[cifs-protocol] FW: Group Policy questions

Matthieu Patou mat+Informatique.Samba at matws.net
Tue Dec 22 14:56:23 MST 2009


On 23/12/2009 00:47, Hongwei Sun wrote:
> Matthieu,
>
>     Your summary is a good recap of what we have done on this topic.   I have one clarification for the point below.
>
>          * All ACEs for allowed object are wiped out when "translating" AD ACL to File ACL
>
>         When translating an ACL for a DS object to an ACL for a SYSVOL file object, the ACEs with types ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE and SYSTEM_AUDIT_OBJECT_ACE_TYPE are not really deleted from the ACL. Instead, for such an ACE, the access mask in AceHeader is assigned to zero.
>    
Yeah, I meant that when "translating" an AD ACL to a file ACL we do not 
care about it: for all those ACCESS_ALLOWED_OBJECT_ACE_TYPE in the AD, no 
corresponding ACE is created.


>     Sebastian will follow up with you on your question regarding documenting the logic for ACE OI and CI flags.
>
> Thanks!
>
> Hongwei
>
> -----Original Message-----
> From: Matthieu Patou [mailto:mat+Informatique.Samba at matws.net]
> Sent: Friday, December 18, 2009 4:01 PM
> To: Sebastian Canevari
> Cc: Hongwei Sun; Interoperability Documentation Help; cifs-protocol at samba.org
> Subject: Re: FW: [cifs-protocol] Group Policy questions
>
> Hello Sebastian and Hongwei,
>
> Sorry for being silent on this.
>
> So if I try to sum up we agreed that:
>
> * in order to allow modification of the ACL on files, sdeffectiverights must
> have the flag DACL_SECURITY_INFORMATION set, and the ACL must have
> SE_DACL_PROTECTED set in the control flags.
> * in order to avoid a warning message, the ACL of the Policy object must be
> synchronized with the ACL on the files, following this logic for the translation:
>
>
>         The specific rights in the access mask for an Active Directory object
> are defined in section 5.1.3.2 of MS-ADTS as follows.
>
>             #define RIGHT_DS_CREATE_CHILD                   0x00000001
>             #define RIGHT_DS_DELETE_CHILD                   0x00000002
>             #define RIGHT_DS_LIST_CONTENTS                  0x00000004
>             #define ACTRL_DS_SELF                           0x00000008
>             #define RIGHT_DS_READ_PROPERTY                  0x00000010
>             #define RIGHT_DS_WRITE_PROPERTY                 0x00000020
>             #define RIGHT_DS_DELETE_TREE                    0x00000040
>             #define RIGHT_DS_LIST_OBJECT                    0x00000080
>             #define RIGHT_DS_CONTROL_ACCESS                 0x00000100
>
>         The specific rights in the access mask for a file or directory object
>         are defined as follows
>         (http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx )
>
>             #define FILE_READ_DATA            ( 0x0001 )
>             #define FILE_LIST_DIRECTORY       ( 0x0001 )
>             #define FILE_WRITE_DATA           ( 0x0002 )
>             #define FILE_ADD_FILE             ( 0x0002 )
>             #define FILE_APPEND_DATA          ( 0x0004 )
>             #define FILE_ADD_SUBDIRECTORY     ( 0x0004 )
>             #define FILE_CREATE_PIPE_INSTANCE ( 0x0004 )
>             #define FILE_READ_EA              ( 0x0008 )
>             #define FILE_WRITE_EA             ( 0x0010 )
>             #define FILE_EXECUTE              ( 0x0020 )
>             #define FILE_TRAVERSE             ( 0x0020 )
>             #define FILE_DELETE_CHILD         ( 0x0040 )
>             #define FILE_READ_ATTRIBUTES      ( 0x0080 )
>             #define FILE_WRITE_ATTRIBUTES     ( 0x0100 )
>
>        The generic access rights that are common to all objects are
>
>             #define DELETE                    (0x00010000L)
>             #define READ_CONTROL              (0x00020000L)
>             #define WRITE_DAC                 (0x00040000L)
>             #define WRITE_OWNER               (0x00080000L)
>             #define SYNCHRONIZE               (0x00100000L)
>             #define STANDARD_RIGHTS_ALL       (0x001F0000L)
>
>
>         The following logic is used by GPMC to convert an access mask for a
> DS object to an access mask for SYSVOL.
>
>          DSAccessMask as Input;
>          SYSVOLAccessMask as Output;
>
>          SYSVOLAccessMask = DSAccessMask;
>          SYSVOLAccessMask &= STANDARD_RIGHTS_ALL;
>
>          if ((DSAccessMask & RIGHT_DS_READ_PROPERTY) AND
>              (DSAccessMask & RIGHT_DS_LIST_CONTENTS))
>              SYSVOLAccessMask |= (SYNCHRONIZE | FILE_LIST_DIRECTORY |
>                                   FILE_READ_ATTRIBUTES | FILE_READ_EA |
>                                   FILE_READ_DATA | FILE_EXECUTE);
>
>          if (DSAccessMask & RIGHT_DS_WRITE_PROPERTY)
>              SYSVOLAccessMask |= (SYNCHRONIZE | FILE_WRITE_DATA |
>                                   FILE_APPEND_DATA | FILE_WRITE_EA |
>                                   FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |
>                                   FILE_ADD_SUBDIRECTORY);
>
>          if (DSAccessMask & RIGHT_DS_CREATE_CHILD)
>              SYSVOLAccessMask |= (FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE);
>
>          if (DSAccessMask & RIGHT_DS_DELETE_CHILD)
>              SYSVOLAccessMask |= FILE_DELETE_CHILD;
>
>
> * All ACEs for allowed object are wiped out when "translating" AD ACL to
> File ACL
> * For the following ACE types, OI and CI flags are always set in the resulting
> file ACE:
>
> ACCESS_ALLOWED_ACE_TYPE
> ACCESS_DENIED_ACE_TYPE
> SYSTEM_AUDIT_ACE_TYPE
>
>
>
> Am I right?
>
> For the parts that are "hardcoded" like this, will it change any time soon?
> Also, do you plan to document this in any kind of document? If so,
> which and when?
>
>
>
> Regards.
> Matthieu.
>
>    
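Worked example, added here and not part of the thread: a C implementation of the DS-to-SYSVOL translation rules discussed above, covering both the access-mask conversion and the per-ACE rule (object ACEs keep their header with a zero mask; allow/deny/audit ACEs get OI and CI). The ACE type and inheritance-flag values are taken from MS-DTYP rather than from the thread, and `struct ace` is a simplified stand-in that omits the SID and GUID fields.

```c
#include <stdint.h>

/* Rights quoted in the thread: MS-ADTS 5.1.3.2 (DS) and Win32 file/standard rights */
enum { RIGHT_DS_CREATE_CHILD = 0x01, RIGHT_DS_DELETE_CHILD = 0x02, RIGHT_DS_LIST_CONTENTS = 0x04,
       RIGHT_DS_READ_PROPERTY = 0x10, RIGHT_DS_WRITE_PROPERTY = 0x20 };
enum { FILE_READ_DATA = 0x01, FILE_LIST_DIRECTORY = 0x01, FILE_WRITE_DATA = 0x02, FILE_ADD_FILE = 0x02,
       FILE_APPEND_DATA = 0x04, FILE_ADD_SUBDIRECTORY = 0x04, FILE_READ_EA = 0x08, FILE_WRITE_EA = 0x10,
       FILE_EXECUTE = 0x20, FILE_DELETE_CHILD = 0x40, FILE_READ_ATTRIBUTES = 0x80,
       FILE_WRITE_ATTRIBUTES = 0x100, SYNCHRONIZE = 0x00100000, STANDARD_RIGHTS_ALL = 0x001F0000 };
/* ACE type and inheritance-flag values from MS-DTYP 2.4.4.1 (not quoted in the thread) */
enum { ACCESS_ALLOWED_ACE_TYPE = 0x00, ACCESS_DENIED_ACE_TYPE = 0x01, SYSTEM_AUDIT_ACE_TYPE = 0x02,
       ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05, ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06,
       SYSTEM_AUDIT_OBJECT_ACE_TYPE = 0x07, OBJECT_INHERIT_ACE = 0x01, CONTAINER_INHERIT_ACE = 0x02 };

struct ace { uint8_t type; uint8_t flags; uint32_t mask; };  /* simplified ACE; SID/GUIDs omitted */

/* GPMC's DS -> SYSVOL access-mask translation, as quoted in the thread */
uint32_t ds_to_sysvol_mask(uint32_t ds)
{
    uint32_t sysvol = ds & STANDARD_RIGHTS_ALL;   /* DS-specific low bits never carry over as-is */
    if ((ds & RIGHT_DS_READ_PROPERTY) && (ds & RIGHT_DS_LIST_CONTENTS))
        sysvol |= SYNCHRONIZE | FILE_LIST_DIRECTORY | FILE_READ_ATTRIBUTES |
                  FILE_READ_EA | FILE_READ_DATA | FILE_EXECUTE;
    if (ds & RIGHT_DS_WRITE_PROPERTY)
        sysvol |= SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA |
                  FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY;
    if (ds & RIGHT_DS_CREATE_CHILD)
        sysvol |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE;
    if (ds & RIGHT_DS_DELETE_CHILD)
        sysvol |= FILE_DELETE_CHILD;
    return sysvol;
}

/* ACE-level rule from the thread: object ACEs keep their header but get a zero
 * access mask; plain allow/deny/audit ACEs are translated and always get OI|CI. */
struct ace ds_ace_to_sysvol_ace(struct ace in)
{
    struct ace out = in;                /* any other ACE type is returned untouched */
    switch (in.type) {
    case ACCESS_ALLOWED_OBJECT_ACE_TYPE: case ACCESS_DENIED_OBJECT_ACE_TYPE:
    case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
        out.mask = 0;
        break;
    case ACCESS_ALLOWED_ACE_TYPE: case ACCESS_DENIED_ACE_TYPE: case SYSTEM_AUDIT_ACE_TYPE:
        out.flags |= OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE;
        out.mask = ds_to_sysvol_mask(in.mask);
        break;
    }
    return out;
}
```

A DS mask of 0x000F01FF (all DS-specific rights plus the standard rights) maps to 0x001F01FF, i.e. full control on the SYSVOL file, while RIGHT_DS_READ_PROPERTY without RIGHT_DS_LIST_CONTENTS yields no file read rights at all.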


