About ACL

Matthieu Patou mat at matws.net
Sun Oct 11 13:23:26 MDT 2009


Hello Nadya,

I made a few tests today on GPO and it's back online, good job.
Now that's it's working and that I think I found a the root cause of 
rights problems with GPO (sDrightEffective attribute see bug 6801), I am 
starting to be more picky about the differences between w2kx and s4.

For some reason it seems that s4 is doing inheritance on ACLs when w2kx 
(w2k3 for sure) is not doing it. It' clearly visible in GPMC because 
there is a delegation for Pre  Windows 2000 group and Domain Admins 
group when there is none in w2k3.

A deeper analysis on SDDL show it more clearly.

For the moment it does no harm but I think it means that we are now 
calculating all the ACL in the correct way and maybe one day it'll bite 
us ...

I attached to this email sddl for s4 and w2k3, I normalized them so that 
it's quite easy to see the difference in xxdiff (but any graphical diff 
would do).

Matthieu
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: s4_acl
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091011/b78234df/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: w2k3_acl
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091011/b78234df/attachment-0001.ksh>


More information about the samba-technical mailing list