Hi! Thanks, that describes it so far. If my testing shows more irregularities, I'll inform you. Please close the case.
Thanks a lot,

Volker

On Fri, Jul 01, 2011 at 07:46:41PM +0000, Obaid Farooqi wrote:
> Hi Volker:
>
> We have completed our investigation regarding your inquiry on WRITE_DAC
> permission on a share.
> The steps through which access check must go before an operation is allowed
> is as follows:
>
> 1. The desired access is checked against the share permissions. If any of the
>    desired access bits are not set in the share permission, access is denied
>    regardless of what access rights user has for the file, directory, etc.,
>    consistent with the situation as described in our initial response.
> 2. If share permission check results in access allowed, then SMB server makes
>    the request to the object store which runs its own access checks.
>
> As part of discretionary access control, Windows always allows a security
> descriptor to be optionally provided when creating a file. And, the share
> access/file access needed to create a file does not require WRITE_DAC access.
> So, as part of creating a file, you can write a custom DACL without
> requesting WRITE_DAC.
> If you notice in your trace change.cap, frame 11 that the desired access for
> NT TRANSACT CREATE does not include WRITE_DAC. As such, it passes the share
> access check.
>
> In case of frame 15 of change.cap, you are specifically requesting WRITE_DAC
> access and this bit is not set in share permissions for this particular user.
> Therefore, the second access is denied.
>
> MS-CIFS/MS-SMB/MS-SMB2 will be modified to document the role of share
> permissions along the lines of the description above.
>
> Please let me know if it answers your question. If it does, I'll consider
> this issue resolved.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> Exceeding your expectations is my highest priority. If you would like to
> provide feedback on your case you may contact my manager at
> allis...@microsoft.com
>
>
> -----Original Message-----
> From: Volker Lendecke [mailto:volker.lende...@sernet.de]
> Sent: Tuesday, June 28, 2011 11:57 AM
> To: Obaid Farooqi
> Cc: p...@tridgell.net; cifs-proto...@samba.org; MSSolve Case Email
> Subject: Re: [Pfif] [REG:111052652308584] [ttal...@microsoft.com: Reminder --
> share secdesc and smb2 echo?]
>
> On Tue, Jun 28, 2011 at 04:55:53PM +0000, Obaid Farooqi wrote:
> > Hi Volker:
> > The information you gave is sufficient. We are still working on it.
> > I'll be in touch as soon as I have an answer.
>
> Any expected timeframe? I have customers sitting on my back.
> We might have to implement a short-term hack if this takes weeks or months.
>
> Thanks,
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
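
The two-step check described in the reply above, as an added example that is not part of the original thread and is not Samba or Windows code. The function names, the sample masks and the desired-access values are constructed assumptions, and the object store's check is reduced to a single mask.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard Windows access-mask bits. */
#define FILE_WRITE_DATA 0x00000002u
#define READ_CONTROL    0x00020000u
#define WRITE_DAC       0x00040000u

/* Constructed sample masks (assumptions, not values taken from the trace). */
#define SHARE_MASK_NO_WRITE_DAC 0x001301BFu /* share rights lacking WRITE_DAC */
#define OBJECT_MASK_FULL        0x001F01FFu /* object store would grant all */

enum verdict { ALLOWED, DENIED_BY_SHARE, DENIED_BY_OBJECT_STORE };

/* Step 1 runs first: any desired bit missing from the share permissions
 * denies the request, whatever the file or directory ACL would grant.
 * Step 2 is the object store's own check, reduced here to a single mask. */
enum verdict access_check(uint32_t desired, uint32_t share_mask,
                          uint32_t object_mask)
{
    if (desired & ~share_mask)
        return DENIED_BY_SHARE;
    if (desired & ~object_mask)
        return DENIED_BY_OBJECT_STORE;
    return ALLOWED;
}

/* A create may carry a security descriptor; that does not add WRITE_DAC
 * to the access being checked, so only the desired access is evaluated. */
enum verdict check_create(uint32_t desired, bool carries_sd,
                          uint32_t share_mask, uint32_t object_mask)
{
    (void)carries_sd;
    return access_check(desired, share_mask, object_mask);
}

int main(void)
{
    /* Frame 11 case: create with a custom DACL, WRITE_DAC not requested. */
    printf("create with SD: %d\n", check_create(FILE_WRITE_DATA | READ_CONTROL,
           true, SHARE_MASK_NO_WRITE_DAC, OBJECT_MASK_FULL));
    /* Frame 15 case: WRITE_DAC requested explicitly. */
    printf("open WRITE_DAC: %d\n", access_check(WRITE_DAC,
           SHARE_MASK_NO_WRITE_DAC, OBJECT_MASK_FULL));
    return 0;
}
```

When auditing share permissions, note that withholding WRITE_DAC at the share level blocks later DACL changes but does not stop a client from supplying a DACL at create time.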