ACL implementation first draft

Nadezhda Ivanova nadezhda.ivanova at
Tue Apr 7 09:57:01 GMT 2009

Hi Metze,
Thank you so much for your feedback!
After reading the MS docs I got the impression that the security descriptors are NOT actually different, only the security masks' flags may mean different things (MS-SECO). I may of course be wrong. I also verified the algorithm of the sec_access_check against the algorithm described in MS-DTYP and it seemed identical except the object-specific checks, which are handled in a separate function and ignored if no object tree is provided. Of course we can always duplicate the code and use a separate security check for AD, but it seemed against the MS architecture somehow...

Nadezhda Ivanova

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at] 
Sent: Tuesday, April 07, 2009 12:44 PM
To: 'Volker.Lendecke at SerNet.DE'
Cc: samba-technical at
Subject: Re: ACL implementation first draft

Volker Lendecke schrieb:
> On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote:
>> I uploaded our work on ACL implementation at:
>> git://
>> branch: master-acl
>> It is based on WSPP documentation and it follows the algorithms described there directly.
>> The code isn't working, but contains almost all the functionality required for this task.
>> There are a couple of test cases already added, which run against Windows 2003.
>> What we didn't implement yet is: 
>> * rename
>> * delete tree
>> * some special cases of nTSecurityDescriptor
>> In the following days to SambaXP we plan to focus on:
>> * your feedback
>> * adding test cases
>> * testing the code 
> Quick and probably stupid question: Is it really necessary
> to add another argument to se_access_check? I would think
> this routine is core to Windows as well, and I thought the
> way it's written is pretty much carved in stone. Did
> Microsoft really add an AD-specific argument to that core
> routine? For this piece, I would really like to do exactly
> what Microsoft does.

Yes, AD Security Descriptors are different than NTFS ones,
but I think we should have two different public functions and make sure
we check the revision number match with what the caller expects.

E.g. se_access_check() should only grant access if the sd has revision
NT4. And the se_access_check_ad() function should allow both sd
revisions. Both functions could use a static se_access_check_common()
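
The split proposed in the message above (two public entry points that gate on the revision and share one static walker), sketched as an added example that is not code from the thread or from Samba. The `demo_*` names, the simplified structures, the numeric SIDs and the sample data are hypothetical; modelling "revision" as the ACL revision (2 and 4, the ACL_REVISION and ACL_REVISION_DS values in MS-DTYP) and granting an object ACE whenever a tree is present are assumptions made to keep the sketch short.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical simplified types for illustration; not Samba's structures. */
enum { ACL_REV_NT4 = 2, ACL_REV_ADS = 4 };       /* ACL revisions (MS-DTYP) */
enum { ACE_ALLOW, ACE_DENY, ACE_ALLOW_OBJECT };  /* constructed ACE kinds */
enum { CHECK_OK, CHECK_DENIED, CHECK_BAD_REVISION };
struct ace { int type; uint32_t sid; uint32_t mask; };
struct sd  { int acl_revision; size_t num_aces; const struct ace *aces; };

/* Shared DACL walk: ACEs are evaluated in order until every bit is granted. */
static int demo_access_check_common(const struct sd *sd, uint32_t sid,
                                    uint32_t desired, int have_object_tree)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < sd->num_aces && remaining != 0; i++) {
        const struct ace *a = &sd->aces[i];
        if (a->sid != sid) continue;
        if (a->type == ACE_ALLOW_OBJECT && !have_object_tree)
            continue;   /* object-specific ACE ignored without a tree */
        if (a->type != ACE_DENY)
            remaining &= ~a->mask;
        else if (a->mask & remaining)
            return CHECK_DENIED;
    }
    return remaining == 0 ? CHECK_OK : CHECK_DENIED;
}

/* Non-AD entry point: only the NT4 revision is accepted (fails closed). */
int demo_access_check(const struct sd *sd, uint32_t sid, uint32_t desired)
{
    if (sd->acl_revision != ACL_REV_NT4)
        return CHECK_BAD_REVISION;
    return demo_access_check_common(sd, sid, desired, 0);
}

/* AD entry point: both revisions are accepted, anything else is rejected. */
int demo_access_check_ad(const struct sd *sd, uint32_t sid, uint32_t desired,
                         int have_object_tree)
{
    if (sd->acl_revision != ACL_REV_NT4 && sd->acl_revision != ACL_REV_ADS)
        return CHECK_BAD_REVISION;
    return demo_access_check_common(sd, sid, desired, have_object_tree);
}

/* Constructed sample: SID 7 gets 0x1 directly and 0x2 via an object ACE. */
static const struct ace sample_aces[] = {
    { ACE_ALLOW, 7, 0x1 }, { ACE_ALLOW_OBJECT, 7, 0x2 },
};
const struct sd sample_nt4 = { ACL_REV_NT4, 2, sample_aces };
const struct sd sample_ads = { ACL_REV_ADS, 2, sample_aces };
```

Returning a distinct status for a revision mismatch lets a caller tell "wrong kind of descriptor" apart from an ordinary denial, while still never granting access on a descriptor the entry point was not written for.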

