ACL implementation first draft

Stefan (metze) Metzmacher metze at
Tue Apr 7 09:44:22 GMT 2009

Volker Lendecke schrieb:
> On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote:
>> I uploaded our work on ACL implementation at:
>> git://
>> branch: master-acl
>> It is based on WSPP documentation and it follows the algorithms described there directly.
>> The code isn't working, but contains almost all the functionality required for this task.
>> There are a couple of test cases already added, which run against Windows 2003.
>> What we didn't implement yet is: 
>> * rename
>> * delete tree
>> * some special cases of nTSecurityDescriptor
>> In the following days to SambaXP we plan to focus on:
>> * your feedback
>> * adding test cases
>> * testing the code 
> Quick and probably stupid question: Is it really necessary
> to add another argument to se_access_check? I would think
> this routine is core to Windows as well, and I thought the
> way it's written is pretty much carved in stone. Did
> Microsoft really add an AD-specific argument to that core
> routine? For this piece, I would really like to do exactly
> what Microsoft does.

Yes, AD Security Descriptors are different than NTFS ones,
but I think we should have two different public functions and make sure
we check the revision number match with what the caller expects.

E.g. se_access_check() should only grant access if the sd has revision
NT4. And the se_access_check_ad() function should allow both sd
revisions. Both functions could use a static se_access_check_common()


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url :

More information about the samba-technical mailing list