[cifs-protocol] conditional deny aces not working over SMB

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Wed Oct 18 22:46:09 UTC 2023

hi Dochelp,

Using SMB2 and Windows 2022, if I set the DACL of a file to

   D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)

I can still access the file (also over SMB2).

I didn't expect that, as the first ACE should deny access when the condition 
"Member_of SID(WD)" is true, which is essentially the same condition as the 
allow ACE that follows it.

I haven't been able to find any cases of conditional deny ACEs working for file 
access. I see the same behaviour locally on the machine.

I'm guessing this is out of scope for [MS-DTYP], which describes the ACE types 
but does not say where and how they are used. Is the expected meaning of 
conditional ACEs for file access described anywhere?

 From what I can see, conditional ACEs in file system is called Dynamic Access 
Control, and people wrote everything that is known about it in 2012.

I believe SMB defers the authorization decisions to the underlying file system, 
and this uses something other than the user space AuthZ API which is used for 
handling AD claims (I think). Most of what is written about conditional ACEs 
refers to that API, or directly to claims.

Because file system behaviour is not considered part of a protocol, ACLs on 
files can be interpreted however the server prefers. Is that roughly the 
position? On the slight chance it isn't, I would like to know if the behaviour 
of conditional ACEs over SMB is documented.


More information about the cifs-protocol mailing list