On 23/12/2009 00:47, Hongwei Sun wrote:
Matthieu,
Your summary is a good recap of what we have done on this topic. I have
one clarification for the point below.
* All ACEs for allowed object are wiped out when "translating" AD ACL
to File ACL
When translating a ACL for DS object to a ACL for SYSVOL file object,
the ACEs with types of ACCESS_ALLOWED_OBJECT_ACE_TYPE,
ACCESS_DENIED_OBJECT_ACE_TYPE and SYSTEM_AUDIT_OBJECT_ACE_TYPE are not really
deleted from the ACL. Instead, for such an ACE, the access mask in the AceHeader is
assigned to zero.
Yeah, I meant that when "translating" an AD ACL to a file ACL we do not
care about it: for all those ACCESS_ALLOWED_OBJECT_ACE_TYPE in the AD no
corresponding ACE is created.
Sebastian will follow up with you on your question regarding documenting
the logic for ACE OI and CI flags.
Thanks!
Hongwei
-----Original Message-----
From: Matthieu Patou [mailto:mat+informatique.sa...@matws.net]
Sent: Friday, December 18, 2009 4:01 PM
To: Sebastian Canevari
Cc: Hongwei Sun; Interoperability Documentation Help; cifs-proto...@samba.org
Subject: Re: FW: [cifs-protocol] Group Policy questions
Hello Sebastian and Hongwei,
Sorry for being silent on this.
So if I try to sum up we agreed that:
* in order to allow modification of ACL on files sdeffectiverights must
have the flag DACL_SECURITY_INFORMATION set, and the ACL must have the
SE_DACL_PROTECTED set in the control flags.
* in order to avoid a warning message ACL of Policy object must be
synchronized with ACL in the files following this logic for the translation:
The specific rights in access mask for Active Directory object
are defined in 5.1.3.2 of MS-ADTS as follows.
#define RIGHT_DS_CREATE_CHILD 0x00000001
#define RIGHT_DS_DELETE_CHILD 0x00000002
#define RIGHT_DS_LIST_CONTENTS 0x00000004
#define ACTRL_DS_SELF 0x00000008
#define RIGHT_DS_READ_PROPERTY 0x00000010
#define RIGHT_DS_WRITE_PROPERTY 0x00000020
#define RIGHT_DS_DELETE_TREE 0x00000040
#define RIGHT_DS_LIST_OBJECT 0x00000080
#define RIGHT_DS_CONTROL_ACCESS 0x00000100
The specific rights in access mask for a file or directory object
are defined as
(http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx )
#define FILE_READ_DATA ( 0x0001 )
#define FILE_LIST_DIRECTORY ( 0x0001 )
#define FILE_WRITE_DATA ( 0x0002 )
#define FILE_ADD_FILE ( 0x0002 )
#define FILE_APPEND_DATA ( 0x0004 )
#define FILE_ADD_SUBDIRECTORY ( 0x0004 )
#define FILE_CREATE_PIPE_INSTANCE ( 0x0004 )
#define FILE_READ_EA ( 0x0008 )
#define FILE_WRITE_EA ( 0x0010 )
#define FILE_EXECUTE ( 0x0020 )
#define FILE_TRAVERSE ( 0x0020 )
#define FILE_DELETE_CHILD ( 0x0040 )
#define FILE_READ_ATTRIBUTES ( 0x0080 )
#define FILE_WRITE_ATTRIBUTES ( 0x0100 )
The generic access rights that are common to all objects are
#define DELETE (0x00010000L)
#define READ_CONTROL (0x00020000L)
#define WRITE_DAC (0x00040000L)
#define WRITE_OWNER (0x00080000L)
#define SYNCHRONIZE (0x00100000L)
#define STANDARD_RIGHTS_ALL (0x001F0000L)
The following logic is used by GPMC to convert an access mask for a
DS object to an access mask for SYSVOL.
DSAccessMask as Input;
SYSVOLAccessMask as Output;
SYSVOLAccessMask = DSAccessMask;
SYSVOLAccessMask &= STANDARD_RIGHTS_ALL;
if ((DSAccessMask & RIGHT_DS_READ_PROPERTY) AND
    (DSAccessMask & RIGHT_DS_LIST_CONTENTS))
    SYSVOLAccessMask |= (SYNCHRONIZE | FILE_LIST_DIRECTORY |
                         FILE_READ_ATTRIBUTES | FILE_READ_EA |
                         FILE_READ_DATA | FILE_EXECUTE);
if (DSAccessMask & RIGHT_DS_WRITE_PROPERTY)
    SYSVOLAccessMask |= (SYNCHRONIZE | FILE_WRITE_DATA |
                         FILE_APPEND_DATA | FILE_WRITE_EA |
                         FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |
                         FILE_ADD_SUBDIRECTORY);
if (DSAccessMask & RIGHT_DS_CREATE_CHILD)
    SYSVOLAccessMask |= (FILE_ADD_SUBDIRECTORY |
                         FILE_ADD_FILE);
if (DSAccessMask & RIGHT_DS_DELETE_CHILD)
    SYSVOLAccessMask |= FILE_DELETE_CHILD;
* All ACEs for allowed object are wiped out when "translating" AD ACL to
File ACL
* For the following ACE OI and CI flags are always set in the resulting
file ACE:
ACCESS_ALLOWED_ACE_TYPE
ACCESS_DENIED_ACE_TYPE
SYSTEM_AUDIT_ACE_TYPE
Am I right ?
For the parts that are "hardcoded" like this, will it change any time soon?
Also, do you plan to document this in any kind of document? If so,
which and when?
Regards.
Matthieu.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
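The GPMC translation discussed in the thread, carried into working C as an added example (not code from the thread, Microsoft or Samba): the mask mapping quoted by Matthieu plus the two ACE rules Hongwei confirms (object ACEs kept with a zeroed mask, OI and CI always set on the three plain ACE types). The DS and file right values are the ones quoted in the thread; the ACE type and inheritance flag values are the standard Windows constants and the struct ace model is a hypothetical simplification, both assumptions.

```c
#include <stdint.h>

/* Constants from the thread (MS-ADTS 5.1.3.2 and winnt.h file rights). */
enum { RIGHT_DS_CREATE_CHILD = 0x01, RIGHT_DS_DELETE_CHILD = 0x02,
       RIGHT_DS_LIST_CONTENTS = 0x04, RIGHT_DS_READ_PROPERTY = 0x10,
       RIGHT_DS_WRITE_PROPERTY = 0x20 };
enum { FILE_READ_DATA = 0x01, FILE_LIST_DIRECTORY = 0x01, FILE_WRITE_DATA = 0x02,
       FILE_ADD_FILE = 0x02, FILE_APPEND_DATA = 0x04, FILE_ADD_SUBDIRECTORY = 0x04,
       FILE_READ_EA = 0x08, FILE_WRITE_EA = 0x10, FILE_EXECUTE = 0x20,
       FILE_DELETE_CHILD = 0x40, FILE_READ_ATTRIBUTES = 0x80,
       FILE_WRITE_ATTRIBUTES = 0x100, READ_CONTROL = 0x00020000,
       SYNCHRONIZE = 0x00100000, STANDARD_RIGHTS_ALL = 0x001F0000 };
/* ACE header values: standard Windows constants, assumed, not in the thread. */
enum { ACCESS_ALLOWED_ACE_TYPE = 0, ACCESS_DENIED_ACE_TYPE = 1,
       SYSTEM_AUDIT_ACE_TYPE = 2, OBJECT_INHERIT_ACE = 0x01,
       CONTAINER_INHERIT_ACE = 0x02 };
/* The GPMC mask translation quoted in the thread, as working C. */
uint32_t ds_mask_to_sysvol_mask(uint32_t ds)
{
    uint32_t sv = ds & STANDARD_RIGHTS_ALL; /* DS-specific bits never carry over */
    if ((ds & RIGHT_DS_READ_PROPERTY) && (ds & RIGHT_DS_LIST_CONTENTS))
        sv |= SYNCHRONIZE | FILE_LIST_DIRECTORY | FILE_READ_ATTRIBUTES |
              FILE_READ_EA | FILE_READ_DATA | FILE_EXECUTE;
    if (ds & RIGHT_DS_WRITE_PROPERTY)
        sv |= SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA |
              FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY;
    if (ds & RIGHT_DS_CREATE_CHILD)
        sv |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE;
    if (ds & RIGHT_DS_DELETE_CHILD)
        sv |= FILE_DELETE_CHILD;
    return sv;
}

struct ace { uint8_t type; uint8_t flags; uint32_t mask; }; /* hypothetical model */

/* Translate one DS ACE into the file ACE GPMC writes. Returns 1 for the three
 * plain ACE types; object ACEs stay in the ACL with a zero mask (they grant
 * nothing on SYSVOL) and keep their flags, since the thread does not say. */
int ds_ace_to_sysvol_ace(const struct ace *in, struct ace *out)
{
    out->type = in->type;
    out->flags = in->flags;
    out->mask = 0;
    if (in->type != ACCESS_ALLOWED_ACE_TYPE && in->type != ACCESS_DENIED_ACE_TYPE &&
        in->type != SYSTEM_AUDIT_ACE_TYPE)
        return 0;
    out->flags |= OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE; /* OI and CI always set */
    out->mask = ds_mask_to_sysvol_mask(in->mask);
    return 1;
}
```

A DS mask with RIGHT_DS_READ_PROPERTY but without RIGHT_DS_LIST_CONTENTS translates to no file rights at all, and a DS full-control mask (0x000F01FF) comes out as 0x001F01FF, i.e. full file access.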