[cifs-protocol] Information needed about security token default ACL

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Tue Jul 28 17:17:58 MDT 2009


Hi Obaid,
Yes, I think this issue is clear.
Thank you very much for your help!

Regards,
Nadezhda Ivanova
----- Original Message -----
> From: Obaid Farooqi <obaidf at microsoft.com>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: pfif at tridgell.net <pfif at tridgell.net>, cifs-protocol at samba.org <cifs-protocol at samba.org>
> Sent: Wednesday, July 29, 2009 2:14:06 AM GMT+0200 Europe;Athens
> Subject: RE: Information needed about security token default ACL

> Hi Nadezhda:
> LOGIN_SID is as described in section 2.4.2.2 of [MS-DTYP] which I am 
> reproducing here:
> 
> LOGON_ID          A logon session. The X and Y values for these SIDs are
> S-1-5-5-x-y       different for each logon session and are recycled when
>                   the operating system is restarted.
> 
> This SID is in addition to the user's permanent SID. The permanent SID 
> of the user is used for the first ACE, the System SID (S-1-5-18) is used 
> for the second ACE and the LOGIN_ID (SID) is used for the third ACE in 
> the default DACL.
> 
> For the conditions to use the default DACL, both of the conditions should 
> be true, so it is an AND.
> 
> Does this clarify it for you? Please let me know either way.
> 
> Regards,
> Obaid Farooqi
> Sr. Support Escalation Engineer | Microsoft
> 
> 
> -----Original Message-----
> From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com]
> Sent: Tuesday, July 28, 2009 8:32 AM
> To: Obaid Farooqi
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: RE: Information needed about security token default ACL
> 
> Hi Obaid,
> Thank you for clarifying the Token.DefaultDacl issue, just one more 
> question on that to be sure:
> LOGIN_SID: Generic Read | Generic Execute
> 
> Is LOGIN_SID the SID of the user that established the session?
> 
> About the conditions when default DACL is used for creating the DACL 
> in the security descriptor of the object.
> Both conditions must be met in order to use default DACL? It is 1 & 2, 
> not 1 | 2?
> 
> Regards,
> Nadezhda Ivanova
> 
> -----Original Message-----
> From: Obaid Farooqi [mailto:obaidf at microsoft.com]
> Sent: Tuesday, July 28, 2009 12:05 AM
> To: Nadezhda Ivanova
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: RE: Information needed about security token default ACL
> 
> Hi Nadezhda:
> I have answers to some of your questions. I am providing the answers 
> in a Q&A form as follows. My colleague Edgar is researching your 
> questions on Security Descriptor Creation algorithm and will contact 
> you with the relevant information as appropriate.
> 
> Q. So, am I right to understand that this DACL is used when no 
> nTSecurityDescriptor is provided by the incoming LDAP add request, and 
> there is no defaultSecurityDescriptor for the objectClass.
> 
> A. First, let me clarify that nTSecurityDescriptor is a property of an 
> object. The security descriptor that is provided by the caller is 
> called CreatorDescriptor.
> 
> Looking at the algorithm in section "2.5.2.4 ComputeACL" of [MS-DTYP], 
> following are the conditions when default DACL is used for creating 
> the DACL in the security descriptor of the object:
> 1. Caller has not provided a security descriptor (CreatorDescriptor)
> 2. The parent object does not have inheritable ACE's
> 
> The role of the defaultSecurityDescriptor will be clarified in the 
> answer to the question about the Security Descriptor Creation algorithm.
> 
> Q. If so, how is the Token.DefaultDACL constructed and when? Is this 
> based on the user's credentials and how?
> 
> A. Default DACL is part of user Access Token. Access Token is created 
> by Local Security authority when user logs on. The Default DACL is a 
> static list of ACE's and is not derived from the credentials. The 
> default DACL contains the following ACCESS_ALLOWED_ACE_TYPE ACE's:
>       SYSTEM:     ALL Access (Generic all) (S-1-5-18)
>       Owner:      ALL Access (Generic all)
>       LOGIN_SID:  Generic Read | Generic Execute
> 
> 
> Please let me know if it answers your question. If yes, I'll 
> consider this issue resolved.
> 
> Regards,
> Obaid Farooqi
> Sr. Support Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com]
> Sent: Friday, July 17, 2009 7:46 AM
> To: Interoperability Documentation Help
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: Information needed about security token default ACL
> 
> Hi,
> 
> In the course of my work in implementing security descriptor 
> inheritance in Directory service of Samba 4, I came across the 
> following statement in MS-DTYP, 2.5.2
> "The token also contains an ACL, Token.DefaultDACL, that serves as the 
> DACL assigned by default to any objects created by the user. "
> 
> So, am I right to understand that this DACL is used when no 
> nTSecurityDescriptor is provided by the incoming LDAP add request, and 
> there is no defaultSecurityDescriptor for the objectClass.
> If so, how is the Token.DefaultDACL constructed and when? Is this 
> based on the user's credentials and how?
> 
> In addition, I have a question about the security descriptor creation 
> algorithm described in MS-DTYP 2.5.2.3
> One of the arguments of CreateSecurityDescriptor is:
> CreatorDescriptor: Security descriptor for the new object provided by 
> the creator of the object. Caller can pass NULL.
> 
> Am I right in understanding that this is either the 
> nTSecurityDescriptor attribute provided by the user, or, in the lack 
> thereof, the defaultSecurityDescriptor of the object class?
> 
> Best Regards,
> Nadezhda Ivanova

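The two points Obaid settles in the quoted thread, the fixed three-ACE contents of Token.DefaultDacl and the AND condition (no CreatorDescriptor and no inheritable ACEs on the parent) under which ComputeACL falls back to it, written out as a small Python model. This is an added example, not code from the thread, from Samba or from MS-DTYP; the SID values, access-mask and ACE-flag constants are the documented Windows ones, but the inheritance step is a deliberate simplification of MS-DTYP 2.5.3.4 (it only copies inheritable parent ACEs and marks them INHERITED_ACE, with no protected-DACL or generic-mapping handling), and the sample SIDs are constructed.

```python
"""Model of Token.DefaultDacl and the ComputeACL fallback rule (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known SID and generic access rights (values as documented in MS-DTYP 2.4.2.4 / 2.4.3).
SYSTEM_SID = "S-1-5-18"
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000

# ACE header flags (MS-DTYP 2.4.4.1).
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10

ACCESS_ALLOWED_ACE_TYPE = 0x00

# A logon SID has the shape S-1-5-5-X-Y (MS-DTYP 2.4.2.2); X and Y change per logon session.
LOGON_SID_RE = re.compile(r"^S-1-5-5-\d+-\d+$")


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    ace_type: int = ACCESS_ALLOWED_ACE_TYPE
    flags: int = 0


def is_logon_sid(sid: str) -> bool:
    return bool(LOGON_SID_RE.match(sid))


def build_default_dacl(owner_sid: str, logon_sid: str) -> List[Ace]:
    """Token.DefaultDacl as described in the thread: SYSTEM GA, owner GA, logon SID GR|GX.

    The list is static: it depends on which SIDs are in the token, not on the
    user's credentials.
    """
    if not is_logon_sid(logon_sid):
        raise ValueError(f"not a logon SID (expected S-1-5-5-X-Y): {logon_sid}")
    return [
        Ace(SYSTEM_SID, GENERIC_ALL),
        Ace(owner_sid, GENERIC_ALL),
        Ace(logon_sid, GENERIC_READ | GENERIC_EXECUTE),
    ]


def inheritable_aces(parent_dacl: List[Ace], is_container: bool) -> List[Ace]:
    """Simplified inheritance: keep parent ACEs whose inherit flag matches the
    child's kind and mark them INHERITED_ACE (drops INHERIT_ONLY on the copy)."""
    wanted = CONTAINER_INHERIT_ACE if is_container else OBJECT_INHERIT_ACE
    out = []
    for ace in parent_dacl:
        if ace.flags & wanted:
            new_flags = (ace.flags | INHERITED_ACE) & ~INHERIT_ONLY_ACE
            out.append(Ace(ace.sid, ace.mask, ace.ace_type, new_flags))
    return out


def compute_dacl(creator_dacl: Optional[List[Ace]],
                 parent_dacl: Optional[List[Ace]],
                 token_default_dacl: List[Ace],
                 is_container: bool = False) -> List[Ace]:
    """Decision rule from the thread: the token default DACL is used only when
    the caller supplied no CreatorDescriptor AND the parent contributes no
    inheritable ACEs. Otherwise the creator's ACEs and/or the inherited ACEs
    form the result (simplified merge, no SE_DACL_PROTECTED handling)."""
    inherited = inheritable_aces(parent_dacl or [], is_container)
    if creator_dacl is None and not inherited:
        return list(token_default_dacl)      # both conditions true: fall back
    if creator_dacl is None:
        return inherited                     # inheritance alone decides
    return list(creator_dacl) + inherited    # caller's DACL plus inherited ACEs


if __name__ == "__main__":
    # Constructed sample SIDs: a domain user and a logon SID for one session.
    default = build_default_dacl("S-1-5-21-1111-2222-3333-1001", "S-1-5-5-0-4242")
    for ace in compute_dacl(None, [], default):
        print(f"{ace.sid:32} mask=0x{ace.mask:08x}")
```

The `is_container` switch matters for the AND test: a parent whose only inheritable ACE carries CONTAINER_INHERIT_ACE contributes nothing to a leaf child, so a leaf created without a CreatorDescriptor under such a parent still gets the token default DACL.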
