Win2K08 does not like the order in which we add inheritable ACEs in modules/vfs_acl_common.c:add_acl_inheritable_components
Michael Adam
ma at sernet.de
Sat Mar 31 12:36:20 MDT 2012
Jerry,
I think you misread "inheritable" (i.e. the OBJECT_INHERIT or
CONTAINER_INHERIT ace flags) for "inherited" (the INHERITED_ACE flag).
Cheers - Michael
Gerald Carter wrote:
> On 3/30/2012 3:20 PM, Richard Sharpe wrote:
>
> > From observing what W2K08 does and having tweaked the code, it seems
> > pretty clear that the inheritable entries added should come first.
> >
> > I still have to test that W2K03 is happy, though, and should probably
> > look at Win7.
>
> Hey Richard,
>
> Are you sure about that?
>
> http://technet.microsoft.com/en-us/library/cc961994.aspx
>
> "The preferred order of ACEs in a DACL is called the canonical order.
> For Windows 2000, the canonical order is the following:
>
> * All explicit ACEs are placed in a group before any inherited ACEs.
>
> * Within the group of explicit ACEs, access-denied ACEs are
> placed before access-allowed ACEs.
>
> * Inherited ACEs are placed in the order in which they are
> inherited. ACEs inherited from the child object's parent come
> first, then ACEs inherited from the grandparent, and so on
> up the tree of objects."
>
>
>
> Cheers, Jerry
>
--
Michael Adam <ma at sernet.de>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
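
An added example, not part of the original message and not Samba's code: a check of the canonical order quoted above, in which only the INHERITED_ACE flag moves an ACE into the inherited group, while the OBJECT_INHERIT and CONTAINER_INHERIT flags leave an explicit ACE explicit. The struct `demo_ace`, the function names and the sample DACLs are hypothetical; only access-allowed and access-denied ACE types are handled.

```c
#include <stddef.h>
#include <stdint.h>

/* ACE type and flag values as defined by Windows. */
#define ACE_ALLOWED   0x00
#define ACE_DENIED    0x01
#define ACE_OI        0x01  /* OBJECT_INHERIT: inheritable by child files */
#define ACE_CI        0x02  /* CONTAINER_INHERIT: inheritable by child dirs */
#define ACE_INHERITED 0x10  /* INHERITED_ACE: this ACE came from a parent */

/* Hypothetical minimal ACE for illustration, not Samba's struct security_ace. */
struct demo_ace { uint8_t type; uint8_t flags; const char *trustee; };

/* Group per the quoted rules: 0 = explicit deny, 1 = explicit allow,
 * 2 = inherited. OI/CI are deliberately ignored here. */
static int canonical_rank(const struct demo_ace *ace)
{
    if (ace->flags & ACE_INHERITED)
        return 2;
    return ace->type == ACE_DENIED ? 0 : 1;
}

/* Return the index of the first ACE that breaks canonical order, or -1. */
int first_noncanonical(const struct demo_ace *aces, size_t n)
{
    int prev = 0;
    for (size_t i = 0; i < n; i++) {
        int r = canonical_rank(&aces[i]);
        if (r < prev)
            return (int)i;
        prev = r;
    }
    return -1;
}

/* Constructed sample DACLs. */
const struct demo_ace dacl_ok[] = {
    { ACE_DENIED,  0,                               "guest"  },
    { ACE_ALLOWED, ACE_OI | ACE_CI,                 "owner"  }, /* explicit, inheritable */
    { ACE_ALLOWED, ACE_INHERITED,                   "users"  },
    { ACE_ALLOWED, ACE_INHERITED | ACE_OI | ACE_CI, "admins" },
};
const struct demo_ace dacl_inherited_first[] = {
    { ACE_ALLOWED, ACE_INHERITED | ACE_OI | ACE_CI, "admins" },
    { ACE_ALLOWED, ACE_OI | ACE_CI,                 "owner"  }, /* explicit after inherited */
};
```
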