[cifs-protocol] MS-SMB2/MS-FSA: setting SD inherited ACL flag "DACL Auto-Inherited" (DI)

Ralph Boehme slow at samba.org
Mon May 10 07:33:51 UTC 2021

Hello dochelp,

I've noticed that a wellknown behaviour with regards to ACL control 
flags semantics seems to be undocumented. At least, I couldn't find any 
reference that would explain the behaviour of a Windows SMB server.

Fwiw, Samba implements the same behaviour since many many years.

What I'm observing is that when setting an SD on a file or directory, 
the resulting value of the flag "DACL Auto-Inherited" (DI) depends on 
the values of both "DACL Auto-Inherited" (DI) and DACL Computed
Inheritance Required (DC).

Only if DI and DC are set in the client SD, the resulting SD will have DI.

Following along MS-SMB2 and MS-FSA I can only find the following 
applicable sections:


   7. The server MUST call into the underlying object store to set
   the security on the object.<377>

   <377> Section Windows performs SMB2 SET_INFO
   SMB2_0_INFO_SECURITY processing via Server Requests Setting
   of Security Information [MS-FSA] section

   MS-FSA Server Requests Setting of Security Information

   "... . The object store MUST set Open.File.SecurityDescriptor
   to InputBuffer."

I'm reading this as "the object store must store the unmodified SD 
received from the client ".

Can you please check if the observed behaviour is indeed missing from 
the documentation and should be added?


Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20210510/e522d780/OpenPGP_signature.sig>

More information about the cifs-protocol mailing list