[cifs-protocol] conditional deny aces not working over SMB - TrackingID#2310190040000571
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Wed Oct 25 21:20:44 UTC 2023
I have a pcapng file here:
https://www.samba.org/~dbagnall/windows-smb-file-access-denied-callback.pcapng
I'll also note our tests show the conditional deny ACEs do work in other
settings that relate purely to Kerberos tickets and not to file access.
Douglas
On 26/10/23 09:33, Douglas Bagnall via cifs-protocol wrote:
> hi Obaid,
>
>> How did you set up your test environment?
>
> Well, haphazardly, it must be said. I tried various things, none of
> which made any difference.
>
> This is on a standalone server -- there is no KDC or user claims. The
> conditional ACEs refer to facts that are independent of actual claims,
> or only to resource attribute claims. They work perfectly with allow
> aces, and not at all with deny aces.
>
> I get a 404 at
> https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
> -- was something clipped off the end?
>
> cheers,
> Douglas
>
> On 26/10/23 06:06, Obaid Farooqi wrote:
>> Hi Douglas:
>> My conversation with product group revealed that the claims based
>> authorization was developed to protect files, SMB or otherwise.
>> How did you set up your test environment?
>> Here are some instructions on setting up a test environment:
>>
>> https://learn.microsoft.com/en-us/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> -----Original Message-----
>> From: Obaid Farooqi
>> Sent: Thursday, October 19, 2023 11:45 AM
>> To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Douglas Bagnall
>> <douglas.bagnall at catalyst.net.nz>; cifs-protocol at lists.samba.org
>> Cc: Microsoft Support <supportmail at microsoft.com>
>> Subject: RE: [EXTERNAL] conditional deny aces not working over SMB -
>> TrackingID#2310190040000571
>>
>> Hi Douglas:
>> I'll look into this and will be in touch as soon as I have an answer.
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> -----Original Message-----
>> From: Jeff McCashland (He/him) <jeffm at microsoft.com>
>> Sent: Wednesday, October 18, 2023 8:45 PM
>> To: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>;
>> cifs-protocol at lists.samba.org
>> Cc: Microsoft Support <supportmail at microsoft.com>
>> Subject: RE: [EXTERNAL] conditional deny aces not working over SMB -
>> TrackingID#2310190040000571
>>
>> [DocHelp to BCC, support on CC, SR ID on Subject]
>>
>> Hi Douglas,
>>
>> Thank you for your email. We have created SR 2310190040000571 to track
>> this issue. One of our engineers will respond soon.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
>> Protocol Open Specifications Team
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>> (UTC-08:00) Pacific Time (US and Canada) Local country phone number
>> found here: http://support.microsoft.com/globalenglish | Extension
>> 1138300
>>
>> -----Original Message-----
>> From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>> Sent: Wednesday, October 18, 2023 3:46 PM
>> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help
>> <dochelp at microsoft.com>
>> Subject: [EXTERNAL] conditional deny aces not working over SMB
>>
>> hi Dochelp,
>>
>> Using SMB2 and Windows 2022, if I set the DACL of a file to
>>
>> D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)
>>
>> I can still access the file (also over SMB2).
>>
>> I didn't expect that, as the first ACE should deny access when the
>> condition "Member_of SID(WD)" is true, which is essentially the same
>> condition as the allow ACE that follows it.
>>
>> I haven't been able to find any cases of conditional deny ACEs working
>> for file access. I see the same behaviour locally on the machine.
>>
>> I'm guessing this is out of scope for [MS-DTYP], which describes the
>> ACE types but does not say where and how they are used. Is the
>> expected meaning of conditional ACEs for file access described anywhere?
>>
>> From what I can see, conditional ACEs in the file system are called
>> Dynamic Access Control, and people wrote everything that is known
>> about it in 2012.
>>
>> I believe SMB defers the authorization decisions to the underlying
>> file system, and this uses something other than the user space AuthZ
>> API which is used for handling AD claims (I think). Most of what is
>> written about conditional ACEs refers to that API, or directly to claims.
>>
>> Because file system behaviour is not considered part of a protocol,
>> ACLs on files can be interpreted however the server prefers. Is that
>> roughly the position? On the slight chance it isn't, I would like to
>> know if the behaviour of conditional ACEs over SMB is documented.
>>
>> cheers,
>> Douglas
>>
>
>
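As an added illustration (not code from the thread, Samba, or Windows), the following script parses the DACL string from Douglas's original mail and applies the ordered-evaluation reading his mail assumes: ACEs are walked in order, a conditional ACE applies only when its condition is TRUE, and the first applicable deny ACE ends the check. Under that reading the DACL `D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)` denies access, which is what the thread reports Windows does not do. The rights aliases (`FA`, `FR`, `FW`, `FX`) use the [MS-DTYP] file access mask values; `WD` maps to the Everyone SID `S-1-1-0`. The only condition form supported is `Member_of SID(x)`, the one used in the thread; everything else is rejected rather than guessed, and treating FALSE and unknown conditions alike is a simplification chosen here.

```python
"""Minimal SDDL DACL parser and ordered access check (constructed example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Two-letter SID alias used in the thread: WD = Everyone.
SID_ALIASES = {"WD": "S-1-1-0"}
# File access-right aliases and their [MS-DTYP] mask values.
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
CONDITIONAL_TYPES = {"XA", "XD"}   # allow/deny ACEs carrying a condition
DENY_TYPES, ALLOW_TYPES = {"D", "XD"}, {"A", "XA"}

@dataclass
class Ace:
    ace_type: str
    rights: int
    trustee: str                    # resolved SID string
    condition: Optional[str] = None # raw condition text, e.g. "(Member_of SID(WD))"

def resolve_sid(s):
    return SID_ALIASES.get(s, s)

def resolve_rights(s):
    return int(s, 16) if s.startswith("0x") else RIGHTS_ALIASES[s]

def split_balanced(text, sep):
    """Split on sep only at parenthesis depth 0, so a condition such as
    (Member_of SID(WD)) survives as one field."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts

def parse_ace(body):
    """Fields: type;flags;rights;object_guid;inherit_guid;sid[;condition]."""
    fields = split_balanced(body, ";")
    ace_type, _flags, rights, _obj, _inh, sid = fields[:6]
    cond = fields[6] if len(fields) > 6 else None
    if ace_type in CONDITIONAL_TYPES and cond is None:
        raise ValueError(f"conditional ACE without a condition: {body}")
    return Ace(ace_type, resolve_rights(rights), resolve_sid(sid), cond)

def parse_dacl(sddl):
    """Parse 'D:(ace)(ace)...' into Ace objects, honouring nested parentheses."""
    if not sddl.startswith("D:"):
        raise ValueError("only the DACL component (D:...) is handled here")
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(sddl):
        if ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(parse_ace(sddl[start:i]))
    return aces

MEMBER_OF_RE = re.compile(r"^\(?\s*Member_of\s+SID\(([^)]+)\)\s*\)?$")

def eval_condition(cond, token_sids):
    """Only 'Member_of SID(x)' is understood; other forms raise instead of guessing."""
    m = MEMBER_OF_RE.match(cond.strip())
    if not m:
        raise NotImplementedError(f"unsupported condition: {cond}")
    return resolve_sid(m.group(1)) in token_sids

def access_check(sddl, token_sids, desired):
    """Ordered DACL walk: skip ACEs whose trustee is not in the token or whose
    condition is not TRUE; a deny ACE overlapping the remaining bits stops the
    walk; allow ACEs strip bits until nothing remains. Returns (granted, reason)."""
    remaining = desired
    for n, ace in enumerate(parse_dacl(sddl)):
        if ace.trustee not in token_sids:
            continue
        if ace.ace_type in CONDITIONAL_TYPES and not eval_condition(ace.condition, token_sids):
            continue
        if ace.ace_type in DENY_TYPES:
            if ace.rights & remaining:
                return False, f"denied by ACE {n} ({ace.ace_type}) for {ace.trustee}"
        elif ace.ace_type in ALLOW_TYPES:
            remaining &= ~ace.rights
            if remaining == 0:
                return True, f"fully granted by ACE {n}"
    return remaining == 0, "end of DACL"

EVERYONE = resolve_sid("WD")
THREAD_DACL = "D:(XD;;FA;;;WD;(Member_of SID(WD)))(A;;FA;;;WD)"

if __name__ == "__main__":
    token = {EVERYONE, "S-1-5-21-1-2-3-1001"}   # constructed token SIDs
    for dacl in (THREAD_DACL, "D:(A;;FA;;;WD)",
                 "D:(XD;;FA;;;WD;(Member_of SID(S-1-5-21-1-2-3-9999)))(A;;FA;;;WD)"):
        print(dacl, "->", access_check(dacl, token, RIGHTS_ALIASES["FA"]))
```

Running it prints the thread's DACL as denied by ACE 0, the plain allow-only DACL as granted, and a DACL whose deny condition names a SID absent from the token as granted (the deny is skipped, the allow applies). Comparing such a table of expected outcomes against what a server actually returns over SMB2, as the pcapng in the thread does, is the quickest way to see where an implementation diverges from the ordered-evaluation reading.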