List:       cifs-protocol
Subject:    Re: [cifs-protocol] [REG:111020105939834] server behavior with
From:       Bryan Burgin <bburgin () microsoft ! com>
Date:       2011-03-05 15:33:09
Message-ID: BBA84BA7DDF8E7499FA84A8575F130CA11D1B0 () TK5EX14MBXC218 ! redmond ! corp ! microsoft ! com

Yes.  I sent subsequent mail with the change I recommended, copied below.

Thank you for your patience.

Bryan

Matthieu,

To close this out, I filed a request with the owners of [MS-ADTS] recommending the following Windows Behavior Note:

At the text in 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID "If the base of the search is not the root of an NC, the server will return the error insufficientAccessRights / <unrestricted>." add <WBN>

<WBN> Windows will return insufficientAccessRights if the base of the search is not the root of an NC and LDAP_DIRSYNC_OBJECT_SECURITY is not set.

Bryan

-----Original Message-----
From: Matthieu Patou [mailto:mat@samba.org]
Sent: Saturday, March 05, 2011 6:58 AM
To: Bryan Burgin
Cc: pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email
Subject: Re: [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc

Hello Bryan,


> Matthieu,
> 
> I verified my hypothesis.  In both cases (with and without LDAP_DIRSYNC_OBJECT_SECURITY) the call is handled in lsass.exe at ntdsai.dll!LDAP_CONN::SearchRequest().  For reference: my testing was using Server 2008 R2 (RTM, not SP1).
> If LDAP_DIRSYNC_OBJECT_SECURITY is absent, we call into code that checks that the client has appropriate rights.  That call fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105).  That failure causes LDAP_CONN::SearchRequest() to stop there and return insufficientAccessRights (0x32/50d).
> Deeper down, the reason the access check fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105) is that a sub-check discovers that we are not at the root of the NC and returns 8440 (0x20f8) ERROR_DS_DRA_BAD_NC "The naming context specified for this replication operation is invalid".
> When LDAP_DIRSYNC_OBJECT_SECURITY is present, we don't do this extra security "safety" check and skip all of the code mentioned above.  We, then, fall into the next check that ultimately returns unwillingToPerform when it discovers the base of the search is not the root of the NC.
Ok, does this mean that you'll update the documentation to indicate this behavior (with a behavior note, for instance)?

--
Matthieu Patou

Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary



_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
