Nadya,

  Active Directory is supposed to apply the requirements to any security 
descriptors maintained by a DC, as described in section 7.1.3. ACE ordering is 
one of the requirements. If forest functional level is DS_BEHAVIOR_WIN2003 and 
fDontStandardizeSDs is false, the ACEs in the ACLs will be sorted by the DC using 
the ACE ordering rule in 7.1.3.1 MS-ADTS. This enforcement should happen 
either when a new object is created or when an LDAP modify on the security descriptor 
is done. If the ACE reordering cannot be done for some reason, there will be 
no LDAP error returned, and the order of explicit ACEs supplied by the client 
is preserved. 

 You are running the test against Windows 2008 and by default fDontStandardizeSDs 
should be zero. So the ACE reordering should happen. Could you send me 
(1) the LDAP command you used to create the group, 
(2) the SD you provided, and 
(3) the dump of the SD finally set on the group object? 
I will investigate to find the reason why reordering is not happening. 

I am working on the clarification for the section of 7.1.3.1 based on two of 
your questions.  I will let you know.

Thanks!

Hongwei
 

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Nadezhda Ivanova
Sent: Thursday, April 15, 2010 8:22 AM
To: Interoperability Documentation Help
Cc: [email protected]
Subject: [cifs-protocol] Questions regarding 7.1.3.1 ACE Ordering Rules

Hello,
I was running some tests against a Windows 2008 server; forest functional level 
and domain functional level are both 2008. I created a group via LDAP and 
provided a security descriptor with ACEs deliberately scrambled, e.g. Deny 
before Allow, Object Specific before Regular. I did not get an LDAP error, the 
group was successfully created, but the SD looked the way I provided it, that 
is, not according to the rules described in this section. Can you explain why 
this happens? What behavior should I expect: is Windows supposed to sort them, 
return an error, sort them later, or sort them when a recalculate hierarchy request is 
sent?

In addition:
What is ACE canonical form?
In the sentence: "The next rule is only applied if the previous rule(s) give 
inconclusive results" - what would constitute an inconclusive result? 

Best Regards,
Nadya
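As an added illustration, not part of this thread, here is a small Python checker and
sorter for the ordering rule Hongwei describes. The bucket order it encodes (explicit before
inherited, Deny before Allow, regular before object-specific) is my reading of MS-ADTS
7.1.3.1, and the SIDs and the scrambled DACL are constructed sample data.

```python
# Added example: check and standardize DACL ACE order per MS-ADTS 7.1.3.1 (my reading).
from dataclasses import dataclass

# ACE type values and the INHERITED_ACE flag come from MS-DTYP ACE_HEADER.
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
INHERITED_ACE = 0x10  # AceFlags bit set on ACEs propagated from a parent object

DENY_TYPES = {ACCESS_DENIED_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE}
OBJECT_TYPES = {ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE}

@dataclass(frozen=True)
class Ace:
    ace_type: int
    ace_flags: int
    trustee: str  # SID string; the values below are constructed for the demo

def canonical_key(ace):
    """Sort key for the rule chain. A later element is only consulted when the
    earlier ones tie, which is what 'inconclusive result' means in the spec:
    explicit before inherited, Deny before Allow, regular before object-specific."""
    inherited = bool(ace.ace_flags & INHERITED_ACE)
    is_allow = ace.ace_type not in DENY_TYPES
    is_object = ace.ace_type in OBJECT_TYPES
    return (inherited, is_allow, is_object)

def first_violation(dacl):
    """Index of the first ACE whose successor should have preceded it, else None."""
    keys = [canonical_key(a) for a in dacl]
    for i in range(len(keys) - 1):
        if keys[i] > keys[i + 1]:
            return i
    return None

def is_canonical(dacl):
    return first_violation(dacl) is None

def standardize(dacl):
    """What a DC with fDontStandardizeSDs == 0 is expected to do. The sort is stable,
    so the client's relative order inside each bucket is preserved."""
    return sorted(dacl, key=canonical_key)

# Constructed DACL scrambled the way the question describes (Allow before Deny,
# object-specific before regular, and an inherited ACE mixed into the explicit ones).
SCRAMBLED = [
    Ace(ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, "S-1-5-21-EXAMPLE-1"),
    Ace(ACCESS_ALLOWED_ACE_TYPE, INHERITED_ACE, "S-1-5-32-544"),
    Ace(ACCESS_DENIED_OBJECT_ACE_TYPE, 0, "S-1-5-21-EXAMPLE-2"),
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0, "S-1-5-21-EXAMPLE-3"),
    Ace(ACCESS_DENIED_ACE_TYPE, 0, "S-1-5-21-EXAMPLE-4"),
]
```

Comparing `standardize(SCRAMBLED)` with the DACL actually read back from the server is the check Hongwei asks for in item (3): if they differ, the DC did not reorder.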
 
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
