[cifs-protocol] [REG:110041557300829] RE: Questions regarding 22.214.171.124 ACE Ordering Rules
nadezhda.ivanova at postpath.com
Mon Apr 19 07:59:44 MDT 2010
Currently I am using the Samba make test framework. I'll find a way to make a script that can be used without Samba and let you know.
Until then, if it helps, this is the ACL I am providing upon group creation, in SDDL:
The group is in an OU where inheritance is broken, that is, it will not inherit anything from the parent.
The sid variable is the sid of a regular user, I suppose any user would do.
----- Original Message -----
> From: Hongwei Sun <hongweis at microsoft.com>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: cifs-protocol at samba.org <cifs-protocol at samba.org>, MSSolve Case Email <casemail at microsoft.com>
> Sent: Saturday, April 17, 2010 0:03:41 AM (GMT+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
> Subject: [REG:110041557300829] RE: [cifs-protocol] Questions regarding 126.96.36.199 ACE Ordering Rules
> > Nadya,
> Active Directory is supposed to apply the requirements to any
> security descriptors maintained by a DC, as described in section
> 7.1.3. ACE ordering is one of the requirement. If forest functional
> level is DS_BEHAVIOR_WIN2003 and fDontStandardizeSDs is false, the
> ACEs in the ACLs will be sorted by DC using the ACE ordering rule in
> 188.8.131.52 MS-ADTS. This enforcement should happen either when a new
> object is created or when LDAP modify on security descriptor is done.
> If the ACE reordering cannot be done for some reasons, there will be
> no LDAP error returned and. The order of explicit ACEs supplied by
> the client is preserved.
> You are running test against Windows 2008 and by default
> fDontStandardizeSDs should be zero. So the ACE reordering should
> happen. Could you send me (1)the LDAP command you used to create the
> (2)the SD you provided
> (3)the dump of SD finally set on group object ?
> I will investigate to find the reason why reordering is not happening.
> I am working on the clarification for the section of 184.108.40.206 based on
> two of your questions. I will let you know.
> -----Original Message-----
> From: cifs-protocol-bounces at cifs.org
> [mailto:cifs-protocol-bounces at cifs.org] On Behalf Of Nadezhda Ivanova
> Sent: Thursday, April 15, 2010 8:22 AM
> To: Interoperability Documentation Help
> Cc: cifs-protocol at samba.org
> Subject: [cifs-protocol] Questions regarding 220.127.116.11 ACE Ordering
> I was running some test against a Windows 2008 server, forest
> functional level and domain functional level are both 2008. I created
> a group via LDAP and provided a security descriptor with ACE's
> deliberately scrambled - e.g Deny before Allow, Object Specific before
> Regular. I did not get an LDAP error, the group was successfully
> created, but the SD looked the way I provided it, that is, not
> according to the rules described in this section. Can you explain why
> this happens? What behavior should I expect, is Windows supposed to
> sort them, return an error, or sort them later, or when a recalculate
> hierarchy request is sent?
> In addition:
> What is ACE canonical form?
> In the sentence: "The nest rule is only applied if the previous
> rule(s) give inconclusive results" - what would constitute an
> inconclusive result?
> Best Regards,
> cifs-protocol mailing list
> cifs-protocol at cifs.org
More information about the cifs-protocol