[cifs-protocol] Question about MS-DTYP Algorithm for Creating a Security Descriptor

Nadezhda Ivanova nivanova at samba.org
Wed Feb 9 07:04:06 MST 2011

I have a question regarding Algorithm for Creating a Security

It is said there that any ACEs provided by the user that contain the
INHERITED_ACE flag are not included in the final SD assigned to the object,
and in the algorithm they are also disregarded. This is indeed the behavior
I observed.
I created a group, providing this security descriptor during creation:
When I read the SD of the object back, it read
It had no DACL, as expected.

However, when I performed the same test with a very small change, creating
the object with this SD - "D:P(A;ID;WP;;;AU)"
The resulting SD is:

So, it turns out that ACEs with INHERITED_ACE flag provided by the user are
not ignored if we break the inheritance at that object. I haven't found in
the docs where this is specified, however. Is this a desired behavior?

I am testing against win2003R2
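To make the two readings concrete, here is an added example (not from the post, Samba, or MS-DTYP itself): a minimal parser for the DACL part of an SDDL string, followed by two filter functions, one implementing the documented rule (creator-supplied ACEs with INHERITED_ACE are dropped) and one modelling the win2003R2 behaviour reported above (they are kept only when the DACL is protected with P). The SD without P used for contrast is a constructed variant, since the post does not show the first SD.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# SDDL ACE-flag abbreviations (MS-DTYP 2.5.1.1); ID marks INHERITED_ACE.
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10,
             "SA": 0x40, "FA": 0x80}
INHERITED_ACE = ACE_FLAGS["ID"]
# SDDL DACL control abbreviations; P is SE_DACL_PROTECTED (inheritance broken).
DACL_CONTROL = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}

@dataclass
class Ace:
    ace_type: str
    flags: int
    rights: str
    object_type: str
    inherited_object_type: str
    sid: str

@dataclass
class Dacl:
    control: Set[str] = field(default_factory=set)
    aces: List[Ace] = field(default_factory=list)

def parse_dacl(sddl: str) -> Dacl:
    """Parse a DACL-only SDDL string such as "D:P(A;ID;WP;;;AU)"."""
    m = re.fullmatch(r"D:((?:P|AR|AI)*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    dacl = Dacl(control={DACL_CONTROL[t] for t in re.findall(r"AR|AI|P", m.group(1))})
    for ace_text in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = ace_text.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 fields: %r" % ace_text)
        flags = 0
        for tok in re.findall(r"[A-Z]{2}", fields[1]):
            flags |= ACE_FLAGS[tok]  # unknown flag token raises KeyError on purpose
        dacl.aces.append(Ace(fields[0], flags, fields[2], fields[3], fields[4], fields[5]))
    return dacl

def documented_rule(dacl: Dacl) -> Dacl:
    """MS-DTYP create-SD algorithm as the post reads it: creator-supplied
    ACEs carrying INHERITED_ACE are never copied into the new object's DACL."""
    return Dacl(set(dacl.control), [a for a in dacl.aces if not a.flags & INHERITED_ACE])

def observed_win2003r2_rule(dacl: Dacl) -> Dacl:
    """Behaviour the post reports: the drop only happens when the DACL is
    not protected; with P the ID-flagged ACEs survive."""
    if "PROTECTED" in dacl.control:
        return Dacl(set(dacl.control), list(dacl.aces))
    return documented_rule(dacl)
```

Running `observed_win2003r2_rule(parse_dacl("D:P(A;ID;WP;;;AU)"))` keeps the ACE, while the constructed `"D:(A;ID;WP;;;AU)"` loses it under both rules.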

