[cifs-protocol] Information needed about security token default ACL

Dominic Salemno doms at microsoft.com
Fri Jul 17 09:24:20 MDT 2009

Nadezhda Ivanova,

We have received your inquiry and two engineers will be assigned to handle each concentration of the document in question. They shall follow up with you shortly.

dominic salemno . senior support escalation engineer . protocols team
w: (980) 776-9082

-----Original Message-----
From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com] 
Sent: Friday, July 17, 2009 8:46 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Information needed about security token default ACL


In the course of my work in implementing security descriptor inheritance in the Directory service of Samba 4, I came across the following statement in MS-DTYP, 2.5.2:
"The token also contains an ACL, Token.DefaultDACL, that serves as the DACL assigned by default to any objects created by the user."

So, am I right to understand that this DACL is used when no nTSecurityDescriptor is provided by the incoming LDAP add request, and there is no defaultSecurityDescriptor for the objectClass?
If so, how is the Token.DefaultDACL constructed and when? Is this based on the user's credentials and how?

In addition, I have a question about the security descriptor creation algorithm described in MS-DTYP.
One of the arguments of CreateSecurityDescriptor is:
CreatorDescriptor: Security descriptor for the new object provided by the creator of the object. Caller can pass NULL.

Am I right in understanding that this is either the nTSecurityDescriptor attribute provided by the user, or, in the lack thereof, the defaultSecurityDescriptor of the object class?

Best Regards,
Nadezhda Ivanova
