Hi Obaid,

Yes, I think this issue is clear. Thank you very much for your help!

Regards,
Nadezhda Ivanova

----- Original Message -----
> From: Obaid Farooqi <[email protected]>
> To: Nadezhda Ivanova <[email protected]>
> Cc: [email protected] <[email protected]>, [email protected] <[email protected]>
> Sent: Wednesday, July 29, 2009 2:14:06 AM GMT+0200 Europe;Athens
> Subject: RE: Information needed about security token default ACL
>
> Hi Nadezhda:
> LOGIN_SID is as described in section 2.4.2.2 of [MS-DTYP], which I am
> reproducing here:
>
> LOGON_ID   S-1-5-5-x-y   A logon session. The X and Y values for these
>                          SIDs are different for each logon session and
>                          are recycled when the operating system is restarted.
>
> This SID is in addition to the user's permanent SID. The permanent SID
> of the user is used for the first ACE, the System SID (S-1-5-18) is used for
> the second ACE and LOGIN_ID (SID) is used for the third ACE in the default
> DACL.
>
> For the conditions to use the default DACL, both of the conditions should
> be true, so it is an AND.
>
> Does this clarify it for you? Please let me know either way.
>
> Regards,
> Obaid Farooqi
> Sr. Support Escalation Engineer | Microsoft
>
>
> -----Original Message-----
> From: Nadezhda Ivanova [mailto:[email protected]]
> Sent: Tuesday, July 28, 2009 8:32 AM
> To: Obaid Farooqi
> Cc: [email protected]; [email protected]
> Subject: RE: Information needed about security token default ACL
>
> Hi Obaid,
> Thank you for clarifying the Token.DefaultDacl issue, just one more
> question on that to be sure:
> LOGIN_SID: Generic Read | Generic Execute
>
> Is LOGIN_SID the SID of the user that established the session?
>
> About the conditions when the default DACL is used for creating the DACL
> in the security descriptor of the object:
> Both conditions must be met in order to use the default DACL? It is 1 & 2,
> not 1 | 2?
>
> Regards,
> Nadezhda Ivanova
>
> -----Original Message-----
> From: Obaid Farooqi [mailto:[email protected]]
> Sent: Tuesday, July 28, 2009 12:05 AM
> To: Nadezhda Ivanova
> Cc: [email protected]; [email protected]
> Subject: RE: Information needed about security token default ACL
>
> Hi Nadezhda:
> I have answers to some of your questions. I am providing the answers
> in a Q&A form as follows. My colleague Edgar is researching your
> questions on the Security Descriptor Creation algorithm and will contact
> you with the relevant information as appropriate.
>
> Q. So, am I right to understand that this DACL is used when no
> nTSecurityDescriptor is provided by the incoming LDAP add request, and
> there is no defaultSecurityDescriptor for the objectClass?
>
> A. First, let me clarify that nTSecurityDescriptor is a property of an
> object. The security descriptor that is provided by the caller is
> called CreatorDescriptor.
>
> Looking at the algorithm in section "2.5.2.4 ComputeACL" of [MS-DTYP],
> the following are the conditions when the default DACL is used for creating
> the DACL in the security descriptor of the object:
> 1. The caller has not provided a security descriptor (CreatorDescriptor).
> 2. The parent object does not have inheritable ACEs.
>
> The role of the defaultSecurityDescriptor will be clarified in the
> answer to the question about the Security Descriptor Creation algorithm.
>
> Q. If so, how is the Token.DefaultDACL constructed and when? Is this
> based on the user's credentials and how?
>
> A. The Default DACL is part of the user's Access Token. The Access Token is
> created by the Local Security Authority when the user logs on. The Default
> DACL is a static list of ACEs and is not derived from the credentials. The
> default DACL contains the following ACCESS_ALLOWED_ACE_TYPE ACEs:
> SYSTEM: ALL Access (Generic all) (S-1-5-18)
> Owner: ALL Access (Generic all)
> LOGIN_SID: Generic Read | Generic Execute
>
>
> Please let me know if it answers your question. If yes, I'll
> consider this issue resolved.
>
> Regards,
> Obaid Farooqi
> Sr. Support Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Nadezhda Ivanova [mailto:[email protected]]
> Sent: Friday, July 17, 2009 7:46 AM
> To: Interoperability Documentation Help
> Cc: [email protected]; [email protected]
> Subject: Information needed about security token default ACL
>
> Hi,
>
> In the course of my work in implementing security descriptor
> inheritance in the Directory service of Samba 4, I came across the
> following statement in MS-DTYP, 2.5.2:
> "The token also contains an ACL, Token.DefaultDACL, that serves as the
> DACL assigned by default to any objects created by the user."
>
> So, am I right to understand that this DACL is used when no
> nTSecurityDescriptor is provided by the incoming LDAP add request, and
> there is no defaultSecurityDescriptor for the objectClass?
> If so, how is the Token.DefaultDACL constructed and when? Is this
> based on the user's credentials and how?
>
> In addition, I have a question about the security descriptor creation
> algorithm described in MS-DTYP 2.5.2.3.
> One of the arguments of CreateSecurityDescriptor is:
> CreatorDescriptor: Security descriptor for the new object provided by
> the creator of the object. Caller can pass NULL.
>
> Am I right in understanding that this is either the
> nTSecurityDescriptor attribute provided by the user, or, in the lack
> thereof, the defaultSecurityDescriptor of the object class?
>
> Best Regards,
> Nadezhda Ivanova

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
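As an added illustration (not Samba's code and not the [MS-DTYP] ComputeACL algorithm itself), the following Python models the two points settled in the thread: the three-ACE Token.DefaultDacl that Obaid lists, rendered in SDDL, and the fallback condition as an AND of "no CreatorDescriptor" and "no inheritable ACEs in the parent". The access-mask and ACE-flag constants are the standard Windows values; the owner and logon SIDs used in the comments and tests are constructed.

```python
# Added illustration of the thread's two points, not Samba's or Microsoft's code:
# the three-ACE Token.DefaultDacl and the AND of the two ComputeACL conditions.
from dataclasses import dataclass

SYSTEM_SID = "S-1-5-18"            # Local System, quoted in the thread
GENERIC_READ = 0x80000000          # generic access-mask bits
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
OBJECT_INHERIT_ACE = 0x01          # ACE inheritance flags
CONTAINER_INHERIT_ACE = 0x02
INHERIT_FLAGS = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
_SDDL_RIGHTS = [(GENERIC_ALL, "GA"), (GENERIC_READ, "GR"),
                (GENERIC_WRITE, "GW"), (GENERIC_EXECUTE, "GX")]
_SDDL_FLAGS = [(OBJECT_INHERIT_ACE, "OI"), (CONTAINER_INHERIT_ACE, "CI")]

@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    flags: int = 0                 # inheritance flags; 0 means not inheritable

def is_logon_sid(sid: str) -> bool:
    """LOGON_ID SIDs have the form S-1-5-5-X-Y (MS-DTYP 2.4.2.2)."""
    p = sid.split("-")
    return len(p) == 6 and p[:4] == ["S", "1", "5", "5"] and all(x.isdigit() for x in p[4:])

def default_dacl(owner_sid: str, logon_sid: str) -> list:
    """Token.DefaultDacl as described in the thread: SYSTEM GA, owner GA, logon SID GR|GX."""
    if not is_logon_sid(logon_sid):
        raise ValueError(f"{logon_sid} is not a logon SID")
    return [Ace(SYSTEM_SID, GENERIC_ALL),
            Ace(owner_sid, GENERIC_ALL),
            Ace(logon_sid, GENERIC_READ | GENERIC_EXECUTE)]

def to_sddl(dacl: list) -> str:
    """Render a DACL in SDDL; only SYSTEM gets its two-letter alias here."""
    def ace_str(a: Ace) -> str:
        flags = "".join(tag for bit, tag in _SDDL_FLAGS if a.flags & bit)
        rights = "".join(tag for bit, tag in _SDDL_RIGHTS if a.mask & bit)
        sid = "SY" if a.sid == SYSTEM_SID else a.sid
        return f"(A;{flags};{rights};;;{sid})"
    return "D:" + "".join(ace_str(a) for a in dacl)

def uses_default_dacl(creator_descriptor, parent_dacl) -> bool:
    """Fall back to Token.DefaultDacl only when BOTH hold (1 & 2, not 1 | 2):
    1. the caller passed no CreatorDescriptor, and
    2. the parent object has no inheritable ACEs."""
    no_creator = creator_descriptor is None
    no_inheritable = not any(a.flags & INHERIT_FLAGS for a in (parent_dacl or []))
    return no_creator and no_inheritable
```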
