a few SD questions

Matthias Dieter Wallnöfer mdw at samba.org
Mon Nov 23 07:05:09 MST 2009

Hi Nadya,

(maybe a bit out of topic - but I think it's worth to ask) do you plan 
to remove the "kludge_acl" module? I think with your recent work it's 
nearly obsolete and I personally don't see it useful anymore (to be 
honest I would like to see it dropped soon). I think with some minor 
work and suggestions by abartlet it should be feasible.


Nadezhda Ivanova wrote:
> Hi Mattieu,
> Thanks for the research. I do not understand however why you expect to have an ID (I assume that is what you mean by DI) flag in the DACL ace. The DACL has the P flag, which means break inheritance - we are not supposed to inherit anything from the parent in the DACL. This is also the case in the win2k3 descriptor that you have pasted. In that descriptor you seem to have nothing inherited in the DACL as well.
> The sacl seems to me missing an inherit only flag, will have to debug what is causing this...
> I am also not sure about the differences in the group. Are you sure the policy in win2k3 has been created without providing an owner or a group?
> Regards,
> Nadya
> ----- Original Message -----
>> From: Matthieu Patou<mat at matws.net>
>> To: samba-technical<samba-technical at lists.samba.org>, Nadezhda Ivanova<nadezhda.ivanova at postpath.com>
>> Sent: Monday, November 23, 2009 8:42:09 AM GMT+0200 Europe;Athens
>> Subject: a few SD questions
>>> Hello nadya,
>> I made some tests today with GPO and it seems that things are getting
>> a
>> lot more better
>> Below it's the SD for a newly created policy, it quite OK just we have
>> the duplicate ACL for Domain Admins due to the fact that the creator
>> owner is Domain Admin. Also I think that we should have the AI control
>> flag as the SD is DACL_PROTECTED and that it has some (all?) ACL from
>> the parent SD. Also those inherited ACE should have the flag DI
>> (although it isn't very clear what is the effect of this flag, seems
>> more cosmetic than something else to me).
>> O:S-1-5-21-487418869-183637953-2310109715-512G:
>> S-1-5-21-487418869-183637953-2310109715-513D:P
>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-487418869-183637953-231010971
>>    1-487418869-183637953-2310109715-519)
>> 487418869-183637953-2310109715-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;C
>> O)(A;C
>> (A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-1
>>    1d1-b41d-00a0c968f939;;AU)
>> S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0
>> -11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CII
>> ;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa00304
>> 9e2;WD
>>    )
>> In the same time here is the SD for a newly create gpo in w2k3:
>> They are identical for the DACL part, there is still some difference
>> on
>> the sacl part. Also it's worth noting that the group is different
>> O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-3208502064-746
>> 857408-2662927446-512
>> D:PAI
>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
>> 46-512)
>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629274
>> 46-519)
>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-2662927446
>> -512)
>> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
>> S:AI
>> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
>> -a285-00aa003049e2;WD)
>> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0
>> -a285-00aa003049e2;WD)
>> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
>> Matthieu.

More information about the samba-technical mailing list