
List:       cifs-protocol
Subject:    [cifs-protocol] Question about LDAP delete operation on Administrator and other built-in accounts
From:       Nadezhda Ivanova <nivanova () samba ! org>
Date:       2013-10-07 12:55:00
Message-ID: CACERx8gvB-cLks2Z5if9d_CUA5_yUAN10tT3RT0aQjHZnbeFQQ () mail ! gmail ! com


Hi,
At the I/O Lab we asked about the restrictions that apply on performing a
delete operation on built-in accounts. To explain the correct behavior,
Edgar kindly supplied the following references:
"

3.1.1.5.5.1.1 Tombstone Requirements

http://msdn.microsoft.com/en-us/library/cc223481.aspx

A protected object may not be deleted and transformed into a tombstone
(see Protected Objects, section 3.1.1.5.5.3,
http://msdn.microsoft.com/en-us/library/cc223483.aspx).



3.1.1.5.5.3 Protected Objects

http://msdn.microsoft.com/en-us/library/cc223483.aspx



3.1.1.6.1.2 Protected Objects

http://msdn.microsoft.com/en-us/library/dd240058.aspx

…

- well-known security principals:
  - of class user (http://msdn.microsoft.com/en-us/library/cc221822.aspx)
    with RID = DOMAIN_USER_RID_ADMIN

"

However, some testing revealed that the last reference, which we hoped would
explain why the Administrator should not be deleted, appears not to be
relevant to the case. A delete operation on any built-in account or
predefined domain RID returns LDAP error 80, and group membership does
not really affect the deletion of users or groups.

So after some digging, I found this:


http://msdn.microsoft.com/en-us/library/cc245803.aspx

Namely: If the RID of U's *objectSid* attribute value is less than 1000, an
error MUST be returned.

Could you please confirm that this is indeed the only restriction relevant
to the case?

Best Regards,
Nadezhda Ivanova



_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

