Hi Nadezhda:
LOGIN_SID is as described in section 2.4.2.2 of [MS-DTYP], which I am reproducing 
here:

LOGON_ID    S-1-5-5-x-y    A logon session. The X and Y values for these SIDs are 
                           different for each logon session and are recycled when the 
                           operating system is restarted.
This SID is in addition to the user's permanent SID. The permanent SID of the user 
is used for the first ACE, the System SID (S-1-5-18) is used for the second ACE and 
LOGIN_ID (SID) is used for the third ACE in the default DACL.

For the conditions to use the default DACL, both of the conditions should be true, 
so it is an AND.

Does this clarify it for you? Please let me know either way.

Regards,
Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft


-----Original Message-----
From: Nadezhda Ivanova [mailto:[email protected]]
Sent: Tuesday, July 28, 2009 8:32 AM
To: Obaid Farooqi
Cc: [email protected]; [email protected]
Subject: RE: Information needed about security token default ACL

Hi Obaid,
Thank you for clarifying the Token.DefaultDacl issue, just one more question on 
that to be sure:
LOGIN_SID: Generic Read | Generic Execute

Is LOGIN_SID the SID of the user that established the session?

About the conditions when default DACL is used for creating the DACL in the 
security descriptor of the object.
Both conditions must be met in order to use default DACL? It is 1 & 2, not 1 | 2?

Regards,
Nadezhda Ivanova

-----Original Message-----
From: Obaid Farooqi [mailto:[email protected]]
Sent: Tuesday, July 28, 2009 12:05 AM
To: Nadezhda Ivanova
Cc: [email protected]; [email protected]
Subject: RE: Information needed about security token default ACL

Hi Nadezhda:
I have answers to some of your questions. I am providing the answers in a Q&A 
form as follows. My colleague Edgar is researching your questions on Security 
Descriptor Creation algorithm and will contact you with the relevant 
information as appropriate.

Q. So, am I right to understand that this DACL is used when no 
nTSecurityDescriptor is provided by the incoming LDAP add request, and there is 
no defaultSecurityDescriptor for the objectClass.

A. First, let me clarify that nTSecurityDescriptor is a property of an object. 
The security descriptor that is provided by the caller is called 
CreatorDescriptor.

Looking at the algorithm in section "2.5.2.4 ComputeACL" of [MS-DTYP], 
following are the conditions when default DACL is used for creating the DACL in 
the security descriptor of the object:
1. Caller has not provided a security descriptor (CreatorDescriptor)
2. The parent object does not have inheritable ACEs

The role of the defaultSecurityDescriptor will be clarified in the answer to 
the question about security Description Creation algorithm.

Q. If so, how is the Token.DefaultDACL constructed and when? Is this based on 
the user's credentials and how?

A. Default DACL is part of user Access Token. Access Token is created by Local 
Security Authority when user logs on. The Default DACL is a static list of 
ACEs and is not derived from the credentials. The default DACL contains the 
following ACCESS_ALLOWED_ACE_TYPE ACEs:
        SYSTEM:    ALL Access (Generic all) (S-1-5-18)
        Owner:     ALL Access (Generic all)
        LOGIN_SID: Generic Read | Generic Execute


Please let me know if it answers your question. If yes, I'll consider this 
issue resolved.

Regards,
Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft
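The following is an added worked example, not code from the thread, Samba or Microsoft. It models in Python the two points Obaid makes above: the static three-ACE Token.DefaultDACL (SYSTEM S-1-5-18 with GENERIC_ALL, the owner with GENERIC_ALL, the logon-session SID S-1-5-5-X-Y with GENERIC_READ | GENERIC_EXECUTE), and the rule that the default DACL is used only when the caller supplied no CreatorDescriptor AND the parent contributes no inheritable ACEs. The access-mask and ACE-flag constants are the standard [MS-DTYP] values; the `compute_dacl` function is a deliberately simplified stand-in for the real ComputeACL algorithm (it does not merge creator ACEs with inherited ACEs or handle object-specific ACEs) and the SIDs used as input are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Generic access rights from the ACCESS_MASK layout in [MS-DTYP] 2.4.3.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000

# ACE type and inheritance flags from [MS-DTYP] 2.4.4.1.
ACCESS_ALLOWED_ACE_TYPE = 0x00
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10

SYSTEM_SID = "S-1-5-18"  # well-known Local System SID, as quoted in the thread


@dataclass(frozen=True)
class Ace:
    ace_type: int
    flags: int
    mask: int
    sid: str


def logon_sid(x: int, y: int) -> str:
    """Build a logon-session SID S-1-5-5-X-Y ([MS-DTYP] 2.4.2.2 LOGON_ID)."""
    return f"S-1-5-5-{x}-{y}"


def is_logon_sid(sid: str) -> bool:
    """True for S-1-5-5-X-Y, i.e. a per-session SID rather than a permanent user SID."""
    parts = sid.split("-")
    return (len(parts) == 6 and parts[:4] == ["S", "1", "5", "5"]
            and all(p.isdigit() for p in parts[4:]))


def token_default_dacl(owner_sid: str, session_sid: str) -> List[Ace]:
    """The static Token.DefaultDACL described in the thread: SYSTEM, Owner, LOGON SID."""
    return [
        Ace(ACCESS_ALLOWED_ACE_TYPE, 0, GENERIC_ALL, SYSTEM_SID),
        Ace(ACCESS_ALLOWED_ACE_TYPE, 0, GENERIC_ALL, owner_sid),
        Ace(ACCESS_ALLOWED_ACE_TYPE, 0, GENERIC_READ | GENERIC_EXECUTE, session_sid),
    ]


def inheritable_aces(parent_dacl: List[Ace], is_container: bool) -> List[Ace]:
    """ACEs a parent hands to a new child: OBJECT_INHERIT for leaf objects,
    CONTAINER_INHERIT for containers. Inherited copies get INHERITED_ACE set
    and INHERIT_ONLY_ACE cleared, since they now apply to the child itself."""
    wanted = CONTAINER_INHERIT_ACE if is_container else OBJECT_INHERIT_ACE
    out = []
    for ace in parent_dacl:
        if ace.flags & wanted:
            flags = (ace.flags | INHERITED_ACE) & ~INHERIT_ONLY_ACE
            out.append(Ace(ace.ace_type, flags, ace.mask, ace.sid))
    return out


def compute_dacl(creator_dacl: Optional[List[Ace]],
                 parent_dacl: Optional[List[Ace]],
                 default_dacl: List[Ace],
                 is_container: bool = False) -> Tuple[str, List[Ace]]:
    """Simplified (hypothetical) model of the default-DACL decision in ComputeACL.

    Returns (source, dacl). The token default is reached only when BOTH
    conditions from the thread hold: no CreatorDescriptor was supplied and the
    parent has no ACEs that inherit to this kind of child."""
    if creator_dacl is not None:
        return ("creator", list(creator_dacl))
    inherited = inheritable_aces(parent_dacl or [], is_container)
    if inherited:
        return ("inherited", inherited)
    return ("token-default", list(default_dacl))


if __name__ == "__main__":
    # Constructed sample values: a domain user SID and a fresh logon session.
    owner = "S-1-5-21-1000-2000-3000-1105"
    dacl = token_default_dacl(owner, logon_sid(0, 0x3E7))
    for ace in dacl:
        print(f"{ace.sid:30} mask=0x{ace.mask:08X}")
    # Parent with an ACE that only flows to containers; a leaf child gets nothing
    # from it, so the second condition is still met and the token default applies.
    parent = [Ace(ACCESS_ALLOWED_ACE_TYPE, CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE,
                  GENERIC_READ, "S-1-1-0")]
    print(compute_dacl(None, parent, dacl, is_container=False)[0])  # token-default
    print(compute_dacl(None, parent, dacl, is_container=True)[0])   # inherited
```

The `is_container` case shows why the condition is an AND on "inheritable ACEs that actually apply to this child", not merely "the parent has ACEs with inheritance bits set": the same parent yields the token default for a leaf object and an inherited DACL for a container.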

-----Original Message-----
From: Nadezhda Ivanova [mailto:[email protected]]
Sent: Friday, July 17, 2009 7:46 AM
To: Interoperability Documentation Help
Cc: [email protected]; [email protected]
Subject: Information needed about security token default ACL

Hi,

In the course of my work on implementing security descriptor inheritance in the 
Directory service of Samba 4, I came across the following statement in MS-DTYP, 
2.5.2:
"The token also contains an ACL, Token.DefaultDACL, that serves as the DACL 
assigned by default to any objects created by the user. "

So, am I right to understand that this DACL is used when no 
nTSecurityDescriptor is provided by the incoming LDAP add request, and there is 
no defaultSecurityDescriptor for the objectClass?
If so, how is the Token.DefaultDACL constructed and when? Is this based on the 
user's credentials and how?

In addition, I have a question about the security descriptor creation algorithm 
described in MS-DTYP 2.5.2.3.
One of the arguments of CreateSecurityDescriptor is:
CreatorDescriptor: Security descriptor for the new object provided by the 
creator of the object. Caller can pass NULL.

Am I right in understanding that this is either the nTSecurityDescriptor 
attribute provided by the user, or, in the lack thereof, the 
defaultSecurityDescriptor of the object class?

Best Regards,
Nadezhda Ivanova


_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
