[cifs-protocol] MS-SMB2/MS-FSA: setting SD inherited ACL flag "... - TrackingID#2105100040001378

Obaid Farooqi obaidf at microsoft.com
Wed May 12 18:26:22 UTC 2021

Hi Ralph:
What you are describing is documented in MS-DTYP section "2.4.6 SECURITY_DESCRIPTOR", as follows:

DC (DACL Computed Inheritance Required): Set when the DACL is to be computed through inheritance. When both DC and DI are set, the resulting security descriptor sets DI; the DC setting is not preserved.

Please let me know if this does not answer your question.

Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Hung-Chun Yu <HungChun.Yu at microsoft.com> 
Sent: Monday, May 10, 2021 3:14 AM
To: Ralph Boehme <slow at samba.org>
Cc: cifs-protocol at lists.samba.org; Hung-Chun Yu <hunyu at microsoftsupport.com>; Hung-Chun Yu <HungChun.Yu at microsoft.com>
Subject: RE: MS-SMB2/MS-FSA: setting SD inherited ACL flag "... - TrackingID#2105100040001378

Hi Ralph

Thank you for contacting Open Specifications Support. Case 2105100040001378 has been created to track the issue; please leave the TrackingID#2105100040001378 tag in the Subject line for future reference.
One of our engineers will be contacting you shortly.

Hung-Chun Yu
Escalation Engineer
Microsoft Open Specifications

-----Original Message-----
From: Ralph Boehme <slow at samba.org>
Sent: Monday, May 10, 2021 12:34 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-SMB2/MS-FSA: setting SD inherited ACL flag "DACL Auto-Inherited" (DI)

Hello dochelp,

I've noticed that a well-known behaviour with regards to ACL control flag semantics seems to be undocumented. At least, I couldn't find any reference that would explain the behaviour of a Windows SMB server.

Fwiw, Samba has implemented the same behaviour for many years.

What I'm observing is that when setting an SD on a file or directory, the resulting value of the flag "DACL Auto-Inherited" (DI) depends on the values of both "DACL Auto-Inherited" (DI) and "DACL Computed Inheritance Required" (DC).

Only if both DI and DC are set in the client SD will the resulting SD have DI.

Following along MS-SMB2 and MS-FSA I can only find the following applicable sections:


   7. The server MUST call into the underlying object store to set
   the security on the object.<377>

   <377> Section Windows performs SMB2 SET_INFO
   SMB2_0_INFO_SECURITY processing via Server Requests Setting
   of Security Information [MS-FSA] section

   MS-FSA Server Requests Setting of Security Information

   "... . The object store MUST set Open.File.SecurityDescriptor
   to InputBuffer."

I'm reading this as "the object store must store the unmodified SD received from the client".

Can you please check if the observed behaviour is indeed missing from the documentation and should be added?


Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
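The DI/DC rule that Ralph observed on a Windows SMB server and that Obaid points to in MS-DTYP 2.4.6, applied to the Control field of a client-supplied self-relative SECURITY_DESCRIPTOR (the MS-FSA InputBuffer). This is an added example written for this thread; it is not Samba or Windows code. The SE_* bit values are the documented winnt.h/MS-DTYP control bits; the sample buffer is constructed here, and extending the same rule to the SACL pair SC/SI is an assumption based on the analogous row of that table rather than on anything quoted in the thread.

```python
import struct

# SECURITY_DESCRIPTOR Control bits (MS-DTYP 2.4.6, winnt.h SE_* values).
SE_DACL_PRESENT          = 0x0004
SE_SACL_PRESENT          = 0x0010
SE_DACL_AUTO_INHERIT_REQ = 0x0100  # "DC": DACL Computed Inheritance Required
SE_SACL_AUTO_INHERIT_REQ = 0x0200  # "SC": SACL Computed Inheritance Required
SE_DACL_AUTO_INHERITED   = 0x0400  # "DI": DACL Auto-Inherited
SE_SACL_AUTO_INHERITED   = 0x0800  # "SI": SACL Auto-Inherited
SE_SELF_RELATIVE         = 0x8000

# Self-relative SD header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup,
# OffsetSacl, OffsetDacl (all little-endian), 20 bytes in total.
SD_HEADER_FMT = "<BBHIIII"
SD_HEADER_LEN = struct.calcsize(SD_HEADER_FMT)


def normalise_control_on_set(control: int) -> int:
    """Return the Control value a server stores for a client-supplied SD.

    Rule quoted from MS-DTYP 2.4.6: DI survives only if the client set both
    DC and DI; DC itself is never preserved. Applying the same rule to the
    SACL pair SC/SI is an assumption (analogous table row), not from the thread.
    """
    result = control
    # DACL: keep DI only when DC was also set, then always drop DC.
    if not control & SE_DACL_AUTO_INHERIT_REQ:
        result &= ~SE_DACL_AUTO_INHERITED
    result &= ~SE_DACL_AUTO_INHERIT_REQ
    # SACL: same treatment for SC/SI (assumed analogue).
    if not control & SE_SACL_AUTO_INHERIT_REQ:
        result &= ~SE_SACL_AUTO_INHERITED
    result &= ~SE_SACL_AUTO_INHERIT_REQ
    return result & 0xFFFF


def control_of(sd: bytes) -> int:
    """Read the Control field of a self-relative SECURITY_DESCRIPTOR."""
    if len(sd) < SD_HEADER_LEN:
        raise ValueError("buffer shorter than SECURITY_DESCRIPTOR header")
    return struct.unpack_from(SD_HEADER_FMT, sd, 0)[2]


def apply_to_self_relative_sd(sd: bytes) -> bytes:
    """Rewrite only the Control field of a self-relative SD; the rest of the
    buffer (owner, group, SACL, DACL bodies and their offsets) is untouched."""
    if len(sd) < SD_HEADER_LEN:
        raise ValueError("buffer shorter than SECURITY_DESCRIPTOR header")
    rev, sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from(
        SD_HEADER_FMT, sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("expected a revision-1 self-relative SECURITY_DESCRIPTOR")
    new_control = normalise_control_on_set(control)
    header = struct.pack(SD_HEADER_FMT, rev, sbz1, new_control,
                         o_owner, o_group, o_sacl, o_dacl)
    return header + sd[SD_HEADER_LEN:]


def _sample_sd(control: int) -> bytes:
    """Constructed sample: header with the given Control, no owner/group/SACL,
    and an empty DACL (ACL header: AclRevision=2, Sbz1, AclSize=8, AceCount=0,
    Sbz2) located at offset 20."""
    header = struct.pack(SD_HEADER_FMT, 1, 0, control, 0, 0, 0, SD_HEADER_LEN)
    empty_acl = struct.pack("<BBHHH", 2, 0, 8, 0, 0)
    return header + empty_acl


if __name__ == "__main__":
    cases = {
        "DI and DC set":   SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED,
        "DI without DC":   SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_DACL_AUTO_INHERITED,
        "DC without DI":   SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_DACL_AUTO_INHERIT_REQ,
    }
    for name, ctrl in cases.items():
        stored = apply_to_self_relative_sd(_sample_sd(ctrl))
        print(f"{name:14s}: client 0x{ctrl:04x} -> stored 0x{control_of(stored):04x}")
```

Only the "DI and DC set" case keeps DI in the stored SD; the other two end up with neither bit, which is exactly the observation in the original report. A server implementation would run this normalisation before the MS-FSA step that assigns InputBuffer to Open.File.SecurityDescriptor.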
