[cifs-protocol] [REG:111020960597122] Question about MS-DTYP 2.5.3.4 Algorithm for Creating a Security Descriptor
Bryan Burgin
bburgin at microsoft.com
Wed Feb 9 09:55:27 MST 2011
[dochelp to bcc]
[adding case info & casemail]
Hi, Nadya,
Thank you for your questions. An engineer from the Protocols team will contact you soon.
Bryan
From: didrash at gmail.com [mailto:didrash at gmail.com] On Behalf Of Nadezhda Ivanova
Sent: Wednesday, February 09, 2011 6:04 AM
To: Interoperability Documentation Help; cifs-protocol at samba.org
Subject: Question about MS-DTYP 2.5.3.4 Algorithm for Creating a Security Descriptor
Hi,
I have a question regarding 2.5.3.4 Algorithm for Creating a Security Descriptor.
It is said there that any ACEs provided by the user that contain the INHERITED_ACE flag are not included in the final SD assigned to the object, and in the algorithm they are also disregarded. This is indeed the behavior I observed.
I created a group, providing this security descriptor during creation:
"D:(A;ID;WP;;;AU)"
When I read the SD of the object back, it read O:DAG:DUD:AIS:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
It had no DACL, as expected.
However, when I performed the same test with a very small change, creating the object with this SD - "D:P(A;ID;WP;;;AU)"
The resulting SD is: O:DAG:DUD:PAI(A;;WP;;;AU)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
So, it turns out that ACEs with the INHERITED_ACE flag provided by the user are not ignored if we break the inheritance at that object. I haven't found in the docs where this is specified, however. Is this a desired behavior?
I am testing against win2003R2.
Regards,
Nadya
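
The comparison described in the message above, as an added example that is not part of the original thread: a small Python splitter for the SDDL subset used in these strings, which checks whether each DACL ACE sent with the ID flag appears in the SD read back. The helper names are hypothetical and this is not a full SDDL parser (no conditional ACEs, no quoted attributes).

```python
import re

# Component markers (O:, G:, D:, S:) are recognised only outside "(...)" ACE strings.
_COMPONENT = re.compile(r"([OGDS]):((?:\([^)]*\)|[^:()])*?)(?=[OGDS]:|$)")
_ACE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Split SDDL into owner, group, and DACL/SACL control flags plus ACE tuples."""
    sd = {}
    for tag, body in _COMPONENT.findall(sddl):
        if tag in "OG":
            sd[tag] = body
        else:
            sd[tag] = {
                "control": re.findall(r"AR|AI|P", body.split("(", 1)[0]),
                "aces": [tuple(a.split(";")) for a in _ACE.findall(body)],
            }
    return sd

def ace_flags(ace):
    """ACE flags are two-letter tokens, e.g. 'CIIOIDSA' -> CI, IO, ID, SA."""
    return [ace[1][i:i + 2] for i in range(0, len(ace[1]), 2)]

def fate_of_inherited_aces(sent, returned):
    """For each DACL ACE sent with ID, report whether the returned DACL has it."""
    empty = {"control": [], "aces": []}
    s = parse_sddl(sent).get("D", empty)
    r = parse_sddl(returned).get("D", empty)
    report = []
    for ace in s["aces"]:
        if "ID" not in ace_flags(ace):
            continue
        key = ace[:1] + ace[2:]  # compare every field except the flags
        hit = next((x for x in r["aces"] if x[:1] + x[2:] == key), None)
        report.append({"protected": "P" in s["control"], "kept": hit is not None,
                       "returned_flags": ace_flags(hit) if hit else None,
                       "returned_control": r["control"]})
    return report

# SDDL strings copied from the message above.
SACL = ("S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
        "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
        "(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
        "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
CASE_UNPROTECTED = ("D:(A;ID;WP;;;AU)", "O:DAG:DUD:AI" + SACL)
CASE_PROTECTED = ("D:P(A;ID;WP;;;AU)", "O:DAG:DUD:PAI(A;;WP;;;AU)" + SACL)

if __name__ == "__main__":
    for sent, returned in (CASE_UNPROTECTED, CASE_PROTECTED):
        print(sent, "->", fate_of_inherited_aces(sent, returned))
```

For the two cases in the message, the report shows the ACE absent from the first result and present in the second, where it was read back without the ID flag.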