[PATCH] Fix bug #9932 - Currently the maximum number of aces in an SD is limited to 1000, but Microsoft supports around 1800

Richard Sharpe realrichardsharpe at gmail.com
Sat Jun 8 16:08:17 MDT 2013

On Fri, Jun 7, 2013 at 4:42 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2013-06-07 at 19:40 -0400, Scott Lovenberg wrote:
>> On Jun 7, 2013, at 7:33 PM, Jeremy Allison <jra at samba.org> wrote:
>> > Richard, please review and push if you're ok with it.
>> >
>> > Jeremy.
>> > <0001-Fix-bug-9932-Currently-the-maximum-number-of-aces-in.patch>
>> I had a bit of a sidebar with Richard about this a while ago. IIRC, I thought it depends on the size of the ACEs in the ACL? That is, the aggregate size of the ACL. :/
> The limit in the IDL was added as an attempt to avoid allocating
> infinite amounts of memory attempting to parse structures that are not
> plausible.  Changing it a little shouldn't hurt, but I agree this might
> not be how windows enforces this.

The evidence we have is that the clients enforce this. If you build an
ACL that will result in an SD larger than 64 KiB it refuses to even let
the SD hit the wire.

From that perspective, 1,800 is not quite correct because we have seen
ACLs with 1818 succeed. That, of course, relates to the fact that
S-1-5-21-x-y-z-rid is larger than S-1-1-0 or S-1-5-32-544 etc.

Richard Sharpe
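
The size arithmetic behind this message, as an added example that is not part of the original post or of Samba's code: it packs SIDs and ACCESS_ALLOWED ACEs in their binary layout and counts how many fit under a byte limit. The sample SIDs are constructed, and it assumes the 64 KiB limit applies to the whole self-relative SD, that owner and group are domain SIDs, and that there is no SACL.

```python
import struct

SD_LIMIT = 64 * 1024  # the 64 KiB figure from the thread (assumed to cover the whole SD)

def pack_sid(sid):
    """Encode a string SID such as 'S-1-5-32-544' in the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    # 1-byte revision, 1-byte count, 48-bit big-endian authority,
    # then one little-endian uint32 per sub-authority.
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def pack_ace(sid, mask=0x001F01FF):
    """ACCESS_ALLOWED ACE: 4-byte header (type, flags, size), access mask, SID."""
    body = struct.pack("<I", mask) + pack_sid(sid)
    return struct.pack("<BBH", 0x00, 0x00, 4 + len(body)) + body

def max_aces(owner, group, ace_sid, limit=SD_LIMIT):
    """Most ACEs shaped like ace_sid that fit in a self-relative SD of `limit` bytes."""
    # 20-byte SD header + owner SID + group SID + 8-byte DACL header, no SACL.
    fixed = 20 + len(pack_sid(owner)) + len(pack_sid(group)) + 8
    return (limit - fixed) // len(pack_ace(ace_sid))

# Constructed sample SIDs; the domain values are made up.
DOMAIN_USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
EVERYONE = "S-1-1-0"
ADMINS = "S-1-5-32-544"

if __name__ == "__main__":
    for sid in (EVERYONE, ADMINS, DOMAIN_USER):
        print(f"{sid:<50} ACE {len(pack_ace(sid)):>2} bytes, "
              f"max {max_aces(DOMAIN_USER, DOMAIN_USER, sid)} ACEs")
```

Under these assumptions the ceiling ranges from 1818 ACEs for five-sub-authority domain SIDs to 3272 for S-1-1-0, so a parser bound expressed as an ACE count admits very different byte totals depending on SID length.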
