Win2K08 does not like the order in which we add inheritable ACEs in modules/vfs_acl_common.c:add_acl_inheritable_components

Michael Adam ma at
Sat Mar 31 12:36:20 MDT 2012


I think you misread "inheritable" (i.e. the OBJECT_INHERIT or
CONTAINER_INHERIT ace flags) for "inherited" (the INHERITED_ACE flag).

Cheers - Michael

Gerald Carter wrote:
> On 3/30/2012 3:20 PM, Richard Sharpe wrote:
> > From observing what W2K08 does and having tweaked the code, it seems
> > pretty clear that the inheritable entries added should come first.
> > 
> > I still have to test that W2K03 is happy, though, and should probably
> > look at Win7.
> Hey Richard,
> Are you sure about that?
> "The preferred order of ACEs in a DACL is called the canonical order.
> For Windows 2000, the canonical order is the following:
> * All explicit ACEs are placed in a group before any inherited ACEs.
> * Within the group of explicit ACEs, access-denied ACEs are
>   placed before access-allowed ACEs.
> * Inherited ACEs are placed in the order in which they are
>   inherited. ACEs inherited from the child object's parent come
>   first, then ACEs inherited from the grandparent, and so on
>   up the tree of objects."
> Cheers, Jerry

Michael Adam <ma at>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
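
The distinction drawn in this message, as an added example that is not part of the thread and not Samba's code: an ACE carrying OBJECT_INHERIT or CONTAINER_INHERIT is inheritable but remains explicit unless INHERITED_ACE is also set, and only that flag moves it into the trailing group of the quoted canonical order. The `struct ace` layout, helper names and sample trustees are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ACE type and flag values from the Windows security descriptor format. */
#define ACE_ALLOWED   0x00
#define ACE_DENIED    0x01
#define ACE_OI        0x01 /* OBJECT_INHERIT: inheritable by child files */
#define ACE_CI        0x02 /* CONTAINER_INHERIT: inheritable by child directories */
#define ACE_INHERITED 0x10 /* INHERITED_ACE: this ACE was inherited from a parent */

/* Hypothetical minimal ACE for this example, not Samba's struct security_ace. */
struct ace { uint8_t type; uint8_t flags; const char *trustee; };

static int ace_is_inheritable(const struct ace *a) { return (a->flags & (ACE_OI | ACE_CI)) != 0; }
static int ace_is_inherited(const struct ace *a) { return (a->flags & ACE_INHERITED) != 0; }

/* Group rank per the quoted rules: explicit deny, explicit allow, then inherited. */
static int ace_rank(const struct ace *a) {
	if (ace_is_inherited(a)) return 2; /* depth is not in the flags: one rank for all */
	return a->type == ACE_DENIED ? 0 : 1;
}

/* Return the index of the first ACE that breaks canonical order, or -1 if none. */
int first_noncanonical(const struct ace *aces, size_t n) {
	for (size_t i = 1; i < n; i++)
		if (ace_rank(&aces[i]) < ace_rank(&aces[i - 1])) return (int)i;
	return -1;
}

/* Constructed sample DACLs (trustee names are made up). */
static const struct ace dacl_ok[] = {
	{ ACE_DENIED,  0,                               "guest"  },
	{ ACE_ALLOWED, ACE_OI | ACE_CI,                 "owner"  }, /* inheritable, still explicit */
	{ ACE_ALLOWED, ACE_INHERITED,                   "users"  }, /* inherited */
	{ ACE_ALLOWED, ACE_INHERITED | ACE_OI | ACE_CI, "admins" }, /* inherited and inheritable */
};
static const struct ace dacl_bad[] = {
	{ ACE_ALLOWED, ACE_INHERITED,   "users" },
	{ ACE_ALLOWED, ACE_OI | ACE_CI, "owner" }, /* explicit ACE placed after an inherited one */
};

int main(void) {
	printf("owner ACE inheritable=%d inherited=%d\n",
	       ace_is_inheritable(&dacl_ok[1]), ace_is_inherited(&dacl_ok[1]));
	printf("dacl_ok: %d, dacl_bad: %d\n", first_noncanonical(dacl_ok, 4), first_noncanonical(dacl_bad, 2));
	return 0;
}
```

The check only covers the grouping rules quoted above; the parent-before-grandparent ordering inside the inherited group cannot be verified from ACE flags alone.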