Win2K08 does not like the order in which we add inheritable ACEs in modules/vfs_acl_common.c:add_acl_inheritable_components

Michael Adam ma at sernet.de
Sat Mar 31 12:36:20 MDT 2012


Jerry,

I think you misread "inheritable" (i.e. the OBJECT_INHERIT or
CONTAINER_INHERIT ace flags) for "inherited" (the INHERITED_ACE flag).

Cheers - Michael

Gerald Carter wrote:
> On 3/30/2012 3:20 PM, Richard Sharpe wrote:
> 
> > From observing what W2K08 does and having tweaked the code, it seems
> > pretty clear that the inheritable entries added should come first.
> > 
> > I still have to test that W2K03 is happy, though, and should probably
> > look at Win7.
> 
> Hey Richard,
> 
> Are you sure about that?
> 
> http://technet.microsoft.com/en-us/library/cc961994.aspx
> 
> "The preferred order of ACEs in a DACL is called the canonical order.
> For Windows 2000, the canonical order is the following:
> 
> * All explicit ACEs are placed in a group before any inherited ACEs.
> 
> * Within the group of explicit ACEs, access-denied ACEs are
>   placed before access-allowed ACEs.
> 
> * Inherited ACEs are placed in the order in which they are
>   inherited. ACEs inherited from the child object's parent come
>   first, then ACEs inherited from the grandparent, and so on
>   up the tree of objects."
> 
> 
> 
> Cheers, Jerry
> 



-- 
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
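
The distinction drawn in this message, as an added example that is not part of the original mail or of Samba's code: the check below implements the first two canonical-order rules quoted from TechNet and keys them only on INHERITED_ACE, so the OBJECT_INHERIT/CONTAINER_INHERIT ("inheritable") bits never affect the result. The `mini_ace` struct, the function names and the sample arrays are hypothetical and constructed for illustration; the type and flag values are the standard Windows ones.

```c
#include <stddef.h>
#include <stdint.h>

/* ACE type and flag values as defined for Windows security descriptors. */
#define ACCESS_ALLOWED_ACE_TYPE 0x00
#define ACCESS_DENIED_ACE_TYPE  0x01
#define OBJECT_INHERIT_ACE      0x01 /* inheritable: propagates to child files */
#define CONTAINER_INHERIT_ACE   0x02 /* inheritable: propagates to child dirs */
#define INHERITED_ACE           0x10 /* inherited: this ACE came from a parent */

/* Hypothetical minimal ACE; real ACEs also carry an access mask and a SID. */
struct mini_ace { uint8_t type; uint8_t flags; };

/* "Inheritable" says where the ACE will go, not where it came from. */
int ace_is_inheritable(const struct mini_ace *a)
{
	return (a->flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)) != 0;
}

int ace_is_inherited(const struct mini_ace *a)
{
	return (a->flags & INHERITED_ACE) != 0;
}

/* Returns 1 if explicit ACEs precede inherited ones and explicit deny ACEs
 * precede explicit allow ACEs. The third quoted rule (parent before
 * grandparent) cannot be checked from the flags alone and is not tested. */
int dacl_is_canonical(const struct mini_ace *aces, size_t n)
{
	int seen_inherited = 0, seen_explicit_allow = 0;

	for (size_t i = 0; i < n; i++) {
		if (ace_is_inherited(&aces[i])) {
			seen_inherited = 1;
		} else if (seen_inherited) {
			return 0; /* explicit ACE after an inherited one */
		} else if (aces[i].type == ACCESS_DENIED_ACE_TYPE) {
			if (seen_explicit_allow)
				return 0; /* explicit deny after explicit allow */
		} else if (aces[i].type == ACCESS_ALLOWED_ACE_TYPE) {
			seen_explicit_allow = 1;
		}
	}
	return 1;
}

/* Constructed samples: [1] is inheritable but explicit; [2] is both. */
const struct mini_ace sample_ok[] = { {ACCESS_DENIED_ACE_TYPE, 0},
	{ACCESS_ALLOWED_ACE_TYPE, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE},
	{ACCESS_ALLOWED_ACE_TYPE, INHERITED_ACE | CONTAINER_INHERIT_ACE} };
const struct mini_ace sample_bad[] = { {ACCESS_ALLOWED_ACE_TYPE, INHERITED_ACE},
	{ACCESS_ALLOWED_ACE_TYPE, OBJECT_INHERIT_ACE} };
```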