Nadya,

Thanks for reporting this issue to Microsoft. We confirmed that the behavior you observed is expected. A technical document issue was filed to clarify the algorithm for creating a security descriptor when the creator security descriptor supplies a protected DACL and ACEs with INHERITED_ACE. The product team is working on the details of updating the relevant algorithm either in MS-DTYP or MS-ADTS, whichever is appropriate. As an informative reference, Chapter 8 of Windows Internals (4th edition, 2004), which provides an overview of the rules for creating security descriptors, can be consulted on this behavior.

Best regards,
Edgar

From: Edgar Olougouna
Sent: Thursday, February 10, 2011 4:25 PM
To: '[email protected]'; [email protected]
Subject: RE: Question about MS-DTYP 2.5.3.4 Algorithm for Creating a Security Descriptor

Nadya,

I am researching this and will update you as soon as I have news.

Regards,
Edgar

From: [email protected] [mailto:[email protected]] On Behalf Of Nadezhda Ivanova
Sent: Wednesday, February 09, 2011 8:04 AM
To: Interoperability Documentation Help; [email protected]
Subject: Question about MS-DTYP 2.5.3.4 Algorithm for Creating a Security Descriptor

Hi,

I have a question regarding 2.5.3.4 Algorithm for Creating a Security Descriptor. It is said there that any ACEs provided by the user that contain the INHERITED_ACE flag are not included in the final SD assigned to the object, and in the algorithm they are also disregarded. This is indeed the behavior I observed. I created a group, providing this security descriptor during creation:

"D:(A;ID;WP;;;AU)"

When I read the SD of the object back, it read:

O:DAG:DUD:AIS:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

It had no DACL, as expected. However, when I performed the same test with a very small change, creating the object with this SD:

"D:P(A;ID;WP;;;AU)"

The resulting SD is:

O:DAG:DUD:PAI(A;;WP;;;AU)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

So, it turns out that ACEs with the INHERITED_ACE flag provided by the user are not ignored if we break the inheritance at that object. I haven't found in the docs where this is specified, however. Is this a desired behavior? I am testing against win2003R2.

Regards,
Nadya
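As an added illustration (not part of the thread, and not Samba or Microsoft code), a small Python model of the creator-side filtering that Nadya's two tests show: an ACE carrying the ID flag is dropped from an unprotected creator DACL, but survives with the ID flag cleared when the DACL is marked P. It models only the D: component and assumes a parent that contributes no DACL ACEs, which matches the thread's tests.

```python
import re

# Minimal SDDL DACL parser for the D: component and its ACEs.
# Assumptions for this example: one D: component, two-letter ACE flag tokens.
DACL_RE = re.compile(r"D:(?P<ctrl>(?:P|AI|AR)*)(?P<aces>(?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
FIELDS = ("type", "flags", "rights", "object_type", "inherited_object_type", "sid")


def ace_flags(flag_str):
    """Split an SDDL ACE flag string such as 'CIIOIDSA' into two-letter tokens."""
    return [flag_str[i:i + 2] for i in range(0, len(flag_str), 2)]


def parse_dacl(sddl):
    """Return (control_flags, list_of_ace_dicts) for the D: component, or ('', [])."""
    m = DACL_RE.search(sddl)
    if not m:
        return "", []
    aces = [dict(zip(FIELDS, a.groups())) for a in ACE_RE.finditer(m.group("aces"))]
    return m.group("ctrl"), aces


def apply_creator_dacl(creator_sddl):
    """Model the creator-side rule the thread observed on Windows Server 2003 R2.

    Parent inheritance is not modeled (assumption: the parent contributes no DACL
    ACEs, as in the thread, where the unprotected case yielded no DACL at all).
    Returns the resulting D: component as SDDL, or '' when no DACL results.
    """
    ctrl, aces = parse_dacl(creator_sddl)
    protected = "P" in ctrl
    kept = []
    for ace in aces:
        flags = ace_flags(ace["flags"])
        if "ID" in flags:
            if not protected:
                continue          # MS-DTYP 2.5.3.4: creator ACEs marked ID are dropped
            flags.remove("ID")    # protected DACL: the ACE survives, ID flag cleared
        kept.append(dict(ace, flags="".join(flags)))
    if not kept:
        return ""
    # The server marks the result auto-inherited (AI), as seen in the thread's output.
    body = "".join("(" + ";".join(a[f] for f in FIELDS) + ")" for a in kept)
    return "D:" + ("P" if protected else "") + "AI" + body


if __name__ == "__main__":
    for sd in ("D:(A;ID;WP;;;AU)", "D:P(A;ID;WP;;;AU)"):
        print(sd, "->", repr(apply_creator_dacl(sd)))
```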
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
