face=Calibri><span style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>Hi
Nadezhda,<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>We
have completed investigation of your request. The MS-ADTS document will be
updated to address defaulting rules related to defaultSecurityDescriptor when
assigning security descriptors to AD objects. Our revised response for your
inquiry is as follows. <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><b><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D;font-weight:bold'>Condition 1 : Parent
contains inheritable ACEs<o:p></o:p></span></font></b></p>
<p class=msolistparagraph><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>Step 1. If the control flags on
the client allow inheritance then the inheritable ACEs from the parent form the
newly created object’s initial DACL and SACL <o:p></o:p></span></font></p>
<p class=msolistparagraph><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>Step 2. If the control flags on
the client do not allow inheritance set initial DACL and SACL to NULL<o:p></o:p></span></font></p>
<p class=msolistparagraph><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>Step 3. If an explicit security
descriptor is provided by the client, that is merged with the initial DACL and
SACL.<o:p></o:p></span></font></p>
<p class=msolistparagraph><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>Step 4. If an explicit security
descriptor is not provided by the client then the DACL and SACL from the
defaultSecurityDescriptor are merged with the initial DACL and SACL. Method
ComputeInheritedACLFromParent [MS-DTYP] section 2.5.2.6 should be called
passing DACL and SACL from the defaultSecurityDescriptor as the parameters. <o:p></o:p></span></font></p>
<p class=msolistparagraph><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=msolistparagraph><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>In ComputeACL method [MS-DTYP] section
2.5.2.4 a call to ComputeInheritedACLFromParent should to be made in the
highlighted area :<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>Set ComputedACL to NULL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>Set ComputedControl to NULL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>CALL ContainsInheritableACEs WITH ParentACL RETURNING
result<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>IF result = TRUE THEN<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> // ParentACL contains inheritable ACEs<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> </span></font><font color=black><span
style='color:windowtext'>IF(CreatorACL is not present) OR<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'>
((CreatorACL is present) AND<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'>
(AutoInheritFlags contains DEFAULT_DESCRIPTOR))<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'> THEN<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'>
// Use only the inherited ACEs from the parent<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'>
CALL ComputeInheritedACLFromParent WITH<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'>
ParentACL, IsContainerObject, ObjectTypes<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'>
RETURNING NextACL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'>
CALL PostProcessACL WITH<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'>
NextACL, Owner, Group, GenericMapping<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'>
RETURNING FinalACL<o:p></o:p></span></font></p>
<p class=Code><font size=3 color=black face=Calibri><span style='font-size:
12.0pt;font-family:Calibri;color:windowtext'>
<span style='background:yellow'>Here ComputeInheritedACLFromParent should be
called passing defaultSecurityDescriptor. The ACLs obtained via this call
should be merged with the FinalACL above. That will be the new resultant
FinalACL</span><o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'> Set ComputedACL
to FinalACL</span></font><font size=1 color=black><span style='font-size:8.0pt;
color:windowtext'><o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt;color:windowtext'> ENDIF<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> IF ((CreatorACL is present) AND<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> (AutoInheritFlags does
not contain DEFAULT_DESCRIPTOR))<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> THEN<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> CALL
PreProcessACLFromCreator WITH CreatorACL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> RETURNING
PreACL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> CALL
ComputeInheritedACLFromCreator WITH<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
PreACL, IsContainerObject, ObjectTypes<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> RETURNING
TmpACL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
IF((ComputeType = DACL_COMPUTE) AND<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
(CreatorControl does not contain DACL_PROTECTED) AND<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
(AutoInheritFlags contains DACL_AUTO_INHERIT flag))<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> THEN<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
// Compute the inherited ACEs from the parent<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
CALL ComputeInheritedACLFromParent WITH<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
ParentACL, IsContainerObject, ObjectTypes<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
RETURNING ParentACL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
Append ParentACL.ACEs to TmpACL.ACEs<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
Add DACL_AUTO_INHERITED to ComputedControl<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> ELSE <o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
IF ((ComputeType = SACL_COMPUTE) AND<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
(CreatorControl does not contain SACL_PROTECTED) AND<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
(AutoInheritFlags contains SACL_AUTO_INHERIT flag))<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
THEN<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
// Compute the inherited ACEs from the parent<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
CALL ComputeInheritedACLFromParent WITH<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
ParentACL,
IsContainerObject, ObjectTypes<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
RETURNING ParentACL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
Append ParentACL.ACEs to TmpACL.ACEs<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
Add SACL_AUTO_INHERITED to ComputedControl<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>
ENDIF<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> ENDIF<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> ENDIF<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=3 color=black face=Calibri><span style='font-size:
12.0pt;font-family:Calibri'> <span style='background:yellow'>If
(CREATORACL is absent)<o:p></o:p></span></span></font></p>
<p class=Code><font size=3 color=black face=Calibri><span style='font-size:
12.0pt;font-family:Calibri;background:yellow'>
Here ACLs should be obtained from the parent and be merged with those from the defaultSecurityDescriptor.
Both via calls to ComputeInheritedACLFromParent. <o:p></o:p></span></font></p>
<p class=Code><font size=3 color=black face=Calibri><span style='font-size:
12.0pt;font-family:Calibri;background:yellow'> ENDIF</span></font><font
size=3 face=Calibri><span style='font-size:12.0pt;font-family:Calibri'><o:p></o:p></span></font></p>
<p class=Code><font size=1 color=black face="Courier New"><span
style='font-size:8.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> CALL PostProcessACL WITH<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> TmpACL, Owner, Group,
GenericMapping<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> RETURNING ProcessedACL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'> Set ComputedACL to ProcessedACL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'><o:p> </o:p></span></font></p>
<p class=Code><font size=2 color=black face="Courier New"><span
style='font-size:11.0pt'>ELSE // ParentACL does not contain inheritable ACEs<o:p></o:p></span></font></p>
<p class=msolistparagraph><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=msolistparagraph><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><b><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D;font-weight:bold'>Condition 2 : Parent
does not contain inheritable ACEs<o:p></o:p></span></font></b></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>
If the parentACL does not contain inheritable ACEs then check to see if a
defaultSecurityDescriptor for the objectClass under consideration is present. <o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:.5in'><font size=2 color="#1f497d"
face=Calibri><span style='font-size:11.0pt;color:#1F497D'>If defaultSecurityDescriptor
is <b><span style='font-weight:bold'>present</span></b> then call
ComputeInheritedACLFromParent by passing (<b><span style='font-weight:bold'>ACL
from defaultSecurityDescriptor</span></b>) in place of <b><span
style='font-weight:bold'>ParentACL</span></b>. That is the following part in
the ComputeACL method [MS-DTYP] section 2.5.2.4.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face="Courier New"><span style='font-size:11.0pt;color:#548DD4'> </span></font><font
color="#548dd4" face=Calibri><span style='font-family:Calibri;color:#548DD4'>CALL
ComputeInheritedACLFromParent WITH<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
<b><span style='font-weight:bold'>ParentACL</span></b>, IsContainerObject,
ObjectTypes<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
RETURNING NextACL<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
CALL PostProcessACL WITH<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
NextACL, Owner, Group, GenericMapping<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
RETURNING FinalACL<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
Set ComputedACL to FinalACL<o:p></o:p></span></font></p>
<p class=Code><font size=2 color="#548dd4" face=Calibri><span style='font-size:
11.0pt;font-family:Calibri;color:#548DD4'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>In this case the security information in
the token need not be used. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=MsoNormal><b><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D;font-weight:bold'>Condition 3 : Parent
does not contain inheritable ACEs AND defaultSecurityDescriptor for the
particular object is absent<o:p></o:p></span></font></b></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>If the defaultSecurityDescriptor of the
particular objectClass under consideration is <b><span style='font-weight:bold'>absent</span></b>
then make use of Token as described in the ComputeACL method.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>ELSE
// ParentACL does not contain inheritable ACEs<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>IF
CreatorACL = NULL THEN<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
// No ACL supplied for the object<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
IF (ComputeType = DACL_COMPUTE) THEN<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
Set ComputedACL to Token.DefaultDACL<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
ELSE<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
// No default for SACL; left as NULL<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
ENDIF<o:p></o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'><o:p> </o:p></span></font></p>
<p class=Code style='margin-left:.5in'><font size=2 color="#548dd4"
face=Calibri><span style='font-size:11.0pt;font-family:Calibri;color:#548DD4'>
ELSE<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>Let
us know if you need further assistance on this topic. <o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>Best
regards,<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>Edgar<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>-----Original
Message-----<br>
From: Nadezhda Ivanova [mailto:nadezhda.ivanova@postpath.com] <br>
Sent: Friday, July 31, 2009 6:53 AM<br>
To: Edgar Olougouna<br>
Cc: pfif@tridgell.net; cifs-protocol@samba.org<br>
Subject: RE: Information needed about security token default ACL<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>Hi
Edgar,<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>Thank
you for your explanation. It answered a lot of questions, but also raised some
more, see below:<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
-----Original Message-----<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
From: Edgar Olougouna [mailto:edgaro@microsoft.com]<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Sent: Thursday, July 30, 2009 5:37 PM<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
To: Nadezhda Ivanova<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Cc: 'pfif@tridgell.net'; 'cifs-protocol@samba.org'<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Subject: RE: Information needed about security token default ACL<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Hi Nadezhda,<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
This response relates to the portion of your inquiry regarding the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
CreateSecurityDescriptor algorithm. I hope the following information will<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
clarify how CreatorDescriptor and defaultSecuritiDescriptor relate to the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
CreateSecurityDescriptor procedure.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
The CreatorDescriptor (optional) is a security descriptor explicitly<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
provided by the creator of the object. The creator of the object is the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
subject that is creating the object. A subject is a thread executing in<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
the security context provided by an access token.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
[MS-ADTS] Section 7 provides additional information that may help on your<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
topic. Section "7.1.3 Security Descriptor Requirements" details the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
parameters used by the CreateSecurityDescriptor algorithm to compute the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
resultant security descriptor value of an AD object, for instance<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
AutoInheritFlags: DACL_AUTO_INHERIT | SACL_AUTO_INHERIT.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Note these key points when an ACL is built for an AD object compared to<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
other types of objects:<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
* Generic inheritable ACEs apply to all
types of child objects.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Object-specific inheritable ACEs apply only to a specific type of child<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
object.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
* If there is no supplied security
descriptor, no parent-inheritable<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
ACEs, the operating system uses the ACL from the defaultSecurityDescriptor<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
in the classSchema object.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Based on the CreateSecurityDescriptor procedure from [MS-DTYP] 2.5.2.3,<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
you can apply the following rules to ACL assignment for a new AD object:<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
If an explicit security descriptor (CreatorDescriptor) is provided by the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
client, then that forms the object's initial DACL and SACL. If the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
client's controls allow inheritance then the inheritable ACEs from the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
parent are merged into the object's initial DACL and SACL.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
If the client does not provide an explicit security descriptor then the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
inheritable ACEs from the parent are merged into the new object's DACL and<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
SACL. For details please refer to [MS-DTYP] section 2.5.2.4 ComputeACL<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
method. If the parent contains object-specific inheritable ACEs then the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
defaultSecurityDescriptor is not used during the security descriptor<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
creation process for the newly added object.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>[Nadezhda
Ivanova]<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>Above
you state that defaultSecurityDescriptor is used if there are NO
inheritable ACE's, here you say it's used if there are no Object-Specific
Inheritable ACE's... If there are non-object specific inheritable ACE's , do we
merge them in with the ace's from the defaultSecurityDescriptor?<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
If the parent does not contain object-specific inheritable ACEs then the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
defaultSecurityDescriptor from the Active Directory schema for the object<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
type is used. Following the definition of method ComputeACL in [MS-DTYP]<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
2.5.2.4, method ComputeInheritedACLFromParent [MS-DTYP] section 2.5.2.6<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
can be called by passing ACLs from the defaultSecurityDescriptor as the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
parameters.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>[Nadezhda
Ivanova]<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>I
need clarification here. By definition ComputeInheritedACLFromParent accepts
the Parent's descriptor and returns the set of ACE's to be inherited by the new
object. How exactly do you use it with defaultSecurityDescriptor's ACE?<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>I
assume you mean the following part of computeACL:<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>IF
result = TRUE<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>
THEN // ParentACL contains inheritable ACEs<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>
IF(CreatorACL is not present) OR ((CreatorACL is
present)
AND(AutoInheritFlags contains DEFAULT_DESCRIPTOR))<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>
THEN // Use only the inherited ACEs from the
parent<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>
CALL ComputeInheritedACLFromParent WITH
ParentACL,
IsContainerObject, ObjectTypes<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>
RETURNING NextACL<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>
CALL PostProcessACL WITH NextACL, Owner, Group, GenericMapping RETURNING
FinalACL<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>
Set ComputedACL to FinalACL<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>
ENDIF<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>Here
is the description of DEFAULT_DESCRIPTOR:<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>DEFAULT_DESCRIPTOR_FOR_OBJECT:
Selects the CreatorDescriptor as the default security descriptor provided that
no object type specific ACEs are inherited from the parent. If such ACEs do get
inherited, CreatorDescriptor is ignored.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>So,
it appears that the defaultSecurityDescriptor is passed on as
CreatorDescriptor, and the DEFAULT_DESCRIPTOR_FOR_OBJECT flag is raised in this
case. How does that connect with calling ComputeInheritedACLFromParent with
defaultSecurityDescriptors ACE's.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>Also,
the above portion of the algorithm appears to always disregard CreatorACL if
the flag is raised, and not if the flag is raised AND the parent contains
Object-Specific inheritable ACES, as the flag's description and your answer
state. So, what am I missing here?<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
If the Active Directory schema does not specify a<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
defaultSecurityDescriptor for the object type then the security<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
information in the requestor's token is used. For details about the usage<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
of the requestor's token please refer [MS-DTYP] Section 2.5.2.4<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
ComputeACL.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Please let me know if you need further assistance on this topic.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Best regards,<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Edgar<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
-----Original Message-----<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
From: Nadezhda Ivanova [mailto:nadezhda.ivanova@postpath.com]<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Sent: Friday, July 17, 2009 7:46 AM<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
To: Interoperability Documentation Help<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Cc: pfif@tridgell.net; cifs-protocol@samba.org<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Subject: Information needed about security token default ACL<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Hi,<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
In the course of my work in implementing security descriptor inheritance<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
in Directory service of Samba 4, I came across the following statement in<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
MS-DTYP, 2.5.2<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
"The token also contains an ACL, Token.DefaultDACL, that serves as the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
DACL assigned by default to any objects created by the user. "<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
So, am I right to understand that this DACL is used when no<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
nTSecurityDescriptor is provided by the incoming LDAP add request, and<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
there is no defaultSecurityDescriptor for the objectClass.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
If so, how is the Token.DefaultDACL constructed and when? Is this based on<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
the user's credentials and how?<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
In addition, I have a question about the security descriptor creation<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
algorithm described in MS-DTYP 2.5.2.3<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
One of the arguments of CreateSecurityDescriptor is:<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
CreatorDescriptor: Security descriptor for the new object provided by the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
creator of the object. Caller can pass NULL.<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Am I right in understanding that this is either the nTSecurityDescriptor<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
attribute provided by the user, or, in the lack thereof, the<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
defaultSecurityDescriptor of the object class?<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Best Regards,<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'>>
Nadezhda Ivanova<o:p></o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
<p class=MsoPlainText><font size=2 face=Consolas><span style='font-size:10.5pt'><o:p> </o:p></span></font></p>
</div>
</div>
</body>
</html>