[cifs-protocol] Question about owner and group defaulting rules in MS-ADTS

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Mon Aug 17 05:47:04 MDT 2009


Hi Obaid,
Thank you for the attached information. I think it answers the question. Will let you know if something else comes up, but at this point this seems reasonable.
 
Regards,
Nadezhda Ivanova
 
 
From: Obaid Farooqi [mailto:obaidf at microsoft.com]
Sent: Friday, August 14, 2009 7:12 PM
To: Nadezhda Ivanova
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: Question about owner and group defaulting rules in MS-ADTS

 
Hi Nadezhda:
We have finished our investigation on "Owner and Group Defaulting Rules". In a future version of MS-ADTS, section 7.1.3.6 and 7.1.3 will be modified. Please find the PDF version of modifications attached to this email.
 
Please let me know if this answers your question. If yes, I'll consider this issue resolved.
 
Regards,
Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft
 
 
From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com]
Sent: Tuesday, August 04, 2009 2:58 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Question about owner and group defaulting rules in MS-ADTS

Hi,
In MS-ADTS, section 7.1.3.6, the following is written:

The GROUP field is defaulted as follows:
- If the DAG was used as the default OWNER field value, then the same SID is written into the GROUP field.

However, it appears that the creating user's primary group is ALWAYS used as the default group, regardless of partition or owner. 
Example:
We create an object in the domain partition, say an OU, without providing an nTSecurityDescriptor. The creating user is a member of Domain Admins, with primary group Domain Users, so the DAG is Domain Admins as per the DAG rules in the same document. Domain Admins is used as the OWNER in the new object's security descriptor. According to the above statement, Domain Admins should also be set as the default group. However, on a Windows 2003 server, Domain Users is defaulted as the group in the new object's descriptor. If the user's primary group is changed to Domain Admins, then the group of the new object is defaulted to Domain Admins.
 
The above behavior is consistent with the CreateSecurityDescriptor algorithm from MS-DTYP, where the primary group of the security token is assigned if a group is not provided.

Could you please clarify the contradiction between MS-ADTS, MS-DTYP and actual behavior?
 
Regards,
Nadezhda Ivanova
Nadezhda Ivanova
Software Engineer, Software Development
nadezhda.ivanova at postpath.com
CISCO SYSTEMS BULGARIA EOOD
18 Macedonia Blvd. Sofia 1606
Bulgaria

Think before you print.
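The discrepancy described in the question above can be made concrete with a small model of the two defaulting rules. This is an added example, not code from MS-ADTS, MS-DTYP, Samba or either correspondent: it implements the GROUP rule as quoted from MS-ADTS 7.1.3.6 side by side with the MS-DTYP CreateSecurityDescriptor behaviour observed on Windows 2003 (GROUP = primary group of the creator's token), and runs both over the constructed token from the example (a member of Domain Admins whose primary group is Domain Users). The domain SID, the `Token` class and the choice of Domain Admins as the DAG for the domain partition are assumptions made for the example; the "otherwise use the primary group" branch of the MS-ADTS rule is likewise assumed, since the thread quotes only the first bullet.

```python
"""Model of owner/group defaulting: MS-ADTS 7.1.3.6 text vs. MS-DTYP behaviour.

Constructed example for the thread above; not the specification's or Samba's code.
"""
from dataclasses import dataclass, field

# Constructed domain SID; 512 and 513 are the well-known RIDs for
# Domain Admins and Domain Users respectively.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
DOMAIN_ADMINS = f"{DOMAIN_SID}-512"
DOMAIN_USERS = f"{DOMAIN_SID}-513"


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for the creator's security token (assumption)."""
    user_sid: str
    primary_group: str
    groups: frozenset = field(default_factory=frozenset)

    def is_member(self, sid: str) -> bool:
        return sid in self.groups


def default_owner(token: Token, dag_sid: str = DOMAIN_ADMINS) -> str:
    """OWNER defaulting: the DAG if the creator is a member of it, else the user SID.

    dag_sid is Domain Admins for the domain partition in the thread's example;
    MS-ADTS picks the DAG per partition, which is left to the caller here.
    """
    return dag_sid if token.is_member(dag_sid) else token.user_sid


def default_group_adts_text(token: Token, dag_sid: str = DOMAIN_ADMINS) -> str:
    """GROUP as literally stated in MS-ADTS 7.1.3.6 (quoted in the thread).

    If the DAG became the OWNER, the same SID becomes the GROUP. The fallback
    to the token's primary group is an assumption, not part of the quoted text.
    """
    owner = default_owner(token, dag_sid)
    return owner if owner == dag_sid else token.primary_group


def default_group_observed(token: Token) -> str:
    """GROUP per MS-DTYP CreateSecurityDescriptor and the observed Windows 2003
    behaviour: the primary group of the creator's token, regardless of OWNER."""
    return token.primary_group


def compare_defaults(token: Token, dag_sid: str = DOMAIN_ADMINS) -> dict:
    """Apply both rules and report whether they agree for this creator."""
    adts = default_group_adts_text(token, dag_sid)
    observed = default_group_observed(token)
    return {
        "owner": default_owner(token, dag_sid),
        "group_per_adts_text": adts,
        "group_observed": observed,
        "agree": adts == observed,
    }


if __name__ == "__main__":
    # Creator from the thread: member of Domain Admins, primary group Domain Users.
    admin_user = Token(
        user_sid=f"{DOMAIN_SID}-1105",
        primary_group=DOMAIN_USERS,
        groups=frozenset({DOMAIN_USERS, DOMAIN_ADMINS}),
    )
    print(compare_defaults(admin_user))   # agree: False (the contradiction)

    # Same creator after the primary group is changed to Domain Admins.
    admin_user_pg_admins = Token(
        user_sid=admin_user.user_sid,
        primary_group=DOMAIN_ADMINS,
        groups=admin_user.groups,
    )
    print(compare_defaults(admin_user_pg_admins))   # agree: True
```

Running the block shows the two rules diverge only when the DAG is used as OWNER and the creator's primary group is something other than the DAG, which is exactly the situation the question describes; any resolution of the specification text has to pick one of these two functions.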
 

