Win2K08 does not like the order in which we add inheritable ACEs in modules/vfs_acl_common.c:add_acl_inheritable_components

Gerald Carter jerry at plainjoe.org
Sat Mar 31 12:28:11 MDT 2012


On 3/30/2012 3:20 PM, Richard Sharpe wrote:

> From observing what W2K08 does and having tweaked the code, it seems
> pretty clear that the inheritable entries added should come first.
> 
> I still have to test that W2K03 is happy, though, and should probably
> look at Win7.

Hey Richard,

Are you sure about that?

http://technet.microsoft.com/en-us/library/cc961994.aspx

"The preferred order of ACEs in a DACL is called the canonical order.
For Windows 2000, the canonical order is the following:

* All explicit ACEs are placed in a group before any inherited ACEs.

* Within the group of explicit ACEs, access-denied ACEs are
  placed before access-allowed ACEs.

* Inherited ACEs are placed in the order in which they are
  inherited. ACEs inherited from the child object's parent come
  first, then ACEs inherited from the grandparent, and so on
  up the tree of objects."



Cheers, Jerry
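
The ordering rules quoted from the TechNet page above, as an added example (not part of the original message and not Samba's code): a check and a stable reorder over a simplified, hypothetical `demo_ace` struct. The type and flag values are the Windows ACE header constants; the `trustee` field and the sample ACEs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ACE_TYPE_ALLOWED   0x00  /* ACCESS_ALLOWED_ACE_TYPE */
#define ACE_TYPE_DENIED    0x01  /* ACCESS_DENIED_ACE_TYPE */
#define ACE_FLAG_INHERITED 0x10  /* INHERITED_ACE */

/* Hypothetical, simplified ACE; not Samba's struct security_ace. */
struct demo_ace {
    uint8_t  type;
    uint8_t  flags;
    uint32_t trustee;  /* constructed stand-in for a SID */
};

/* Rank per the quoted rules: explicit deny, explicit allow, inherited.
 * Simplification: any explicit ACE that is not a deny counts as allow. */
static int ace_rank(const struct demo_ace *a)
{
    if (a->flags & ACE_FLAG_INHERITED) return 2;
    return a->type == ACE_TYPE_DENIED ? 0 : 1;
}

/* Returns 1 if the list already follows the quoted order, else 0. */
int dacl_is_canonical(const struct demo_ace *aces, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (ace_rank(&aces[i]) < ace_rank(&aces[i - 1])) return 0;
    return 1;
}

/* Stable reorder into out[]. Inherited ACEs keep their relative order,
 * because "parent first, then grandparent" cannot be derived from flags. */
void dacl_canonicalize(const struct demo_ace *in, size_t n, struct demo_ace *out)
{
    size_t k = 0;
    for (int rank = 0; rank <= 2; rank++)
        for (size_t i = 0; i < n; i++)
            if (ace_rank(&in[i]) == rank) out[k++] = in[i];
}

int main(void)
{
    /* Constructed sample: an inherited ACE placed ahead of explicit ones. */
    struct demo_ace in[3] = { { ACE_TYPE_ALLOWED, ACE_FLAG_INHERITED, 10 },
                              { ACE_TYPE_ALLOWED, 0, 20 },
                              { ACE_TYPE_DENIED, 0, 40 } }, out[3];
    dacl_canonicalize(in, 3, out);
    printf("before=%d after=%d\n", dacl_is_canonical(in, 3), dacl_is_canonical(out, 3));
    return 0;
}
```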
