Win2K08 does not like the order in which we add inheritable ACEs in modules/vfs_acl_common.c:add_acl_inheritable_components
ma at sernet.de
Sat Mar 31 12:36:20 MDT 2012
I think you misread "inheritable" (i.e. the OBJECT_INHERIT or
CONTAINER_INHERIT ace flags) for "inherited" (the INHERITED_ACE flag).
Cheers - Michael
Gerald Carter wrote:
> On 3/30/2012 3:20 PM, Richard Sharpe wrote:
> > From observing what W2K08 does and having tweaked the code, it seems
> > pretty clear that the inheritable entries added should come first.
> > I still have to test that W2K03 is happy, though, and should probably
> > look at Win7.
> Hey Richard,
> Are you sure about that?
> "The preferred order of ACEs in a DACL is called the canonical order.
> For Windows 2000, the canonical order is the following:
> * All explicit ACEs are placed in a group before any inherited ACEs.
> * Within the group of explicit ACEs, access-denied ACEs are
> placed before access-allowed ACEs.
> * Inherited ACEs are placed in the order in which they are
> inherited. ACEs inherited from the child object's parent come
> first, then ACEs inherited from the grandparent, and so on
> up the tree of objects."
> Cheers, Jerry
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 206 bytes
Desc: not available
More information about the samba-technical