ACL inheritance mess with win2k clients...

Eric Lee Steadle esteadle at
Wed Oct 2 20:03:00 GMT 2002

>Ok - so how does the W2K client "know" it's talking to a W2K or NT
>server ? Any idea what criteria a W2K client uses to check ?

Well, I'm pretty sure it (the client) checks for one or more w2k specific
flags: SE_DACL_AUTO_INHERITED, or perhaps SE_DACL_PROTECTED. Jim said that the
client sets the SE_DACL_AUTO_INHERITED flag (which is not honored by Samba,
nor would it be by NT4), then it queries for those flags again. I'd bet a
quarter that it (the client) is trying to determine what ACL inheritance
mechanism is being used by the server.

Brown says (p. 227)

"If you want to determine whether a particular ACL is participating in a
Windows 2000 style automatic inheritance synchronization scheme, look for the
following bits in the control word of the security descriptor by calling

A security descriptor for securable objects looks like this (the Control
member referred to below is included here; it was missing from the paste):
typedef struct _SECURITY_DESCRIPTOR {
  BYTE                        Revision;
  BYTE                        Sbz1;
  SECURITY_DESCRIPTOR_CONTROL Control;
  PSID                        Owner;
  PSID                        Group;
  PACL                        Sacl;
  PACL                        Dacl;
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;

The SECURITY_DESCRIPTOR_CONTROL member is a bitfield (16 bits) whose
parameters qualify the meaning of the fields in the security descriptor.

One of these bits is SE_DACL_AUTO_INHERITED.

According to MSDN documentation for SECURITY_DESCRIPTOR_CONTROL:

"SE_DACL_AUTO_INHERITED (Windows 2000 or later): Indicates a security
descriptor in which the DACL is set up to support automatic propagation of
inheritable ACEs to existing child objects.
For Windows 2000 ACLs that support auto inheritance, this bit is always set.
It is used to distinguish these ACLs from Windows NT 4.0 ACLs that do not
support auto-inheritance. Protected servers can call the
ConvertToAutoInheritPrivateObjectSecurity function to convert a security
descriptor and set this flag.

This bit is not set in security descriptors for Windows NT versions 4.0 and
earlier, which do not support automatic propagation of inheritable ACEs."

So MS servers keep track of it in their security descriptor control structure,
which I imagine is stored in the file system security database on disk.

All evidence points to SE_DACL_AUTO_INHERITED.
So if it's not working when set appropriately, then I'd say there's another
problem. Maybe with the inheritance mechanism itself? Or maybe both.


>-----Original Message-----
>From: jra at [mailto:jra at]
>Sent: Wednesday, October 02, 2002 3:23 PM
>To: Eric Lee Steadle
>Cc: Jim McDonough; samba-technical at
>Subject: Re: ACL inheritance mess with win2k clients...
>On Wed, Oct 02, 2002 at 03:05:52PM -0400, Eric Lee Steadle wrote:
>> Yep. Exactly what I've observed and exactly as documented by MS.
>> >He tries to set it to an NT server, also...but
>> >somehow he realizes that it doesn't get set and changes all the acls to
>> >match, rather than relying on inheritance.
>> Because the client knows that NT4 servers don't do acl inheritance
>> for him, but 2k servers do. This behavior is documented pretty
>> well in Keith
>> Brown's book.
>Ok - so how does the W2K client "know" it's talking to a W2K or NT
>server ? Any idea what criteria a W2K client uses to check ?

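The probe described above (set SE_DACL_AUTO_INHERITED, read it back, then either trust the server to propagate or push ACEs to every child yourself) as an added, stand-alone model in C; it is not code from the thread or from Samba. The flag values are the documented WinNT.h constants; the rule that an NT4-style server silently drops the auto-inherit control bits, the struct ace layout, the access masks and the sample parent DACL are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SECURITY_DESCRIPTOR_CONTROL bits, values as defined in WinNT.h. */
#define SE_DACL_PRESENT          0x0004
#define SE_DACL_AUTO_INHERIT_REQ 0x0100
#define SE_SACL_AUTO_INHERIT_REQ 0x0200
#define SE_DACL_AUTO_INHERITED   0x0400
#define SE_SACL_AUTO_INHERITED   0x0800
#define SE_DACL_PROTECTED        0x1000
#define SE_SACL_PROTECTED        0x2000
#define SE_SELF_RELATIVE         0x8000

/* ACE_HEADER AceFlags inheritance bits, values as defined in WinNT.h. */
#define OBJECT_INHERIT_ACE       0x01
#define CONTAINER_INHERIT_ACE    0x02
#define NO_PROPAGATE_INHERIT_ACE 0x04
#define INHERIT_ONLY_ACE         0x08
#define INHERITED_ACE            0x10
#define ALL_INHERIT_FLAGS (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | \
                           NO_PROPAGATE_INHERIT_ACE | INHERIT_ONLY_ACE)

typedef uint16_t sd_control_t;
enum server_kind { SERVER_NT4_STYLE, SERVER_W2K_STYLE };

/* Bits only a Windows 2000-style server stores. Model assumption: an NT4-era
   server (or Samba of the time) drops control bits it does not implement. */
#define AUTO_INHERIT_BITS (SE_DACL_AUTO_INHERIT_REQ | SE_SACL_AUTO_INHERIT_REQ | \
                           SE_DACL_AUTO_INHERITED | SE_SACL_AUTO_INHERITED | \
                           SE_DACL_PROTECTED | SE_SACL_PROTECTED)

/* Server side of a set-security call: the control word as it will be stored.
   SE_SELF_RELATIVE only describes the wire layout and is never persisted. */
sd_control_t server_store_control(enum server_kind kind, sd_control_t requested)
{
    sd_control_t stored = requested & (sd_control_t)~SE_SELF_RELATIVE;
    if (kind == SERVER_NT4_STYLE)
        stored &= (sd_control_t)~AUTO_INHERIT_BITS;
    return stored;
}

/* Client side of the probe: set SE_DACL_AUTO_INHERITED, read it back, and
   decide whether the server will propagate inheritable ACEs for us. */
bool client_probe_auto_inherit(enum server_kind kind)
{
    sd_control_t req = SE_DACL_PRESENT | SE_DACL_AUTO_INHERITED | SE_SELF_RELATIVE;
    sd_control_t stored = server_store_control(kind, req);
    return (stored & SE_DACL_AUTO_INHERITED) != 0;
}

/* Simplified ACE (assumed layout for the example, not the on-disk ACE). */
struct ace { uint8_t flags; uint32_t mask; const char *trustee; };

/* Client-side fallback used when the probe fails: compute the ACEs one child
   must receive from its parent DACL. is_container selects subdirectory vs file. */
size_t propagate_to_child(const struct ace *parent, size_t n, bool is_container,
                          struct ace *out, size_t outmax)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < outmax; i++) {
        uint8_t f = parent[i].flags;
        struct ace c = parent[i];
        c.flags |= INHERITED_ACE;
        if (!is_container) {
            if (!(f & OBJECT_INHERIT_ACE)) continue;
            c.flags &= (uint8_t)~ALL_INHERIT_FLAGS;   /* files propagate nothing */
        } else if (f & CONTAINER_INHERIT_ACE) {
            c.flags &= (uint8_t)~INHERIT_ONLY_ACE;    /* effective on the subdir */
            if (f & NO_PROPAGATE_INHERIT_ACE)
                c.flags &= (uint8_t)~ALL_INHERIT_FLAGS;
        } else if ((f & OBJECT_INHERIT_ACE) && !(f & NO_PROPAGATE_INHERIT_ACE)) {
            c.flags |= INHERIT_ONLY_ACE;  /* carried only for files further down */
        } else {
            continue;
        }
        out[k++] = c;
    }
    return k;
}

/* Constructed sample parent DACL: an OI|CI ACE, a file-only inherit-only ACE,
   and a subdirectory-only ACE that stops propagating one level down. */
#define SAMPLE_PARENT_LEN 3
const struct ace sample_parent[SAMPLE_PARENT_LEN] = {
    { OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,       0x1F01FF, "BUILTIN\\Administrators" },
    { OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE,            0x120089, "Everyone" },
    { CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE, 0x1200A9, "Users" },
};

int main(void)
{
    struct ace child[8];
    printf("W2K-style server honours probe: %d\n", client_probe_auto_inherit(SERVER_W2K_STYLE));
    printf("NT4-style server honours probe: %d\n", client_probe_auto_inherit(SERVER_NT4_STYLE));
    printf("file child gets %zu ACEs\n",
           propagate_to_child(sample_parent, SAMPLE_PARENT_LEN, false, child, 8));
    printf("subdir child gets %zu ACEs\n",
           propagate_to_child(sample_parent, SAMPLE_PARENT_LEN, true, child, 8));
    return 0;
}
```

The two probe calls show the decision point the thread is about: against the W2K-style server the flag survives the round trip, against the NT4-style server it does not, and only in the second case does the client fall into propagate_to_child and rewrite every descendant's DACL itself.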
More information about the samba-technical mailing list