NT_TRANSACT_QUERY_SECURITY_DESC on Shares Sometimes Returns No ACLs

Michael B Allen mba2000 at ioplex.com
Wed Jan 3 04:15:15 GMT 2007


Dear samba-technical,

I have a CIFS protocol question and I know of no better place to ask
than here so hopefully someone can help us.

Apparently an NT_TRANSACT_QUERY_SECURITY_DESC on a share can sometimes
return a security descriptor with no ACLs. This has been observed by
someone using Explorer and the standard Windows ACL editor (actually
never get to the ACL editor because the dialog is greyed out). However,
if My Computer > Manage > Connect to > Shared Folders > Shares is used
to view the ACL editor instead, a NetrShareGetInfo with SHARE_INFO_502
is used which successfully returns the security descriptor with ACLs.

Has anyone seen this behavior before?

Why does this happen? The NT_TRANSACT_QUERY_SECURITY_DESC works on shares
most of the time.

Can someone suggest a robust procedure for retrieving the ACLs of a
share? Is it simply a matter of trying the NetrShareGetInfo/SHARE_INFO_502
if the NT_TRANSACT_QUERY_SECURITY_DESC doesn't return any ACLs?

Mike

On Tue, 02 Jan 2007 22:35:36 -0500
Karl Wright <kwright at metacarta.com> wrote:

> Michael B Allen wrote:
> > 
> > So if you run the GetSecurity example exactly like:
> > 
> >   java -Djcifs.properties=user.prp \
> >       GetSecurity smb://wxp-ie-65-201.qa-ad-65.metacarta.com/dir7share/
> > 
> > you get what?
> > 
> 
> I get nada:
> 
> duck30:~# java -classpath 
> /usr/lib/metacarta/java-environment/jcifs.jar:. 
> -Djcifs.properties=jcifs.prp GetSecurity 
> smb://wxp-ie-65-201.qa-ad-65.metacarta.com/dir7share/
> duck30:~#
> 
> 
> Karl
> 


More information about the samba-technical mailing list