[cifs-protocol] [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays - TrackingID#2212170040000207

Kristian Smith Kristian.Smith at microsoft.com
Thu Dec 29 20:12:32 UTC 2022

Hi Douglas,

I'll be looking into this issue for you. I'll reach out when I have more information.


Kristian Smith
Support Escalation Engineer
Windows Open Spec Protocols
Office: (425) 421-4442
kristian.smith at microsoft.com

From: Jeff McCashland (He/him) <jeffm at microsoft.com>
Sent: Friday, December 16, 2022 8:17 PM
To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays - TrackingID#2212170040000207

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Douglas,

Thank you for the question. We have created SR 2212170040000207 to track this issue. One of our engineers will respond soon to assist.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Sent: Friday, December 16, 2022 6:02 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] [MS-DTYP] conditional ACE SDDL sid arrays

hi Dochelp,

I am working on conditional ACEs for Samba. The documentation is mostly very clear, but I have one question prompted by example 3 in, which deals with the encoding of this SDDL snippet:

> (@User.clearanceLevel>=@Resource.requiredClearance) ||
> (Member_of{SID(BA)})

where the 'Member_of{SID(BA)}' becomes a composite token containing the single SID, followed by the Member_of operator. So far this makes sense.

However, earlier, in ('Relational Operator Tokens') we have

> The operand type MUST be either a SID literal, or a composite, each of
> whose elements is a SID literal.

which is also clear. But the ABNF in ('Syntax') looks like

> memberof-op = ( "Member_of" / ... ) wspace sid-array

and sid-array is

> sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace]) "}"

so *syntactically*, this (a literal-SID without the curly brackets)

     (Member_of SID(BA))

would also refer to a sid-array. Thus here's the question: would this last form be compiled as a composite value (as implied by "sid-array") or would it be a solitary SID?

And if it doesn't result in a solitary SID, how would such a SID be represented in SDDL, or is that not possible?

The wider question is whether, for valid conditional ACEs, an ACE -> SDDL -> ACE cycle should always end up at the same point as the original.

As a side-note, the example omits the wspace in memberof-op. I suspect the ABNF is inexact, but it might be fiddly to fix because I don't know if '[wspace]' would work for the form without {}.
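The two encodings the question contrasts, as an added worked example that is not part of the thread and is neither Samba's nor Microsoft's code. It builds the postfix token stream for 'Member_of{SID(BA)}' (a composite holding one SID literal) and for the bare 'Member_of SID(BA)' form (a solitary SID literal), then decodes each back to SDDL, keeping the curly brackets only when the operand really was a composite, so that the ACE -> SDDL -> ACE cycle can stay byte-for-byte faithful. The token byte values (0x50 composite, 0x51 SID literal, 0x89 Member_of, the "artx" header, zero padding to a 4-byte boundary) are assumed from memory of [MS-DTYP] 2.4.4.17 and should be checked against the spec; the alias table is a two-entry subset constructed for the example.

```python
"""Member_of operand encoding in a conditional ACE (SDDL <-> binary).

Added worked example, not Samba's or Microsoft's code. Token byte values are
as recalled from [MS-DTYP] 2.4.4.17 (0x50 composite, 0x51 SID literal,
0x89 Member_of, "artx" header, zero padding to a 4-byte boundary); verify
them against the spec before relying on them.
"""
import struct

TOKEN_COMPOSITE = 0x50
TOKEN_SID = 0x51
TOKEN_MEMBER_OF = 0x89
ACE_MAGIC = b"artx"

# Constructed subset of the two-letter SDDL SID aliases; BA is Builtin Administrators.
SID_ALIASES = {"BA": "S-1-5-32-544", "WD": "S-1-1-0"}
ALIAS_BY_SID = {v: k for k, v in SID_ALIASES.items()}


def sid_to_bytes(sid):
    """Pack 'S-1-5-32-544' into the binary SID layout: revision, sub-authority
    count, 6-byte big-endian authority, little-endian 32-bit sub-authorities."""
    parts = sid.upper().split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes."""
    count = data[1]
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (data[0], auth) + "".join("-%d" % s for s in subs)


def sid_literal(sid_or_alias):
    """SID literal token: 0x51, 32-bit LE byte length, SID bytes."""
    raw = sid_to_bytes(SID_ALIASES.get(sid_or_alias, sid_or_alias))
    return bytes([TOKEN_SID]) + struct.pack("<I", len(raw)) + raw


def composite(elements):
    """Composite token: 0x50, 32-bit LE length of the concatenated elements, elements."""
    body = b"".join(elements)
    return bytes([TOKEN_COMPOSITE]) + struct.pack("<I", len(body)) + body


def encode_member_of(sids, as_composite=True):
    """Postfix stream for a Member_of expression, with artx header and padding.

    as_composite=True  encodes 'Member_of{SID(BA)}': a composite holding one SID.
    as_composite=False encodes 'Member_of SID(BA)': a bare SID literal, the form
    the sid-array ABNF also admits but whose binary form the question asks about.
    """
    literals = [sid_literal(s) for s in sids]
    if as_composite:
        operand = composite(literals)
    elif len(literals) == 1:
        operand = literals[0]
    else:
        raise ValueError("a bare SID operand can hold only one SID")
    body = ACE_MAGIC + operand + bytes([TOKEN_MEMBER_OF])
    return body + b"\0" * (-len(body) % 4)


def parse_tokens(data, pos, end):
    """Parse data[pos:end] into ('sid', s) / ('composite', [...]) / ('op', name) items."""
    items = []
    while pos < end:
        tok = data[pos]
        if tok == 0:                        # trailing padding
            break
        if tok in (TOKEN_SID, TOKEN_COMPOSITE):
            length = struct.unpack_from("<I", data, pos + 1)[0]
            start, pos = pos + 5, pos + 5 + length
            if tok == TOKEN_SID:
                items.append(("sid", bytes_to_sid(data[start:pos])))
            else:
                items.append(("composite", parse_tokens(data, start, pos)))
        elif tok == TOKEN_MEMBER_OF:
            items.append(("op", "Member_of"))
            pos += 1
        else:
            raise ValueError("token 0x%02x not handled by this example" % tok)
    return items


def render_operand(item):
    kind, value = item
    if kind == "sid":
        return "SID(%s)" % ALIAS_BY_SID.get(value, value)
    if kind == "composite":
        return "{%s}" % ", ".join(render_operand(m) for m in value)
    raise ValueError("operator where an operand was expected")


def decode_to_sddl(blob):
    """Render the binary expression back to SDDL, using {} only for a real composite."""
    if blob[:4] != ACE_MAGIC:
        raise ValueError("missing artx header")
    stack = []
    for kind, value in parse_tokens(blob, 4, len(blob)):
        if kind == "op":
            operand = render_operand(stack.pop())
            sep = "" if operand.startswith("{") else " "   # example 3 writes no space
            stack.append("(%s%s%s)" % (value, sep, operand))
        else:
            stack.append((kind, value))
    if len(stack) != 1:
        raise ValueError("malformed expression")
    return stack[0]


if __name__ == "__main__":
    for as_composite in (True, False):
        blob = encode_member_of(["BA"], as_composite)
        print(blob.hex(), "->", decode_to_sddl(blob))
```

Running it shows that the two SDDL spellings produce different byte streams (32 bytes with the composite wrapper, 28 without), so a decoder that always emits curly brackets would turn the bare form into the composite form on the next encode; whether the bare form is meant to be legal at all is exactly what the question above asks.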
