Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

787 lines
27 KiB

/*++
Copyright (c) 1996 Microsoft Corporation
Module Name:
dumpsd.c
Abstract:
Dump security desc., ACLs, and access masks to the log. This is resource
specific but otherwise identical to the routines in clusrtl\security.c
Author:
Charlie Wickham (charlwi) 12/05/00
Revision History:
--*/
#define UNICODE 1
#include "clusres.h"
#include "clusrtl.h"
#include "lm.h"
#include "lmerr.h"
#include "lmshare.h"
#include <dfsfsctl.h>
#include <srvfsctl.h>
#include <lmdfs.h>
#define g_LogEvent ClusResLogEvent
static VOID
SmbGetSidTypeDesc(
SID_NAME_USE SidType,
LPSTR pszSidType,
size_t cchSidType
)
/*++
Routine Description:
Convert the SidType into a meaningful string.
Arguments:
SidType -
pszSidType
cchSidType
Return Value:
none
--*/
{
if ((pszSidType != NULL) && (cchSidType > 0))
{
char szSidType [128];
switch (SidType) {
case SidTypeUser:
lstrcpyA(szSidType, "has a user SID for");
break;
case SidTypeGroup:
lstrcpyA(szSidType, "has a group SID for");
break;
case SidTypeDomain:
lstrcpyA(szSidType, "has a domain SID for");
break;
case SidTypeAlias:
lstrcpyA(szSidType, "has an alias SID for");
break;
case SidTypeWellKnownGroup:
lstrcpyA(szSidType, "has a SID for a well-known group for");
break;
case SidTypeDeletedAccount:
lstrcpyA(szSidType, "has a SID for a deleted account for");
break;
case SidTypeInvalid:
lstrcpyA(szSidType, "has an invalid SID for");
break;
case SidTypeUnknown:
lstrcpyA(szSidType, "has an unknown SID type:");
break;
default:
szSidType [0] = '\0';
break;
} // switch: SidType
strncpy(pszSidType, szSidType, cchSidType);
} // if: buffer not null and has space allocated
} //*** SmbGetSidTypeDesc()
static VOID
SmbExamineSid(
RESOURCE_HANDLE ResourceHandle,
PSID pSid,
LPSTR lpszOldIndent
)
/*++
Routine Description:
Dump the SID.
Arguments:
pSid -
lpzOldIndent -
Return Value:
none
--*/
{
CHAR szUserName [128];
CHAR szDomainName [128];
DWORD cbUser = sizeof(szUserName);
DWORD cbDomain = sizeof(szDomainName);
SID_NAME_USE SidType;
if ( LookupAccountSidA( NULL, pSid, szUserName, &cbUser, szDomainName, &cbDomain, &SidType ) )
{
char szSidType [128];
SmbGetSidTypeDesc( SidType, szSidType, sizeof( szSidType ) );
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"%1!hs!%2!hs! %3!hs!\\%4!hs!\n",
lpszOldIndent, szSidType, szDomainName, szUserName ) ;
}
} // *** SmbExamineSid()
VOID
SmbExamineMask(
RESOURCE_HANDLE ResourceHandle,
ACCESS_MASK amMask
)
/*++
Routine Description:
Dump the AccessMask context.
Arguments:
amMask -
lpzOldIndent -
Return Value:
none
--*/
{
#define STANDARD_RIGHTS_ALL_THE_BITS 0x00FF0000L
#define GENERIC_RIGHTS_ALL_THE_BITS 0xF0000000L
DWORD dwGenericBits;
DWORD dwStandardBits;
DWORD dwSpecificBits;
DWORD dwAccessSystemSecurityBit;
DWORD dwExtraBits;
dwStandardBits = (amMask & STANDARD_RIGHTS_ALL_THE_BITS);
dwSpecificBits = (amMask & SPECIFIC_RIGHTS_ALL );
dwAccessSystemSecurityBit = (amMask & ACCESS_SYSTEM_SECURITY );
dwGenericBits = (amMask & GENERIC_RIGHTS_ALL_THE_BITS );
// **************************************************************************
// *
// * Print then decode the standard rights bits
// *
// **************************************************************************
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" Standard Rights == 0x%1!.8x!\n", dwStandardBits);
if (dwStandardBits) {
if ((dwStandardBits & DELETE) == DELETE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! DELETE\n", DELETE);
}
if ((dwStandardBits & READ_CONTROL) == READ_CONTROL) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! READ_CONTROL\n", READ_CONTROL);
}
if ((dwStandardBits & STANDARD_RIGHTS_READ) == STANDARD_RIGHTS_READ) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! STANDARD_RIGHTS_READ\n", STANDARD_RIGHTS_READ);
}
if ((dwStandardBits & STANDARD_RIGHTS_WRITE) == STANDARD_RIGHTS_WRITE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! STANDARD_RIGHTS_WRITE\n", STANDARD_RIGHTS_WRITE);
}
if ((dwStandardBits & STANDARD_RIGHTS_EXECUTE) == STANDARD_RIGHTS_EXECUTE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! STANDARD_RIGHTS_EXECUTE\n", STANDARD_RIGHTS_EXECUTE);
}
if ((dwStandardBits & WRITE_DAC) == WRITE_DAC) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! WRITE_DAC\n", WRITE_DAC);
}
if ((dwStandardBits & WRITE_OWNER) == WRITE_OWNER) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! WRITE_OWNER\n", WRITE_OWNER);
}
if ((dwStandardBits & SYNCHRONIZE) == SYNCHRONIZE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! SYNCHRONIZE\n", SYNCHRONIZE);
}
if ((dwStandardBits & STANDARD_RIGHTS_REQUIRED) == STANDARD_RIGHTS_REQUIRED) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! STANDARD_RIGHTS_REQUIRED\n", STANDARD_RIGHTS_REQUIRED);
}
if ((dwStandardBits & STANDARD_RIGHTS_ALL) == STANDARD_RIGHTS_ALL) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! STANDARD_RIGHTS_ALL\n", STANDARD_RIGHTS_ALL);
}
dwExtraBits = dwStandardBits & (~(DELETE
| READ_CONTROL
| STANDARD_RIGHTS_READ
| STANDARD_RIGHTS_WRITE
| STANDARD_RIGHTS_EXECUTE
| WRITE_DAC
| WRITE_OWNER
| SYNCHRONIZE
| STANDARD_RIGHTS_REQUIRED
| STANDARD_RIGHTS_ALL));
if (dwExtraBits) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" Extra standard bits == 0x%1!.8x! <-This is a problem, should be all 0s\n",
dwExtraBits);
}
}
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" Specific Rights == 0x%1!.8x!\n", dwSpecificBits);
// **************************************************************************
// *
// * Print then decode the ACCESS_SYSTEM_SECURITY bit
// *
// *************************************************************************
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" Access System Security == 0x%1!.8x!\n", dwAccessSystemSecurityBit);
// **************************************************************************
// *
// * Print then decode the generic rights bits, which will rarely be on
// *
// * Generic bits are nearly always mapped by Windows NT before it tries to do
// * anything with them. You can ignore the fact that generic bits are
// * special in any way, although it helps to keep track of what the mappings
// * are so that you don't have any surprises
// *
// * The only time the generic bits are not mapped immediately is if they are
// * placed in an inheritable ACE in an ACL, or in an ACL that will be
// * assigned by default (such as the default DACL in an access token). In
// * that case they're mapped when the child object is created (or when the
// * default DACL is used at object creation time)
// *
// **************************************************************************
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" Generic Rights == 0x%1!.8x!\n", dwGenericBits);
if (dwGenericBits) {
if ((dwGenericBits & GENERIC_READ) == GENERIC_READ) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! GENERIC_READ\n", GENERIC_READ);
}
if ((dwGenericBits & GENERIC_WRITE) == GENERIC_WRITE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! GENERIC_WRITE\n", GENERIC_WRITE);
}
if ((dwGenericBits & GENERIC_EXECUTE) == GENERIC_EXECUTE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! GENERIC_EXECUTE\n", GENERIC_EXECUTE);
}
if ((dwGenericBits & GENERIC_ALL) == GENERIC_ALL) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x%1!.8x! GENERIC_ALL\n", GENERIC_ALL);
}
dwExtraBits = dwGenericBits & (~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL));
if (dwExtraBits) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" Extra generic bits == 0x%1!.8x! <-This is a problem, should be all 0s\n",
dwExtraBits);
}
}
} // *** SmbExamineMask()
static BOOL
SmbExamineACL(
RESOURCE_HANDLE ResourceHandle,
PACL paclACL
)
/*++
Routine Description:
Dump the Access Control List context.
Return Value:
none
--*/
{
ACL_SIZE_INFORMATION asiAclSize;
ACL_REVISION_INFORMATION ariAclRevision;
DWORD dwBufLength;
DWORD dwAcl_i;
ACCESS_ALLOWED_ACE * paaAllowedAce;
if (!IsValidAcl(paclACL)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" SmbExamineACL() - IsValidAcl() failed.\n");
return FALSE;
}
dwBufLength = sizeof(asiAclSize);
if (!GetAclInformation(paclACL, &asiAclSize, dwBufLength, AclSizeInformation)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" SmbExamineACL() - GetAclInformation failed.\n");
return FALSE;
}
dwBufLength = sizeof(ariAclRevision);
if (!GetAclInformation(paclACL, (LPVOID) &ariAclRevision, dwBufLength, AclRevisionInformation)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" SmbExamineACL() - GetAclInformation failed\n");
return FALSE;
}
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACL has %1!d! ACE(s), %2!d! bytes used, %3!d! bytes free\n",
asiAclSize.AceCount,
asiAclSize.AclBytesInUse,
asiAclSize.AclBytesFree);
switch (ariAclRevision.AclRevision) {
case ACL_REVISION1:
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACL revision is %1!d! == ACL_REVISION1\n", ariAclRevision.AclRevision);
break;
case ACL_REVISION2:
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACL revision is %1!d! == ACL_REVISION2\n", ariAclRevision.AclRevision);
break;
default:
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACL revision is %1!d! == Unrecognized ACL Revision.\n",
ariAclRevision.AclRevision);
return FALSE;
break;
}
for (dwAcl_i = 0; dwAcl_i < asiAclSize.AceCount; dwAcl_i++) {
if (!GetAce(paclACL, dwAcl_i, (LPVOID *) &paaAllowedAce)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" SmbExamineACL() - GetAce failed.\n");
return FALSE;
}
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACE %1!d! size %2!d!\n", dwAcl_i, paaAllowedAce->Header.AceSize);
{
char szBuf [128];
wsprintfA(szBuf, " ACE %d ", dwAcl_i);
SmbExamineSid(ResourceHandle, &(paaAllowedAce->SidStart), szBuf );
}
{
DWORD dwAceFlags = paaAllowedAce->Header.AceFlags;
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACE %1!d! flags 0x%2!.2x!\n", dwAcl_i, dwAceFlags);
if (dwAceFlags) {
DWORD dwExtraBits;
if ((dwAceFlags & OBJECT_INHERIT_ACE) == OBJECT_INHERIT_ACE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x01 OBJECT_INHERIT_ACE\n");
}
if ((dwAceFlags & CONTAINER_INHERIT_ACE) == CONTAINER_INHERIT_ACE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x02 CONTAINER_INHERIT_ACE\n");
}
if ((dwAceFlags & NO_PROPAGATE_INHERIT_ACE) == NO_PROPAGATE_INHERIT_ACE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x04 NO_PROPAGATE_INHERIT_ACE\n");
}
if ((dwAceFlags & INHERIT_ONLY_ACE) == INHERIT_ONLY_ACE) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x08 INHERIT_ONLY_ACE\n");
}
if ((dwAceFlags & VALID_INHERIT_FLAGS) == VALID_INHERIT_FLAGS) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x0F VALID_INHERIT_FLAGS\n");
}
if ((dwAceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) == SUCCESSFUL_ACCESS_ACE_FLAG) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x40 SUCCESSFUL_ACCESS_ACE_FLAG\n");
}
if ((dwAceFlags & FAILED_ACCESS_ACE_FLAG) == FAILED_ACCESS_ACE_FLAG) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" 0x80 FAILED_ACCESS_ACE_FLAG\n");
}
dwExtraBits = dwAceFlags & (~(OBJECT_INHERIT_ACE
| CONTAINER_INHERIT_ACE
| NO_PROPAGATE_INHERIT_ACE
| INHERIT_ONLY_ACE
| VALID_INHERIT_FLAGS
| SUCCESSFUL_ACCESS_ACE_FLAG
| FAILED_ACCESS_ACE_FLAG));
if (dwExtraBits) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" Extra AceFlag bits == 0x%1!.8x! <-This is a problem, should be all 0s\n",
dwExtraBits);
}
}
}
switch (paaAllowedAce->Header.AceType) {
case ACCESS_ALLOWED_ACE_TYPE:
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACE %1!d! is an ACCESS_ALLOWED_ACE_TYPE\n", dwAcl_i);
break;
case ACCESS_DENIED_ACE_TYPE:
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACE %1!d! is an ACCESS_DENIED_ACE_TYPE\n", dwAcl_i);
break;
case SYSTEM_AUDIT_ACE_TYPE:
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACE %1!d! is a SYSTEM_AUDIT_ACE_TYPE\n", dwAcl_i);
break;
case SYSTEM_ALARM_ACE_TYPE:
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACE %1!d! is a SYSTEM_ALARM_ACE_TYPE\n", dwAcl_i);
break;
default :
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACE %1!d! is an IMPOSSIBLE ACE_TYPE!!! Run debugger, examine value!\n", dwAcl_i);
return FALSE;
}
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L" ACE %1!d! mask == 0x%2!.8x!\n", dwAcl_i, paaAllowedAce->Mask);
SmbExamineMask(ResourceHandle, paaAllowedAce->Mask);
}
return TRUE;
} // *** SmbExamineACL()
BOOL
SmbExamineSD(
RESOURCE_HANDLE ResourceHandle,
PSECURITY_DESCRIPTOR psdSD
)
/*++
Routine Description:
Dump the Security descriptor context.
Arguments:
psdSD - the SD to dump
Return Value:
BOOL, TRUE for success, FALSE for failure
--*/
{
PACL paclDACL;
PACL paclSACL;
BOOL bHasDACL = FALSE;
BOOL bHasSACL = FALSE;
BOOL bDaclDefaulted = FALSE;
BOOL bSaclDefaulted = FALSE;
BOOL bOwnerDefaulted = FALSE;
BOOL bGroupDefaulted = FALSE;
PSID psidOwner;
PSID psidGroup;
SECURITY_DESCRIPTOR_CONTROL sdcSDControl;
DWORD dwSDRevision;
DWORD dwSDLength;
if (!IsValidSecurityDescriptor(psdSD)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SmbExamineSD() - IsValidSecurityDescriptor failed.\n");
return FALSE;
}
dwSDLength = GetSecurityDescriptorLength(psdSD);
if (!GetSecurityDescriptorDacl(psdSD, (LPBOOL) &bHasDACL, (PACL *) &paclDACL, (LPBOOL) &bDaclDefaulted)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SmbExamineSD() - GetSecurityDescriptorDacl failed.\n");
return FALSE;
}
if (!GetSecurityDescriptorSacl(psdSD, (LPBOOL) &bHasSACL, (PACL *) &paclSACL, (LPBOOL) &bSaclDefaulted)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SmbExamineSD() - GetSecurityDescriptorSacl failed.\n");
return FALSE;
}
if (!GetSecurityDescriptorOwner(psdSD, (PSID *)&psidOwner, (LPBOOL)&bOwnerDefaulted)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SmbExamineSD() - GetSecurityDescriptorOwner failed.\n");
return FALSE;
}
if (!GetSecurityDescriptorGroup(psdSD, (PSID *) &psidGroup, (LPBOOL) &bGroupDefaulted)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SmbExamineSD() - GetSecurityDescriptorGroup failed.\n");
return FALSE;
}
if (!GetSecurityDescriptorControl(
psdSD,
(PSECURITY_DESCRIPTOR_CONTROL) &sdcSDControl,
(LPDWORD) &dwSDRevision))
{
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SmbExamineSD() - GetSecurityDescriptorControl failed.\n");
return FALSE;
}
switch (dwSDRevision) {
case SECURITY_DESCRIPTOR_REVISION1:
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD is valid. SD is %1!d! bytes long. SD revision is "
L"%2!d! == SECURITY_DESCRIPTOR_REVISION1\n",
dwSDLength, dwSDRevision);
break;
default :
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD is valid. SD is %1!d! bytes long. SD revision is "
L"%2!d! == ! SD Revision is an IMPOSSIBLE SD revision!!! "
L"Perhaps a new revision was added...\n",
dwSDLength,
dwSDRevision);
return FALSE;
}
if (SE_SELF_RELATIVE & sdcSDControl) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD is in self-relative format (all SDs returned by the system are)\n");
}
if (NULL == psidOwner) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's Owner is NULL, so SE_OWNER_DEFAULTED is ignored\n");
}
else {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's Owner is Not NULL\n");
if (bOwnerDefaulted) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's Owner-Defaulted flag is TRUE\n");
}
else {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's Owner-Defaulted flag is FALSE\n");
}
}
// **************************************************************************
// *
// * The other use for psidGroup is for Macintosh client support
// *
// **************************************************************************
if (NULL == psidGroup) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's Group is NULL, so SE_GROUP_DEFAULTED is ignored. SD's Group "
L"being NULL is typical, GROUP in SD(s) is mainly for POSIX compliance\n");
}
else {
if (bGroupDefaulted) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's Group-Defaulted flag is TRUE\n");
}
else {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's Group-Defaulted flag is FALSE\n");
}
}
if (SE_DACL_PRESENT & sdcSDControl) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's DACL is Present\n");
if (bDaclDefaulted) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's DACL-Defaulted flag is TRUE\n");
} else {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's DACL-Defaulted flag is FALSE\n");
}
if (NULL == paclDACL) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD has a NULL DACL explicitly specified (allows all access to Everyone). "
L"This does not apply to this SD, but for comparison, a non-NULL DACL pointer "
L"to a 0-length ACL allows no access to anyone\n");
}
else if(!SmbExamineACL(ResourceHandle, paclDACL)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SmbExamineSD() - SmbExamineACL failed.\n");
}
}
else {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's DACL is Not Present, so SE_DACL_DEFAULTED is ignored. SD has no "
L"DACL at all (allows all access to Everyone)\n");
}
if (SE_SACL_PRESENT & sdcSDControl) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's SACL is Present\n");
if (bSaclDefaulted) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's SACL-Defaulted flag is TRUE\n");
}
else {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's SACL-Defaulted flag is FALSE\n");
}
if (NULL == paclSACL) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD has a NULL SACL explicitly specified\n");
}
else if (!SmbExamineACL(ResourceHandle, paclSACL)) {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SmbExamineSD() - SmbExamineACL failed.\n");
}
}
else {
(g_LogEvent)(ResourceHandle,
LOG_INFORMATION,
L"SD's SACL is Not Present, so SE_SACL_DEFAULTED is ignored. SD has no "
L"SACL at all (or we did not request to see it)\n");
}
return TRUE;
} // *** SmbExamineSD()