[cifs-protocol] [MS-DTYP] SDDL conditional ACEs: XU and ZA mixed up?

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Fri Aug 25 00:31:01 UTC 2023

On 25/08/23 12:11, Douglas Bagnall via cifs-protocol wrote:
> In Syntax, it says:
>   "XU"  Access Allowed Object Callback  0xB
>   "ZA"  Audit Callback                  0xD
> suggesting that
>   D:(XU;;;12345678-1234-1234-1234-123456789012;;WD;(Member_of SID(WD)))
> should compile to Access Allowed Object Callback ACE. But it doesn't.
> Nor does it compile to an Audit Callback ACE, presumably because it 
> needs to be in a SACL not a DACL.
> These are the strings that *do* work:
>   D:(ZA;;;12345678-1234-1234-1234-123456789012;;WD;(Member_of SID(WD)))
> this compiles to ACE type 11.
>   D:(ZA;;;;;WD;(Member_of SID(WD)))
> this compiles to ACE type 9 (that is, without a GUID, "ZA" devolves to 
> "XA").
>   S:(XU;;;;;WD;(Member_of SID(WD)))
> this compiles to ACE type 13.
> So I am pretty sure [MS-DTYP] got those 2 mixed up.

BTW, I see other sources, like


have it the way I think it should be.
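
The behaviour reported above, as an added example that is not part of the original message: a small Python checker that splits an SDDL string into its ACEs and returns the ACE type for the combinations the message says compile. The function names and the lookup table are constructed here, and any combination the message does not report as compiling comes back as None.

```python
# Constructed lookup of the combinations the message reports as compiling:
# (ACL, ACE string, object GUID present) -> resulting ACE type.
OBSERVED = {
    ("D", "ZA", True): 0x0B,   # Access Allowed Object Callback
    ("D", "ZA", False): 0x09,  # no GUID: "ZA" devolves to "XA"
    ("S", "XU", False): 0x0D,  # Audit Callback
}


def iter_aces(sddl):
    """Yield (acl, ace_text) for each ACE in the D: and S: parts.

    Only top-level parentheses delimit an ACE, because the conditional
    expression at the end of a callback ACE has parentheses of its own.
    """
    acl, depth, start = None, 0, 0
    for i, ch in enumerate(sddl):
        if depth == 0 and sddl[i:i + 2] in ("D:", "S:"):
            acl = ch
        elif ch == "(":
            depth += 1
            if depth == 1:
                start = i + 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            if depth == 0 and acl is not None:
                yield acl, sddl[start:i]
    if depth:
        raise ValueError("unbalanced '(' in SDDL")


def observed_ace_types(sddl):
    """Return [(acl, ace_string, ace_type_or_None)]; None means the
    combination is not one the message reports as compiling."""
    out = []
    for acl, ace in iter_aces(sddl):
        fields = ace.split(";", 6)  # 7th field is the whole conditional
        if len(fields) < 6:
            raise ValueError("ACE has too few fields: %r" % ace)
        has_guid = bool(fields[3].strip())  # object GUID field only
        out.append((acl, fields[0], OBSERVED.get((acl, fields[0], has_guid))))
    return out


if __name__ == "__main__":
    # One of the SDDL strings quoted in the message.
    print(observed_ace_types("S:(XU;;;;;WD;(Member_of SID(WD)))"))
```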

