<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>

<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.default, li.default, div.default
        {mso-style-name:default;
        mso-style-priority:99;
        margin:0in;
        margin-bottom:.0001pt;
        text-autospace:none;
        font-size:12.0pt;
        font-family:"Verdana","sans-serif";
        color:black;}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:"Arial","sans-serif";
        color:windowtext;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:"Arial","sans-serif";
        color:navy;}
span.EmailStyle24
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Nadezhda:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I have just sent you the answer for the security descriptor
algorithm question. The work on &#8220;owner and group rules in MS-ADTS&#8221; is in
progress and I&#8217;ll be in touch as soon as I have an answer.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thanks for your patience.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Regards,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Obaid Farooqi<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Sr. Support Escalation Engineer | Microsoft<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Nadezhda Ivanova
[mailto:nadezhda.ivanova@postpath.com] <br>
<b>Sent:</b> Tuesday, August 11, 2009 5:33 AM<br>
<b>To:</b> Obaid Farooqi<br>
<b>Cc:</b> pfif@tridgell.net; cifs-protocol@samba.org<br>
<b>Subject:</b> RE: Question about owner and group defaulting rules in MS-ADTS<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'>Hi Obaid,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'>Is there any progress on this issue, or my other enquiry about the
security descriptor creation algorithms? It&#8217;s been a while now and we need this
information to be able to include the security implementation in the next alpha
of Samba 4.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'>Best Regards,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'>Nadezhda Ivanova<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:navy'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>

<div>

<div class=MsoNormal align=center style='text-align:center'>

<hr size=2 width="100%" align=center>

</div>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Obaid Farooqi <br>
<b>Sent:</b> Wednesday, August 05, 2009 6:33 PM<br>
<b>To:</b> Nadezhda Ivanova<br>
<b>Cc:</b> pfif@tridgell.net; cifs-protocol@samba.org<br>
<b>Subject:</b> RE: Question about owner and group defaulting rules in MS-ADTS</span><o:p></o:p></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Nadezhda:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I have assumed the ownership of this issue. I&#8217;ll keep you
updated on the progress as appropriate.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If you have any further question/clarification on this issue,
please feel free to contact me.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Regards,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Obaid Farooqi<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Sr. Support Escalation Engineer | Microsoft<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Bill Wesse <br>
<b>Sent:</b> Tuesday, August 04, 2009 8:13 AM<br>
<b>To:</b> Nadezhda Ivanova; Interoperability Documentation Help<br>
<b>Cc:</b> pfif@tridgell.net; cifs-protocol@samba.org<br>
<b>Subject:</b> RE: Question about owner and group defaulting rules in MS-ADTS<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Good morning! I have created case SRX090804600022 to track our
work for your request. One of my team colleagues will take ownership of the
case and contact you shortly.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>Regards,</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:navy'><br>
</span><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>Bill Wesse</span></b><span style='font-size:11.0pt;font-family:
"Calibri","sans-serif";color:navy'><br>
</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>MCSE, MCTS / Senior Escalation Engineer, US-CSS&nbsp;DSC PROTOCOL
TEAM</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:navy'><br>
</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>8055 Microsoft Way</span><span style='font-size:11.0pt;font-family:
"Calibri","sans-serif";color:navy'><br>
</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>Charlotte, NC 28273</span><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:navy'><br>
</span><span style='font-size:10.0pt;font-family:"Courier New";color:black'>TEL:
&nbsp;+1(980) 776-8200<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";
color:black'>CELL:&nbsp;+1(704) 661-5438</span><span style='font-size:11.0pt;
font-family:"Courier New";color:navy'><br>
</span><span style='font-size:10.0pt;font-family:"Courier New";color:black'>FAX:&nbsp;
+1(704) 665-9606<o:p></o:p></span></p>

</div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Nadezhda Ivanova
[mailto:nadezhda.ivanova@postpath.com] <br>
<b>Sent:</b> Tuesday, August 04, 2009 3:58 AM<br>
<b>To:</b> Interoperability Documentation Help<br>
<b>Cc:</b> pfif@tridgell.net; cifs-protocol@samba.org<br>
<b>Subject:</b> Question about owner and group defaulting rules in MS-ADTS<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hi,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In
MS-ADTS, section 7.1.3.6, the following is written:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=default><span style='font-size:9.0pt'>The GROUP field is defaulted as
follows: <o:p></o:p></span></p>

<p class=default style='text-indent:.5in'><span style='font-size:9.0pt;
font-family:Wingdings'>§ </span><span style='font-size:9.0pt'>If the DAG was
used as the default OWNER field value, then the same SID is written into the
GROUP field. <o:p></o:p></span></p>

<p class=default><span style='font-size:9.0pt'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>However,
it appears that the creating user&#8217;s primary group is ALWAYS used as the default
group, regardless of partition or owner. <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Example:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>We
create an object in the domain partition, say an OU, without providing an
nTSecurityDescriptor. The creating user is a member of Domain Admins, with
primary group Domain Users, so the DAG is Domain Admins as per the DAG rules in
the same document. Domain Admins is used as the OWNER in the new object&#8217;s
security descriptor. According to the above statement, Domain Admins should
also be set as the default group. However, on a Windows 2003 server, Domain
Users is defaulted as the group in the new object&#8217;s descriptor. If the user&#8217;s
primary group is changed to Domain Admins, then the group of the new object is
defaulted to Domain Admins.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The
above behavior is consistent with the CreateSecurityDescriptor algorithm from
MS-DTYP, where the primary group of the security token is assigned if a group
is not provided. <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Could
you please clarify the contradiction between MS-ADTS, MS-DTYP and actual behavior?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Regards,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Nadezhda
Ivanova<o:p></o:p></span></p>

<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=543
 style='width:407.25pt'>
 <tr>
  <td nowrap valign=top style='padding:0in 0in 11.25pt .25in'>
  <p><strong><span style='font-size:8.5pt;font-family:"Arial","sans-serif";
  color:#666666'>Nadezhda Ivanova</span></strong><span style='font-size:8.5pt;
  font-family:"Arial","sans-serif";color:#666666'><br>
  <strong><span style='font-family:"Arial","sans-serif"'>Software Engineer</span></strong><br>
  <strong><span style='font-family:"Arial","sans-serif"'>Software Development</span></strong><b><br>
  </b><br>
  <a href="mailto:nadezhda.ivanova@postpath.com"><span style='font-family:"Times New Roman","serif";
  color:#666666'>nadezhda.ivanova@postpath.com</span></a><o:p></o:p></span></p>
  </td>
  <td nowrap valign=top style='padding:0in 0in 7.5pt 15.0pt'>
  <p style='margin-bottom:12.0pt'><strong><span style='font-size:8.5pt;
  font-family:"Arial","sans-serif";color:#666666'>CISCO SYSTEMS BULGARIA EOOD</span></strong><span
  style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#666666'><br>
  18 Macedonia Blvd. Sofia 1606<br>
  Bulgaria<br>
  <a href="http://www.cisco.com/global/BG/"><span style='font-family:"Times New Roman","serif";
  color:#666666'>Cisco home page</span></a><o:p></o:p></span></p>
  </td>
  <td width=155 style='width:116.25pt;padding:0in 0in 0in 0in'>
  <p class=MsoNormal>&nbsp;<o:p></o:p></p>
  </td>
 </tr>
</table>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>
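<p class=MsoNormal>The comparison raised in the original question above, written as an added example that is not part of the thread and is not Samba or Microsoft code: it reads the owner and group from the SDDL form of a new object's descriptor and reports which GROUP defaulting rule the result matches. The domain SID, the SDDL strings and all function names are constructed for illustration, and the DAG is passed in as an input rather than computed.</p>

```python
import re

# Well-known RIDs behind the SDDL aliases used in the example.
ALIAS_RID = {"DA": 512, "DU": 513}  # Domain Admins, Domain Users
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# An SDDL string starts with optional O:owner and G:group components.
_HEAD = re.compile(r"^(?:O:(S-1-[\d-]+|[A-Z]{2}))?(?:G:(S-1-[\d-]+|[A-Z]{2}))?")


def resolve(trustee, domain_sid=DOMAIN_SID):
    """Expand a two-letter alias to a full SID; pass SIDs and None through."""
    if trustee is None or trustee.startswith("S-1-"):
        return trustee
    if trustee not in ALIAS_RID:
        raise ValueError("alias not modelled here: " + trustee)
    return "%s-%d" % (domain_sid, ALIAS_RID[trustee])


def owner_group(sddl):
    """Return (owner_sid, group_sid) from the head of an SDDL string."""
    owner, group = _HEAD.match(sddl).groups()
    return resolve(owner), resolve(group)


def classify_group_default(sddl, dag_sid, primary_group_sid):
    """Say which GROUP defaulting rule the new object's descriptor matches."""
    owner, group = owner_group(sddl)
    if owner != dag_sid:
        return "owner-not-dag"      # precondition of the quoted rule not met
    if dag_sid == primary_group_sid:
        # Both rules predict the same SID, so this case cannot tell them apart.
        return "inconclusive" if group == dag_sid else "neither"
    if group == dag_sid:
        return "adts-text"          # GROUP = DAG, as MS-ADTS 7.1.3.6 is quoted
    if group == primary_group_sid:
        return "primary-group"      # GROUP = creator's primary group
    return "neither"


DA, DU = resolve("DA"), resolve("DU")
# Constructed descriptors for the OU in the example (the DACL is a placeholder).
OBSERVED_W2003 = "O:DAG:DUD:(A;;GA;;;DA)"
PER_ADTS_TEXT = "O:DAG:DAD:(A;;GA;;;DA)"

if __name__ == "__main__":
    print(classify_group_default(OBSERVED_W2003, DA, DU))
    print(classify_group_default(PER_ADTS_TEXT, DA, DU))
    print(classify_group_default(PER_ADTS_TEXT, DA, DA))
```

<p class=MsoNormal>The third call covers the case where the creator's primary group is itself Domain Admins: both rules then predict the same GROUP, so only a creator whose primary group differs from the DAG distinguishes them.</p>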

</div>

</body>

</html>