Windows/NFSv4 ACL interoperability

tridge at samba.org
Thu Mar 16 06:22:58 GMT 2006


Michael,

 > Because security descriptors are not NDR encoded in various RPCs
 > I strongly suspect that they are not interpreted at all when simply
 > getting or setting them. They are just binary blobs. You get out
 > what you put in.

no, they are interpreted. The mapping of the generic bits to the
object specific bits happens on store as you can tell if you store
with generic bits and then fetch it back. See for example the RAW-ACLS
test in the Samba4 smbtorture, which sets an ACE on a file with
SEC_GENERIC_READ | SEC_STD_ALL and checks that when you read it back
it is given as SEC_RIGHTS_FILE_READ | SEC_STD_ALL.

Also, the "not NDR encoded" is perhaps a bit misleading. Windows has
functions that map an ACL between "self relative" format and unpacked
structure format. The "self relative" format is a linearisation that
is based loosely on NDR. In Samba4 we use our IDL/NDR framework to do
this linearisation, with a small tweak to NDR to allow for the self
relative method of handling pointers. I suspect in Windows this is
hand-coded, but it is so close to NDR that it doesn't really matter.

Cheers, Tridge
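The two points above (generic bits are rewritten into object-specific bits when a descriptor is stored, and a self-relative descriptor is a flat blob whose header carries byte offsets rather than pointers) can be checked offline. The example below is added here and is not Samba's code or the RAW-ACLS test; it uses the documented Windows FILE_GENERIC_* values (Samba's SEC_RIGHTS_FILE_READ is FILE_GENERIC_READ and SEC_STD_ALL is STANDARD_RIGHTS_ALL), a constructed SID, and a single-ACE DACL. The pack/unpack routines follow the on-the-wire layouts of SECURITY_DESCRIPTOR_RELATIVE, ACL, ACCESS_ALLOWED_ACE and SID; the order in which owner, group and DACL are placed after the header is an assumption, since only the offsets matter.

```python
import struct

# Generic rights in a Windows ACCESS_MASK (Samba: SEC_GENERIC_*)
GENERIC_READ    = 0x80000000
GENERIC_WRITE   = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL     = 0x10000000
GENERIC_BITS    = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL

# What each generic bit means for a file object (Windows FILE_GENERIC_*).
# Samba names FILE_GENERIC_READ SEC_RIGHTS_FILE_READ and 0x001F0000 SEC_STD_ALL.
FILE_GENERIC_READ    = 0x00120089
FILE_GENERIC_WRITE   = 0x00120116
FILE_GENERIC_EXECUTE = 0x001200A0
FILE_ALL_ACCESS      = 0x001F01FF
STANDARD_RIGHTS_ALL  = 0x001F0000

SE_DACL_PRESENT  = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00

# Constructed sample SID (not a real domain): S-1-5-21-1000-2000-3000-1001
SAMPLE_SID = (5, [21, 1000, 2000, 3000, 1001])


def map_generic_mask(mask: int) -> int:
    """Expand generic bits into file-specific rights; non-generic bits pass through."""
    specific = mask & ~GENERIC_BITS
    if mask & GENERIC_READ:
        specific |= FILE_GENERIC_READ
    if mask & GENERIC_WRITE:
        specific |= FILE_GENERIC_WRITE
    if mask & GENERIC_EXECUTE:
        specific |= FILE_GENERIC_EXECUTE
    if mask & GENERIC_ALL:
        specific |= FILE_ALL_ACCESS
    return specific & 0xFFFFFFFF


def pack_sid(authority: int, subauths: list) -> bytes:
    # SID: revision 1, sub-authority count, 48-bit big-endian authority, LE sub-authorities
    return (struct.pack("<BB", 1, len(subauths))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))


def unpack_sid(buf: bytes, off: int):
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), 8 + 4 * count


def pack_self_relative_sd(owner, group, dacl_masks) -> bytes:
    """Linearise header + owner + group + DACL; the header holds byte offsets, not pointers."""
    owner_b, group_b = pack_sid(*owner), pack_sid(*group)
    aces = b""
    for mask in dacl_masks:
        sid_b = pack_sid(*SAMPLE_SID)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), mask) + sid_b
    dacl_b = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(dacl_masks), 0) + aces
    off_owner = 20                       # SECURITY_DESCRIPTOR_RELATIVE header is 20 bytes
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(group_b)  # no SACL, so its offset stays 0
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      off_owner, off_group, 0, off_dacl)
    return hdr + owner_b + group_b + dacl_b


def dacl_entries(sd: bytes):
    """Walk the self-relative blob back to (mask, sid) pairs using the stored offsets."""
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    assert rev == 1 and control & SE_SELF_RELATIVE
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    entries, pos = [], off_dacl + 8
    for _ in range(ace_count):
        _, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        sid_str, _ = unpack_sid(sd, pos + 8)
        entries.append((mask, sid_str))
        pos += ace_size
    return entries


def store_and_fetch(masks):
    """Model the round trip the post describes: generic bits are mapped on store."""
    blob = pack_self_relative_sd(SAMPLE_SID, SAMPLE_SID, [map_generic_mask(m) for m in masks])
    return [mask for mask, _ in dacl_entries(blob)]


if __name__ == "__main__":
    before = GENERIC_READ | STANDARD_RIGHTS_ALL
    after, = store_and_fetch([before])
    print("stored 0x%08X, read back 0x%08X" % (before, after))
```

Storing SEC_GENERIC_READ | SEC_STD_ALL (0x801F0000) and reading it back yields 0x001F0089, i.e. SEC_RIGHTS_FILE_READ | SEC_STD_ALL, which is exactly the behaviour the RAW-ACLS test checks; any audit tooling that compares an ACL it wrote against what the server returns has to apply the same mapping first or it will report a spurious mismatch.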

