Re: [cifs-protocol] FW: Group Policy questions
Matthieu,

Your summary is a good recap of what we have done on this topic. I have one clarification for the point below.

> * All ACEs for allowed object are wiped out when translating AD ACL to File ACL

When translating an ACL for a DS object to an ACL for a SYSVOL file object, the ACEs with types ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE and SYSTEM_AUDIT_OBJECT_ACE_TYPE are not really deleted from the ACL. Instead, for such an ACE, the access mask in the AceHeader is assigned to zero.

Sebastian will follow up with you on your question regarding documenting the logic for ACE OI and CI flags.

Thanks!

Hongwei

-----Original Message-----
From: Matthieu Patou [mailto:mat+informatique.sa...@matws.net]
Sent: Friday, December 18, 2009 4:01 PM
To: Sebastian Canevari
Cc: Hongwei Sun; Interoperability Documentation Help; cifs-proto...@samba.org
Subject: Re: FW: [cifs-protocol] Group Policy questions

Hello Sebastian and Hongwei,

Sorry for being silent on this. So if I try to sum up, we agreed that:

* in order to allow modification of ACLs on files, sdeffectiverights must have the flag DACL_SECURITY_INFORMATION set, and the ACL must have SE_DACL_PROTECTED set in the control flags.

* in order to avoid a warning message, the ACL of the Policy object must be synchronized with the ACL on the files following this logic for the translation:

  The specific rights in the access mask for an Active Directory object are defined in 5.1.3.2 of MS-ADTS as follows.

    #define RIGHT_DS_CREATE_CHILD   0x0001
    #define RIGHT_DS_DELETE_CHILD   0x0002
    #define RIGHT_DS_LIST_CONTENTS  0x0004
    #define ACTRL_DS_SELF           0x0008
    #define RIGHT_DS_READ_PROPERTY  0x0010
    #define RIGHT_DS_WRITE_PROPERTY 0x0020
    #define RIGHT_DS_DELETE_TREE    0x0040
    #define RIGHT_DS_LIST_OBJECT    0x0080
    #define RIGHT_DS_CONTROL_ACCESS 0x0100

  The specific rights in the access mask for a file or directory object are defined as (http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx):

    #define FILE_READ_DATA            ( 0x0001 )
    #define FILE_LIST_DIRECTORY       ( 0x0001 )
    #define FILE_WRITE_DATA           ( 0x0002 )
    #define FILE_ADD_FILE             ( 0x0002 )
    #define FILE_APPEND_DATA          ( 0x0004 )
    #define FILE_ADD_SUBDIRECTORY     ( 0x0004 )
    #define FILE_CREATE_PIPE_INSTANCE ( 0x0004 )
    #define FILE_READ_EA              ( 0x0008 )
    #define FILE_WRITE_EA             ( 0x0010 )
    #define FILE_EXECUTE              ( 0x0020 )
    #define FILE_TRAVERSE             ( 0x0020 )
    #define FILE_DELETE_CHILD         ( 0x0040 )
    #define FILE_READ_ATTRIBUTES      ( 0x0080 )
    #define FILE_WRITE_ATTRIBUTES     ( 0x0100 )

  The generic access rights that are common to all objects are

    #define DELETE              (0x0001L)
    #define READ_CONTROL        (0x0002L)
    #define WRITE_DAC           (0x0004L)
    #define WRITE_OWNER         (0x0008L)
    #define SYNCHRONIZE         (0x0010L)
    #define STANDARD_RIGHTS_ALL (0x001FL)

  The following logic is used by GPMC to convert an access mask for a DS object to an access mask for SYSVOL.

    DSAccessMask as Input;
    SYSVOLAccessMask as Output;

    SYSVOLAccessMask = DSAccessMask;
    SYSVOLAccessMask &= STANDARD_RIGHTS_ALL;

    if ((DSAccessMask & RIGHT_DS_READ_PROPERTY) AND (DSAccessMask & RIGHT_DS_LIST_CONTENTS))
        SYSVOLAccessMask |= (SYNCHRONIZE | FILE_LIST_DIRECTORY | FILE_READ_ATTRIBUTES | FILE_READ_EA | FILE_READ_DATA | FILE_EXECUTE);

    if (DSAccessMask & RIGHT_DS_WRITE_PROPERTY)
        SYSVOLAccessMask |= (SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY);

    if (DSAccessMask & RIGHT_DS_CREATE_CHILD)
        SYSVOLAccessMask |= (FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE);

    if (DSAccessMask & RIGHT_DS_DELETE_CHILD)
        SYSVOLAccessMask |= FILE_DELETE_CHILD;

* All ACEs for allowed object are wiped out when translating AD ACL to File ACL

* For the following ACE types, OI and CI flags are always set in the resulting file ACE:

    ACCESS_ALLOWED_ACE_TYPE
    ACCESS_DENIED_ACE_TYPE
    SYSTEM_AUDIT_ACE_TYPE

Am I right ? For the parts that are hardcoded like this, will it change any time soon ? Also do you plan to document this
Re: [cifs-protocol] FW: Group Policy questions
Hi Matthieu,

With regard to the OI and CI flags, we always set those flags on if the ACE type is any of the following 3 types:

    ACCESS_ALLOWED_ACE_TYPE
    ACCESS_DENIED_ACE_TYPE
    SYSTEM_AUDIT_ACE_TYPE

This is hardcoded.

I'll provide you with the answer to your other question soon.

Thanks and regards,

Sebastian

Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
Las Colinas - LC2
Tel: +1 469 775 7849
e-mail: seba...@microsoft.com

-----Original Message-----
From: Matthieu Patou [mailto:mat+informatique.sa...@matws.net]
Sent: Friday, December 04, 2009 3:32 PM
To: Sebastian Canevari
Cc: Hongwei Sun; cifs-proto...@samba.org; p...@tridgell.net
Subject: Re: FW: [cifs-protocol] Group Policy questions

On 04/12/2009 23:00, Sebastian Canevari wrote:
> Hi Matthieu,
>
> Just a clarification to ask you for:
>
> We are discussing with Hongwei and the PGs if it is that you are seeing GPMC expect the inheritance to happen OR if it is that you are dumping the ACLs and seeing the flags always.

What I see is when I dump the SD of the files modified by GPMC after it realized that there was a mismatch between the SD in AD and the SD in the Policy folder.

Note: it was with XP SP2 as a client.

Matthieu.

> Please clarify because we were under the impression that we had to look into the client tool, but if the latter is what your question means, then we need to look into AD.
>
> Thanks and regards,
>
> Sebastian Canevari
> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 7100 N Hwy 161, Irving, TX - 75039
> Las Colinas - LC2
> Tel: +1 469 775 7849
> e-mail: seba...@microsoft.com
Re: [cifs-protocol] FW: Group Policy questions
On 04/12/2009 23:00, Sebastian Canevari wrote:
> Hi Matthieu,
>
> Just a clarification to ask you for:
>
> We are discussing with Hongwei and the PGs if it is that you are seeing GPMC expect the inheritance to happen OR if it is that you are dumping the ACLs and seeing the flags always.

What I see is when I dump the SD of the files modified by GPMC after it realized that there was a mismatch between the SD in AD and the SD in the Policy folder.

Note: it was with XP SP2 as a client.

Matthieu.

> Please clarify because we were under the impression that we had to look into the client tool, but if the latter is what your question means, then we need to look into AD.
>
> Thanks and regards,
>
> Sebastian Canevari
> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 7100 N Hwy 161, Irving, TX - 75039
> Las Colinas - LC2
> Tel: +1 469 775 7849
> e-mail: seba...@microsoft.com
>
> -----Original Message-----
> From: Sebastian Canevari
> Sent: Thursday, December 03, 2009 4:18 PM
> To: 'Matthieu Patou'; cifs-proto...@samba.org; Interoperability Documentation Help; p...@tridgell.net
> Subject: RE: FW: [cifs-protocol] Group Policy questions
>
> Hi Matthieu,
>
> We are still actively working on this and I do have the PG engaged.
>
> Please accept my apologies if we are delaying a little longer than expected. I guess we can say that the holidays affected the timing a little, without trying to use that as an excuse.
>
> I'll keep you posted as soon as I have news.
>
> Thanks and regards,
>
> Sebastian
>
> Sebastian Canevari
> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 7100 N Hwy 161, Irving, TX - 75039
> Las Colinas - LC2
> Tel: +1 469 775 7849
> e-mail: seba...@microsoft.com
Re: [cifs-protocol] FW: Group Policy questions
Hello Sebastian,

> And last but not least question, it seems that GPMC wants to have OI and CI flags on every ACL entry; is it due to the presence of the SDDL_AUTO_INHERITED control in the SDDL ?

Any news on this ? More exactly, my question is why this flag appears on each ACE ? Also do you plan to document this in a WSPP document ?

Regards.
Matthieu.

On 13/11/2009 02:40, Sebastian Canevari wrote:
> Hi Matthieu,
>
> I'll be working with you on these questions. I will keep you updated.
>
> Thanks!
>
> Sebastian
>
> Sebastian Canevari
> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 7100 N Hwy 161, Irving, TX - 75039
> Las Colinas - LC2
> Tel: +1 469 775 7849
> e-mail: seba...@microsoft.com
Re: [cifs-protocol] FW: Group Policy questions
Hi Matthieu,

We are still actively working on this and I do have the PG engaged.

Please accept my apologies if we are delaying a little longer than expected. I guess we can say that the holidays affected the timing a little, without trying to use that as an excuse.

I'll keep you posted as soon as I have news.

Thanks and regards,

Sebastian

Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
Las Colinas - LC2
Tel: +1 469 775 7849
e-mail: seba...@microsoft.com

-----Original Message-----
From: Matthieu Patou [mailto:mat+informatique.sa...@matws.net]
Sent: Thursday, December 03, 2009 4:05 PM
To: Sebastian Canevari; cifs-proto...@samba.org; Interoperability Documentation Help; p...@tridgell.net
Subject: Re: FW: [cifs-protocol] Group Policy questions

Hello Sebastian,

> And last but not least question, it seems that GPMC wants to have OI and CI flags on every ACL entry; is it due to the presence of the SDDL_AUTO_INHERITED control in the SDDL ?

Any news on this ? More exactly, my question is why this flag appears on each ACE ? Also do you plan to document this in a WSPP document ?

Regards.
Matthieu.
Re: [cifs-protocol] FW: Group Policy questions
Hi Matthieu,

I'll be working with you on these questions. I will keep you updated.

Thanks!

Sebastian

Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
Las Colinas - LC2
Tel: +1 469 775 7849
e-mail: seba...@microsoft.com

-----Original Message-----
From: Hongwei Sun
Sent: Wednesday, November 11, 2009 9:35 PM
To: Matthieu Patou
Cc: cifs-proto...@samba.org; p...@tridgell.net; Sebastian Canevari
Subject: RE: FW: [cifs-protocol] Group Policy questions

Matthieu,

I double checked the logic and your assumption is right. The return value for the SYSVOL access mask should be assigned to the input value first.

For your other questions, since I am out of office, Sebastian will work on them and let you know.

Thanks!

Hongwei

-----Original Message-----
From: Matthieu Patou [mailto:mat+informatique.sa...@matws.net]
Sent: Wednesday, November 11, 2009 12:22 AM
To: Hongwei Sun
Cc: cifs-proto...@samba.org; p...@tridgell.net
Subject: Re: FW: [cifs-protocol] Group Policy questions

Hello Hongwei,

I've been working on the translation function. I am getting quite similar ACLs right now, but I have some remarks and questions.

The pseudo code contains this:

    DSAccessMask as Input;
    SYSVOLAccessMask as Output;
    SYSVOLAccessMask &= STANDARD_RIGHTS_ALL;

I have the impression that it should be

    DSAccessMask as Input;
    SYSVOLAccessMask as Output;
    SYSVOLAccessMask = DSAccessMask;
    SYSVOLAccessMask &= STANDARD_RIGHTS_ALL;

Maybe the third line is implied in this kind of pseudo code.

Also it seems to me that GPMC is discarding any ACL of type ACCESS_ALLOWED_OBJECT_ACE (OA) and also everything related to SID SID_BUILTIN_PREW2K (RU).

And last but not least question, it seems that GPMC wants to have OI and CI flags on every ACL entry; is it due to the presence of the SDDL_AUTO_INHERITED control in the SDDL ?

Thanks for your answers.

Matthieu.
Re: [cifs-protocol] FW: Group Policy questions
Hi Hongwei,

I received your answer and it looks very interesting. I have to correct the implementation so that ACLs on folders are correctly set. I hope to be able to do it next week. Once it's done I'll tell you about the results.

Regards.
Matthieu.

On 10/29/2009 05:31 AM, Hongwei Sun wrote:
> Matthieu,
>
> I keep receiving the message from our e-mail server about the undeliverable e-mail to one of the addresses (cifs-protocol@cifs.org), which is in your original e-mail. In order to make sure you receive the email, I just forward it again. If you already received it, please let me know if it resolved your issue.
>
> Thanks!
>
> Hongwei
>
> -----Original Message-----
> From: Hongwei Sun
> Sent: Monday, October 26, 2009 6:14 PM
> To: Matthieu Patou; cifs-protocol@cifs.org; p...@tridgell.net
> Subject: RE: [cifs-protocol] Group Policy questions
>
> Matthieu,
>
> The attached GPMC log shows the problem of inconsistency between the ACLs of the policy object and those of the SYSVOL folders. The log shows that
>
>   [6bc.678] 10/25/2009 00:55:47:359 [VERBOSE] CGPMGPO::IsAclConsistent():Checking Aces for SID S-1-5-21-2212615479-2695158682-2101375467-512
>   [6bc.678] 10/25/2009 00:55:47:359 [VERBOSE] GetSysvolPermissionsFromDSPermissions: DS access mask is 0xf00ff
>   ..
>   [6bc.678] 10/25/2009 00:55:47:359 [VERBOSE] CGPMGPO::IsAclConsistent(): ACLs not consistent for SIDS-1-5-21-2212615479-2695158682-2101375467-512. Mask: Expected 0x1f01ff, Found 0xf00ff
>
> The access mask for the ACE of the Active Directory policy object is 0xf00ff. When GPMC converts the access mask to a corresponding file system access mask, it expects 0x1f01ff. For SYSVOL, you set the access mask to 0xf00ff. They don't match and that is why inconsistency is declared. In the SYSVOL access mask you set, you missed 0x10 (SYNCHRONIZE) and 0x100 (FILE_WRITE_ATTRIBUTES).
>
> Since AD objects and SYSVOL file/folder objects are different objects, their specific rights in the access mask are not one-to-one matched. The following are the definitions of bits for both objects.
>
> The specific rights in the access mask for an Active Directory object are defined in 5.1.3.2 of MS-ADTS as follows.
>
>   #define RIGHT_DS_CREATE_CHILD   0x0001
>   #define RIGHT_DS_DELETE_CHILD   0x0002
>   #define RIGHT_DS_LIST_CONTENTS  0x0004
>   #define ACTRL_DS_SELF           0x0008
>   #define RIGHT_DS_READ_PROPERTY  0x0010
>   #define RIGHT_DS_WRITE_PROPERTY 0x0020
>   #define RIGHT_DS_DELETE_TREE    0x0040
>   #define RIGHT_DS_LIST_OBJECT    0x0080
>   #define RIGHT_DS_CONTROL_ACCESS 0x0100
>
> The specific rights in the access mask for a file or directory object are defined as (http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx):
>
>   #define FILE_READ_DATA            ( 0x0001 )
>   #define FILE_LIST_DIRECTORY       ( 0x0001 )
>   #define FILE_WRITE_DATA           ( 0x0002 )
>   #define FILE_ADD_FILE             ( 0x0002 )
>   #define FILE_APPEND_DATA          ( 0x0004 )
>   #define FILE_ADD_SUBDIRECTORY     ( 0x0004 )
>   #define FILE_CREATE_PIPE_INSTANCE ( 0x0004 )
>   #define FILE_READ_EA              ( 0x0008 )
>   #define FILE_WRITE_EA             ( 0x0010 )
>   #define FILE_EXECUTE              ( 0x0020 )
>   #define FILE_TRAVERSE             ( 0x0020 )
>   #define FILE_DELETE_CHILD         ( 0x0040 )
>   #define FILE_READ_ATTRIBUTES      ( 0x0080 )
>   #define FILE_WRITE_ATTRIBUTES     ( 0x0100 )
>
> The generic access rights that are common to all objects are
>
>   #define DELETE              (0x0001L)
>   #define READ_CONTROL        (0x0002L)
>   #define WRITE_DAC           (0x0004L)
>   #define WRITE_OWNER         (0x0008L)
>   #define SYNCHRONIZE         (0x0010L)
>   #define STANDARD_RIGHTS_ALL (0x001FL)
>
> The following logic is used by GPMC to convert an access mask for a DS object to an access mask for SYSVOL.
>
>   DSAccessMask as Input;
>   SYSVOLAccessMask as Output;
>   SYSVOLAccessMask &= STANDARD_RIGHTS_ALL;
>
>   if ((DSAccessMask & RIGHT_DS_READ_PROPERTY) AND (DSAccessMask & RIGHT_DS_LIST_CONTENTS))
>       SYSVOLAccessMask |= (SYNCHRONIZE | FILE_LIST_DIRECTORY | FILE_READ_ATTRIBUTES | FILE_READ_EA | FILE_READ_DATA | FILE_EXECUTE);
>
>   if (DSAccessMask & RIGHT_DS_WRITE_PROPERTY)
>       SYSVOLAccessMask |= (SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY);
>
>   if (DSAccessMask & RIGHT_DS_CREATE_CHILD)
>       SYSVOLAccessMask |= (FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE);
>
>   if (DSAccessMask
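The mask translation, the ACE rewrite rules (object ACEs kept with a zero mask, OI and CI forced on the three plain ACE types) and the IsAclConsistent mismatch from the log quoted above, as an added Python example that is neither Samba's code nor the GPMC logic itself; it also covers Matthieu's Dec 18 summary at the top of the thread. It assumes the Windows SDK high-word encoding for the standard rights (DELETE = 0x00010000 and so on, the only encoding under which the logged 0xf00ff and 0x1f01ff line up) and that the operator lost from the quoted pseudocode is a bitwise AND.

```python
# Added example, not Samba's nor GPMC's code: DS-to-SYSVOL access-mask
# translation and ACE rewrite rules as quoted in this thread, plus an
# IsAclConsistent-style comparison. Assumptions: standard rights use the Windows
# SDK high-word encoding; the operator lost from the quoted pseudocode is "&".
from dataclasses import dataclass, replace

# MS-ADTS 5.1.3.2 Active Directory specific rights (only the ones GPMC tests)
RIGHT_DS_CREATE_CHILD, RIGHT_DS_DELETE_CHILD, RIGHT_DS_LIST_CONTENTS = 0x1, 0x2, 0x4
RIGHT_DS_READ_PROPERTY, RIGHT_DS_WRITE_PROPERTY = 0x10, 0x20
# File/directory specific rights (low word); aliases share a value
FILE_READ_DATA = FILE_LIST_DIRECTORY = 0x1
FILE_WRITE_DATA = FILE_ADD_FILE = 0x2
FILE_APPEND_DATA = FILE_ADD_SUBDIRECTORY = 0x4
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x8, 0x10, 0x20
FILE_DELETE_CHILD, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x40, 0x80, 0x100
# Standard rights common to all objects (high word, Windows SDK values)
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000
SYNCHRONIZE, STANDARD_RIGHTS_ALL = 0x100000, 0x1F0000
# ACE types and inheritance flags (MS-DTYP 2.4.4.1)
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE = 0x0, 0x1, 0x2
ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE = 0x5, 0x6
SYSTEM_AUDIT_OBJECT_ACE_TYPE = 0x7
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE = 0x01, 0x02
PLAIN_ACE_TYPES = {ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE}
OBJECT_ACE_TYPES = {ACCESS_ALLOWED_OBJECT_ACE_TYPE, ACCESS_DENIED_OBJECT_ACE_TYPE,
                    SYSTEM_AUDIT_OBJECT_ACE_TYPE}

SYSVOL_READ = (SYNCHRONIZE | FILE_LIST_DIRECTORY | FILE_READ_ATTRIBUTES | FILE_READ_EA
               | FILE_READ_DATA | FILE_EXECUTE)
SYSVOL_WRITE = (SYNCHRONIZE | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA
                | FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY)
# Bit names in ascending bit order, used to explain a mismatch like the logged one
BIT_NAMES = dict(zip(
    [1 << i for i in range(9)] + [DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE],
    ["FILE_READ_DATA", "FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_READ_EA", "FILE_WRITE_EA",
     "FILE_EXECUTE", "FILE_DELETE_CHILD", "FILE_READ_ATTRIBUTES", "FILE_WRITE_ATTRIBUTES",
     "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE"]))


def sysvol_mask_from_ds_mask(ds_mask: int) -> int:
    """GetSysvolPermissionsFromDSPermissions, per the corrected pseudocode."""
    out = ds_mask
    out &= STANDARD_RIGHTS_ALL  # only the standard rights carry over as they are
    if ds_mask & RIGHT_DS_READ_PROPERTY and ds_mask & RIGHT_DS_LIST_CONTENTS:
        out |= SYSVOL_READ
    if ds_mask & RIGHT_DS_WRITE_PROPERTY:
        out |= SYSVOL_WRITE
    if ds_mask & RIGHT_DS_CREATE_CHILD:
        out |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE
    if ds_mask & RIGHT_DS_DELETE_CHILD:
        out |= FILE_DELETE_CHILD
    return out


@dataclass(frozen=True)
class Ace:
    ace_type: int
    flags: int
    mask: int
    sid: str


def translate_ace(ace: Ace) -> Ace:
    """DS ACE to SYSVOL ACE: object ACEs are kept with a zero mask; the three
    plain types get OI|CI forced on and the translated mask."""
    if ace.ace_type in OBJECT_ACE_TYPES:
        return replace(ace, mask=0)
    if ace.ace_type in PLAIN_ACE_TYPES:
        return replace(ace, flags=ace.flags | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
                       mask=sysvol_mask_from_ds_mask(ace.mask))
    return ace


def missing_bit_names(expected: int, found: int) -> list:
    """Names of the bits GPMC expects that the SYSVOL ACE lacks."""
    missing = expected & ~found
    return [name for bit, name in BIT_NAMES.items() if missing & bit]


def acl_mismatches(ds_acl, sysvol_acl) -> list:
    """IsAclConsistent-style check over the plain ACE types: compare each DS
    ACE's translated mask with the SYSVOL ACE of the same type and SID.
    Returns (sid, expected, found) tuples; found is None when the ACE is absent."""
    found = {(a.ace_type, a.sid): a.mask for a in sysvol_acl}
    out = []
    for ace in ds_acl:
        if ace.ace_type not in PLAIN_ACE_TYPES:
            continue
        expected = translate_ace(ace).mask
        got = found.get((ace.ace_type, ace.sid))
        if got != expected:
            out.append((ace.sid, expected, got))
    return out
```

Fed the logged DS mask 0xf00ff, sysvol_mask_from_ds_mask returns 0x1f01ff, and missing_bit_names(0x1f01ff, 0xf00ff) names exactly the two bits Hongwei points out, FILE_WRITE_ATTRIBUTES and SYNCHRONIZE.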