[cifs-protocol] Information needed about security token default ACL

Obaid Farooqi obaidf at microsoft.com
Mon Jul 27 15:05:05 MDT 2009


Hi Nadezhda:
I have answers to some of your questions. I am providing the answers in a Q&A form as follows. My colleague Edgar is researching your questions on Security Descriptor Creation algorithm and will contact you with the relevant information as appropriate.

Q. So, am I right to understand that this DACL is used when no nTSecurityDescriptor is provided by the incoming LDAP add request, and there is no defaultSecurityDescriptor for the objectClass?

A. First, let me clarify that nTSecurityDescriptor is a property of an object. The security descriptor that is provided by the caller is called CreatorDescriptor.

Looking at the algorithm in section "2.5.2.4 ComputeACL" of [MS-DTYP], the following are the conditions under which the default DACL is used for creating the DACL in the security descriptor of the object:
1. The caller has not provided a security descriptor (CreatorDescriptor)
2. The parent object does not have inheritable ACEs

The role of the defaultSecurityDescriptor will be clarified in the answer to the question about the Security Descriptor Creation algorithm.

Q. If so, how is the Token.DefaultDACL constructed and when? Is this based on the user's credentials and how?

A. The Default DACL is part of the user's Access Token. The Access Token is created by the Local Security Authority when the user logs on. The Default DACL is a static list of ACEs and is not derived from the credentials. The default DACL contains the following ACCESS_ALLOWED_ACE_TYPE ACEs:
        SYSTEM:    ALL Access (Generic all) (S-1-5-18)
        Owner:     ALL Access (Generic all)
        LOGIN_SID: Generic Read | Generic Execute


Please let me know if this answers your question. If it does, I'll consider this issue resolved.

Regards,
Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft
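The default-DACL rule described in the reply above, as an added example that is not part of the original message, MS-DTYP, or Samba's code. It models only the selection rule stated above (default DACL chosen when no CreatorDescriptor is supplied and the parent has no inheritable ACEs); the full inheritance and merging logic of ComputeACL is not modelled, the GENERIC_* and ACE flag values are the standard Windows constants, and the owner and logon SIDs are constructed samples.

```python
# Added example: a minimal model of when Token.DefaultDACL is selected.
# Assumption: the creator/parent merging of MS-DTYP ComputeACL is omitted.
from dataclasses import dataclass

ACCESS_ALLOWED_ACE_TYPE = 0x00
GENERIC_READ = 0x80000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
OBJECT_INHERIT_ACE = 0x01      # ACE flag: inheritable by child objects
CONTAINER_INHERIT_ACE = 0x02   # ACE flag: inheritable by child containers
SYSTEM_SID = "S-1-5-18"        # Local System, as listed in the reply


@dataclass
class Ace:
    ace_type: int
    sid: str
    mask: int
    flags: int = 0


@dataclass
class Token:
    owner_sid: str   # constructed sample, e.g. a domain user SID
    logon_sid: str   # constructed sample, e.g. S-1-5-5-X-Y

    def default_dacl(self):
        """Token.DefaultDACL as listed above: a static ACE list, not
        derived from the user's credentials."""
        return [
            Ace(ACCESS_ALLOWED_ACE_TYPE, SYSTEM_SID, GENERIC_ALL),
            Ace(ACCESS_ALLOWED_ACE_TYPE, self.owner_sid, GENERIC_ALL),
            Ace(ACCESS_ALLOWED_ACE_TYPE, self.logon_sid,
                GENERIC_READ | GENERIC_EXECUTE),
        ]


def compute_dacl(token, creator_dacl, parent_dacl):
    """Return (dacl, source). creator_dacl is the DACL of CreatorDescriptor
    or None if the caller passed none; parent_dacl is the parent's ACE list
    or None. Simplified: a supplied CreatorDescriptor wins, else inheritable
    parent ACEs, else the token's default DACL."""
    if creator_dacl is not None:
        return list(creator_dacl), "creator"
    inheritable = [a for a in (parent_dacl or [])
                   if a.flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)]
    if inheritable:
        return inheritable, "inherited"
    return token.default_dacl(), "default"
```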

-----Original Message-----
From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com]
Sent: Friday, July 17, 2009 7:46 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Information needed about security token default ACL

Hi,

In the course of my work in implementing security descriptor inheritance in Directory service of Samba 4, I came across the following statement in MS-DTYP, 2.5.2
"The token also contains an ACL, Token.DefaultDACL, that serves as the DACL assigned by default to any objects created by the user. "

So, am I right to understand that this DACL is used when no nTSecurityDescriptor is provided by the incoming LDAP add request, and there is no defaultSecurityDescriptor for the objectClass?
If so, how is the Token.DefaultDACL constructed and when? Is this based on the user's credentials and how?

In addition, I have a question about the security descriptor creation algorithm described in MS-DTYP 2.5.2.3
One of the arguments of CreateSecurityDescriptor is:
CreatorDescriptor: Security descriptor for the new object provided by the creator of the object. Caller can pass NULL.

Am I right in understanding that this is either the nTSecurityDescriptor attribute provided by the user, or, in the lack thereof, the defaultSecurityDescriptor of the object class?

Best Regards,
Nadezhda Ivanova
