[cifs-protocol] [REG:110041557300829] RE: Questions regarding ACE Ordering Rules

Hongwei Sun hongweis at microsoft.com
Fri Apr 16 15:09:27 MDT 2010


  Active Directory is supposed to apply the requirements to any security descriptors maintained by a DC, as described in section 7.1.3. ACE ordering is one of the requirements. If the forest functional level is DS_BEHAVIOR_WIN2003 and fDontStandardizeSDs is false, the ACEs in the ACLs will be sorted by the DC using the ACE ordering rule in MS-ADTS. This enforcement should happen either when a new object is created or when an LDAP modify on the security descriptor is done. If the ACE reordering cannot be done for some reason, there will be no LDAP error returned, and the order of explicit ACEs supplied by the client is preserved.

 You are running the test against Windows 2008, and by default fDontStandardizeSDs should be zero. So the ACE reordering should happen. Could you send me:
(1) the LDAP command you used to create the group
(2) the SD you provided
(3) the dump of the SD finally set on the group object?
I will investigate to find the reason why reordering is not happening.

I am working on the clarification for the section based on two of your questions. I will let you know.



-----Original Message-----
From: cifs-protocol-bounces at cifs.org [mailto:cifs-protocol-bounces at cifs.org] On Behalf Of Nadezhda Ivanova
Sent: Thursday, April 15, 2010 8:22 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: [cifs-protocol] Questions regarding ACE Ordering Rules

I was running some tests against a Windows 2008 server; forest functional level and domain functional level are both 2008. I created a group via LDAP and provided a security descriptor with ACEs deliberately scrambled, e.g. Deny before Allow, Object Specific before Regular. I did not get an LDAP error, the group was successfully created, but the SD looked the way I provided it, that is, not according to the rules described in this section. Can you explain why this happens? What behavior should I expect: is Windows supposed to sort them, return an error, or sort them later, or when a recalculate hierarchy request is sent?

In addition:
What is ACE canonical form?
In the sentence "The next rule is only applied if the previous rule(s) give inconclusive results" - what would constitute an inconclusive result?

Best Regards,
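For the reordering the reply above describes, here is an added Python sketch (not code from the thread, from Samba or from Windows) of the sort a DC applies, with the rules encoded as a tuple key so that a later rule only decides when the earlier ones tie, which is what an "inconclusive result" means. It assumes the canonical order explicit before inherited, Deny before Allow, regular before object-specific, with ties kept in the client's order; the SIDs in the sample DACL are constructed.

```python
from dataclasses import dataclass

# ACE type values and the inherited flag from the Windows security
# descriptor format (MS-DTYP).
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
INHERITED_ACE = 0x10  # AceFlags bit set on ACEs inherited from the parent

DENY_TYPES = {ACCESS_DENIED_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE}
OBJECT_TYPES = {ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE}


@dataclass(frozen=True)
class Ace:
    ace_type: int
    ace_flags: int
    trustee: str  # SID string; sample values below are constructed


def ordering_key(ace):
    """Lexicographic key (assumed rule order): each later component is only
    consulted when every earlier component ties, i.e. is inconclusive."""
    inherited = 1 if ace.ace_flags & INHERITED_ACE else 0
    allow = 0 if ace.ace_type in DENY_TYPES else 1
    object_specific = 1 if ace.ace_type in OBJECT_TYPES else 0
    return (inherited, allow, object_specific)


def standardize(dacl):
    # sorted() is stable, so ACEs that tie on every rule keep the client's order
    return sorted(dacl, key=ordering_key)


def first_violation(dacl):
    """Index of the first ACE that should sort before its predecessor,
    or None when the DACL is already in canonical order."""
    keys = [ordering_key(a) for a in dacl]
    for i in range(1, len(keys)):
        if keys[i] < keys[i - 1]:
            return i
    return None


def is_canonical(dacl):
    return first_violation(dacl) is None


# Constructed DACL scrambled the way the question describes:
# Deny after Allow, object-specific Deny before regular Deny.
SCRAMBLED = [
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0, "S-1-5-21-1-2-3-1105"),
    Ace(ACCESS_DENIED_OBJECT_ACE_TYPE, 0, "S-1-5-21-1-2-3-1106"),
    Ace(ACCESS_DENIED_ACE_TYPE, 0, "S-1-5-21-1-2-3-1107"),
    Ace(ACCESS_ALLOWED_ACE_TYPE, INHERITED_ACE, "S-1-5-32-544"),
]
```

Running `first_violation` over the SD dumped from the object is a quick way to tell whether the DC standardized it or left the client's order in place.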