On 23/12/2009 00:47, Hongwei Sun wrote:
Matthieu,

    Your summary is a good recap of what we have done on this topic.   I have 
one clarification for the point below.

         * All ACEs for allowed objects are wiped out when "translating" AD ACL 
to File ACL

        When translating an ACL for a DS object to an ACL for a SYSVOL file object,  
the ACEs with types of ACCESS_ALLOWED_OBJECT_ACE_TYPE, 
ACCESS_DENIED_OBJECT_ACE_TYPE and SYSTEM_AUDIT_OBJECT_ACE_TYPE are not really 
deleted from the ACL.  Instead, for such an ACE, the access mask in AceHeader is 
assigned to zero.
Yeah, I meant that when "translating" an AD ACL to a file ACL we do not care about it: for all those ACCESS_ALLOWED_OBJECT_ACE_TYPE in the AD, no corresponding ACE is created.


    Sebastian will follow up with you on your question regarding documenting 
the logic for ACE OI and CI flags.

Thanks!

Hongwei

-----Original Message-----
From: Matthieu Patou [mailto:mat+informatique.sa...@matws.net]
Sent: Friday, December 18, 2009 4:01 PM
To: Sebastian Canevari
Cc: Hongwei Sun; Interoperability Documentation Help; cifs-proto...@samba.org
Subject: Re: FW: [cifs-protocol] Group Policy questions

Hello Sebastian and Hongwei,

Sorry for being silent on this.

So if I try to sum up we agreed that:

* in order to allow modification of the ACL on files, sdeffectiverights must
have the flag DACL_SECURITY_INFORMATION set, and the ACL must have
SE_DACL_PROTECTED set in the control flags.
* in order to avoid a warning message, the ACL of the Policy object must be
synchronized with the ACL on the files, following this logic for the translation:


        The specific rights in the access mask for an Active Directory object
are defined in 5.1.3.2 of MS-ADTS as follows.

            #define RIGHT_DS_CREATE_CHILD                   0x00000001
            #define RIGHT_DS_DELETE_CHILD                   0x00000002
            #define RIGHT_DS_LIST_CONTENTS                  0x00000004
            #define ACTRL_DS_SELF                           0x00000008
            #define RIGHT_DS_READ_PROPERTY                  0x00000010
            #define RIGHT_DS_WRITE_PROPERTY                 0x00000020
            #define RIGHT_DS_DELETE_TREE                    0x00000040
            #define RIGHT_DS_LIST_OBJECT                    0x00000080
            #define RIGHT_DS_CONTROL_ACCESS                 0x00000100

        The specific rights in the access mask for a file or directory object
    are defined as
    (http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx )

            #define FILE_READ_DATA            ( 0x0001 )
            #define FILE_LIST_DIRECTORY       ( 0x0001 )
            #define FILE_WRITE_DATA           ( 0x0002 )
            #define FILE_ADD_FILE             ( 0x0002 )
            #define FILE_APPEND_DATA          ( 0x0004 )
            #define FILE_ADD_SUBDIRECTORY     ( 0x0004 )
            #define FILE_CREATE_PIPE_INSTANCE ( 0x0004 )
            #define FILE_READ_EA              ( 0x0008 )
            #define FILE_WRITE_EA             ( 0x0010 )
            #define FILE_EXECUTE              ( 0x0020 )
            #define FILE_TRAVERSE             ( 0x0020 )
            #define FILE_DELETE_CHILD         ( 0x0040 )
            #define FILE_READ_ATTRIBUTES      ( 0x0080 )
            #define FILE_WRITE_ATTRIBUTES     ( 0x0100 )

       The generic access rights that are common to all objects are

            #define DELETE                    (0x00010000L)
            #define READ_CONTROL              (0x00020000L)
            #define WRITE_DAC                 (0x00040000L)
            #define WRITE_OWNER               (0x00080000L)
            #define SYNCHRONIZE               (0x00100000L)
            #define STANDARD_RIGHTS_ALL       (0x001F0000L)


        The following logic is used by GPMC to convert an access mask for a
DS object to an access mask for SYSVOL.

         DSAccessMask as Input;
         SYSVOLAccessMask as Output;

         SYSVOLAccessMask  = DSAccessMask;
         SYSVOLAccessMask &= STANDARD_RIGHTS_ALL;

         if ((DSAccessMask & RIGHT_DS_READ_PROPERTY) &&
             (DSAccessMask & RIGHT_DS_LIST_CONTENTS))
             SYSVOLAccessMask |= (SYNCHRONIZE | FILE_LIST_DIRECTORY |
                                  FILE_READ_ATTRIBUTES | FILE_READ_EA |
                                  FILE_READ_DATA | FILE_EXECUTE);

         if (DSAccessMask & RIGHT_DS_WRITE_PROPERTY)
             SYSVOLAccessMask |= (SYNCHRONIZE | FILE_WRITE_DATA |
                                  FILE_APPEND_DATA | FILE_WRITE_EA |
                                  FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |
                                  FILE_ADD_SUBDIRECTORY);

         if (DSAccessMask & RIGHT_DS_CREATE_CHILD)
             SYSVOLAccessMask |= (FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE);

         if (DSAccessMask & RIGHT_DS_DELETE_CHILD)
             SYSVOLAccessMask |= FILE_DELETE_CHILD;


* All ACEs for allowed objects are wiped out when "translating" AD ACL to
File ACL
* For the following ACE types, the OI and CI flags are always set in the
resulting file ACE:

ACCESS_ALLOWED_ACE_TYPE
ACCESS_DENIED_ACE_TYPE
SYSTEM_AUDIT_ACE_TYPE



Am I right ?

For the parts that are "hardcoded" like this, will it change any time soon?
Also, do you plan to document this in any kind of document? If so,
which and when?



Regards.
Matthieu.
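The GPMC mask-translation logic quoted in the thread, carried through as a runnable added example (this is not code from the thread, GPMC or Samba). The DS, file and standard-rights values are the ones listed above; the ACE type numbers and the OBJECT_INHERIT_ACE / CONTAINER_INHERIT_ACE flag values are the standard winnt.h constants and are not in the thread. The per-ACE handling follows the two statements made here: non-object ACE types get OI and CI set and their mask translated, while the three object ACE types keep an ACE with an access mask of zero (Hongwei's clarification); what happens to the flags of such a zero-mask ACE is not stated, so `sysvol_ace_flags` passing them through unchanged is an assumption. The sample ACL in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* DS-specific rights, MS-ADTS 5.1.3.2 (values as quoted in the thread) */
#define RIGHT_DS_CREATE_CHILD   0x00000001u
#define RIGHT_DS_DELETE_CHILD   0x00000002u
#define RIGHT_DS_LIST_CONTENTS  0x00000004u
#define RIGHT_DS_READ_PROPERTY  0x00000010u
#define RIGHT_DS_WRITE_PROPERTY 0x00000020u

/* File / directory specific rights (values as quoted in the thread) */
#define FILE_READ_DATA        0x0001u
#define FILE_LIST_DIRECTORY   0x0001u
#define FILE_WRITE_DATA       0x0002u
#define FILE_ADD_FILE         0x0002u
#define FILE_APPEND_DATA      0x0004u
#define FILE_ADD_SUBDIRECTORY 0x0004u
#define FILE_READ_EA          0x0008u
#define FILE_WRITE_EA         0x0010u
#define FILE_EXECUTE          0x0020u
#define FILE_DELETE_CHILD     0x0040u
#define FILE_READ_ATTRIBUTES  0x0080u
#define FILE_WRITE_ATTRIBUTES 0x0100u

/* Standard rights common to all objects */
#define READ_CONTROL        0x00020000u
#define SYNCHRONIZE         0x00100000u
#define STANDARD_RIGHTS_ALL 0x001F0000u

/* ACE types and inheritance flags: standard winnt.h values, not from the thread */
#define ACCESS_ALLOWED_ACE_TYPE        0x00
#define ACCESS_DENIED_ACE_TYPE         0x01
#define SYSTEM_AUDIT_ACE_TYPE          0x02
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE 0x05
#define ACCESS_DENIED_OBJECT_ACE_TYPE  0x06
#define SYSTEM_AUDIT_OBJECT_ACE_TYPE   0x07
#define OBJECT_INHERIT_ACE    0x01
#define CONTAINER_INHERIT_ACE 0x02

/* The GPMC conversion from a DS access mask to a SYSVOL (file) access mask. */
uint32_t ds_to_sysvol_mask(uint32_t ds)
{
    /* Only the standard rights survive as-is; DS-specific bits are dropped
       and re-expressed as file rights by the rules below. */
    uint32_t out = ds & STANDARD_RIGHTS_ALL;

    /* Read needs BOTH read-property and list-contents; one alone maps to nothing. */
    if ((ds & RIGHT_DS_READ_PROPERTY) && (ds & RIGHT_DS_LIST_CONTENTS))
        out |= SYNCHRONIZE | FILE_LIST_DIRECTORY | FILE_READ_ATTRIBUTES |
               FILE_READ_EA | FILE_READ_DATA | FILE_EXECUTE;

    if (ds & RIGHT_DS_WRITE_PROPERTY)
        out |= SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA |
               FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY;

    if (ds & RIGHT_DS_CREATE_CHILD)
        out |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE;

    if (ds & RIGHT_DS_DELETE_CHILD)
        out |= FILE_DELETE_CHILD;

    return out;
}

/* True for the three object-specific ACE types named in the thread. */
int is_object_ace_type(uint8_t type)
{
    return type == ACCESS_ALLOWED_OBJECT_ACE_TYPE ||
           type == ACCESS_DENIED_OBJECT_ACE_TYPE ||
           type == SYSTEM_AUDIT_OBJECT_ACE_TYPE;
}

/* Access mask of the resulting file ACE: zero for object ACEs, translated otherwise. */
uint32_t sysvol_ace_mask(uint8_t type, uint32_t ds_mask)
{
    return is_object_ace_type(type) ? 0u : ds_to_sysvol_mask(ds_mask);
}

/* AceFlags of the resulting file ACE: OI and CI are always set for the
   non-object types; flags of a zeroed object ACE are passed through (assumption). */
uint8_t sysvol_ace_flags(uint8_t type, uint8_t ds_flags)
{
    if (is_object_ace_type(type))
        return ds_flags;
    return (uint8_t)(ds_flags | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
}

int main(void)
{
    /* Constructed sample DACL on a Policy object: {type, flags, mask} */
    struct { uint8_t type; uint8_t flags; uint32_t mask; } acl[] = {
        { ACCESS_ALLOWED_ACE_TYPE, 0x00, READ_CONTROL | RIGHT_DS_READ_PROPERTY | RIGHT_DS_LIST_CONTENTS },
        { ACCESS_ALLOWED_ACE_TYPE, 0x00, RIGHT_DS_WRITE_PROPERTY | RIGHT_DS_CREATE_CHILD },
        { ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0x00, RIGHT_DS_READ_PROPERTY },
    };
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++)
        printf("DS ACE type=%u mask=0x%08x -> file ACE flags=0x%02x mask=0x%08x\n",
               acl[i].type, acl[i].mask,
               sysvol_ace_flags(acl[i].type, acl[i].flags),
               sysvol_ace_mask(acl[i].type, acl[i].mask));
    return 0;
}
```

The asymmetry worth noticing when checking a synchronized SYSVOL ACL is that RIGHT_DS_READ_PROPERTY on its own produces no file rights at all: only the combination with RIGHT_DS_LIST_CONTENTS yields the read set, whereas RIGHT_DS_WRITE_PROPERTY alone is enough to grant the full write set including FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY.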


_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
