List: cifs-protocol
Subject: Re: [cifs-protocol] [REG113100710843173]: Question about LDAP delete operation on Administrator and
From: Nadezhda Ivanova <nivanova () samba ! org>
Date: 2013-10-09 13:54:26
Message-ID: CACERx8gqufMQRWfHjT0Wg7VVehYKPdgH5iS9Fhk0hYbru2WYLQ () mail ! gmail ! com
Hi Edgar,
It seems from the references you provided that there aren't additional
restrictions - other than rid > 1000, which was my original question.
Thank you for your help!
Regards,
Nadya
On Wed, Oct 9, 2013 at 1:13 AM, Edgar Olougouna <edgaro@microsoft.com>wrote:
> Nadia,
>
> It was nice working with the team at the IO lab. Please find the
> references and explanation as follows.
>
> Your observation is correct. The restriction is relevant as specified in
> MS-ADTS. The Delete Operation constraints ([MS-ADTS] 3.1.1.5.5) have a
> clause on SAM-specific objects.
>
> After reviewing the source code and documents, I have opened a technical
> document issue to request further details regarding the 1000 value.
> Well-known accounts have a RID value that is less than 1000. Consequently
> SAMR uses 1000 as the minimum domain RID for rIDAvailablePool.
>
> The builtin account RID check applies to SamrDeleteAlias(),
> SamrDeleteGroup() and SamrDeleteUser().
>
> Let me know whether this helps!
>
>
> [MS-ADTS]
>
> 3.1.1.5.5 Delete Operation
>
> 3.1.1.5.5.5 Constraints
>
> http://msdn.microsoft.com/en-us/library/cc223485.aspx
>
> - If the object being deleted is a SAM-specific object (section 3.1.1.5.2.3
>   <http://msdn.microsoft.com/en-us/library/cc223445.aspx>), additional
>   constraints apply (see [MS-SAMR] section 3.1.5.7
>   <http://msdn.microsoft.com/en-us/library/cc245800.aspx>).
>
> 3.1.1.5.2.3 Special Classes and Attributes
>
> http://msdn.microsoft.com/en-us/library/cc223445.aspx
>
> This section defines three sets of object classes: LSA-specific object
> classes, SAM-specific object classes, and schema object classes. These sets
> are mentioned elsewhere in the specification, because special processing is
> applied to instances of these classes.
>
> Each set includes both the specific object classes mentioned here and any
> subclasses of these object classes.
>
> - LSA-specific object classes: secret
>   <http://msdn.microsoft.com/en-us/library/cc221792.aspx>, trustedDomain
>   <http://msdn.microsoft.com/en-us/library/cc221820.aspx> (originating
>   updates only, in AD DS only).
>
> - SAM-specific object classes: group
>   <http://msdn.microsoft.com/en-us/library/cc221861.aspx>, samDomain
>   <http://msdn.microsoft.com/en-us/library/cc221779.aspx>, samServer
>   <http://msdn.microsoft.com/en-us/library/cc221789.aspx>, user
>   <http://msdn.microsoft.com/en-us/library/cc221822.aspx> (originating
>   updates only, in AD DS only).
>
> - Schema object classes: attributeSchema
>   <http://msdn.microsoft.com/en-us/library/cc221662.aspx>, classSchema
>   <http://msdn.microsoft.com/en-us/library/cc221755.aspx> (originating and
>   replicated updates).
>
> This section also defines one set of attributes: foreign principal object
> (FPO)
> <http://msdn.microsoft.com/en-us/library/b645c125-a7da-4097-84a1-2fa7cea07714#fpo>-enabled
> attributes. This set is mentioned elsewhere in the specification, because
> special processing is applied to instances of these attributes.
>
> - FPO-enabled attributes: member
>   <http://msdn.microsoft.com/en-us/library/cc220525.aspx>,
>   msDS-MembersForAzRole <http://msdn.microsoft.com/en-us/library/cc220305.aspx>,
>   msDS-NeverRevealGroup <http://msdn.microsoft.com/en-us/library/cc220317.aspx>,
>   msDS-NonMembers <http://msdn.microsoft.com/en-us/library/cc220319.aspx>,
>   msDS-RevealOnDemandGroup <http://msdn.microsoft.com/en-us/library/cc220364.aspx>,
>   msDS-ServiceAccount <http://msdn.microsoft.com/en-us/library/cc221226.aspx>.
>
>
> [MS-SAMR]
>
> 3.1.5.7 Delete Pattern
>
> http://msdn.microsoft.com/en-us/library/cc245800.aspx
>
> 3.1.5.7.1 SamrDeleteGroup (Opnum 23)
>
> 5. If the RID of G's objectSid attribute is less than 1000, an error
> MUST be returned.
>
> 3.1.5.7.2 SamrDeleteAlias (Opnum 30)
>
> 5. If the RID of A's objectSid attribute value is less than 1000, an
> error MUST be returned.
>
> 3.1.5.7.3 SamrDeleteUser (Opnum 35)
>
> 5. If the RID of U's objectSid attribute value is less than 1000, an
> error MUST be returned.
>
>
> [MS-DRSR]
>
> 4.1.10.5.12 ProcessFsmoRoleRequest
>
> http://msdn.microsoft.com/en-us/library/dd207744.aspx
>
> …
>
>     /* Locate or create the RID Set object for the client DC. */
>     serverObj := clientDsaObj!parent
>     clientComputerObj := serverObj!serverReference
>     if clientComputerObj!rIDSetReference = null then
>         clientRidSetObj := An implementation defined DSName in the
>             default NC such that not ObjExists(clientRidSetObj)
>         Create object with DSName clientRidSetObject such that
>             rIDSet in clientRidSetObject!objectClass
>         /* Windows Behavior: Windows sets clientRidSetObj to be a child
>          * of clientComputerObj. */
>         clientComputerObj!rIDSetReference := clientRidSetObj
>     else
>         clientRidSetObj := clientComputerObj!rIDSetReference
>     endif
>
>     /* Get the current RID allocation for the client DC. */
>     ridAllocLoHi := clientRidSetObj!rIDAllocationPool
>     ridAvailHi := most significant 32 bits of ridAvailLoHi
>     ridReqHi := most significant 32 bits of msgIn.liFsmoInfo
>     if ridAllocLoHi = 0 or ridAvailHi = 0 or ridReqHi ≥ ridAvailHi then
>         /* The client DC has indeed exhausted its current allocation,
>          * according to our records. */
>
>         /* Get the range of RIDs that have not yet been allocated to any
>          * DC. */
>         ridAvailLoHi := fsmoObj!rIDAvailablePool
>         ridAvailLo := least significant 32 bits of ridAvailLoHi
>         ridAvailHi := most significant 32 bits of ridAvailLoHi
>
>         /* Select a subset of the unallocated RIDs and allocate them to
>          * the client. */
>         Assign a value to ridAllocHi according to any implementation-
>         defined policy such that ridAvailLo < ridAllocHi < ridAvailHi.
>         /* Windows Behavior: By default, Windows sets ridAllocHi to
>          * ridAvailLo + 500. */
>         ridAllocLoHi := ridAvailLo as least significant 32 bits and
>             ridAllocHi as most significant 32 bits
>         ridAvailLo := ridAllocHi + 1
>         ridAvailLoHi := ridAvailLo as least significant 32 bits and
>             ridAvailHi as most significant 32 bits
>         fsmoObj!rIDAvailablePool := ridAvailLoHi
>         clientRidSetObj!rIDAllocationPool := ridAllocLoHi
>         msgOut.liFsmoInfo := ridAllocLoHi
>     endif
>
> …
>
> Thanks,
>
> Edgar
>
>
> *From:* Edgar Olougouna
> *Sent:* Monday, October 07, 2013 11:37 AM
> *To:* Nadezhda Ivanova
> *Cc:* cifs-protocol@samba.org; MSSolve Case Email
> *Subject:* RE: [REG113100710843173]: Question about LDAP delete operation
> on Administrator and other built-in accounts
>
> Nadia,
>
> I will investigate this and follow-up.
>
> Regards,
>
> Edgar
>
> *From:* Bryan Burgin
> *Sent:* Monday, October 07, 2013 11:25 AM
> *To:* Nadezhda Ivanova
> *Cc:* cifs-protocol@samba.org; MSSolve Case Email
> *Subject:* [REG113100710843173]: Question about LDAP delete operation on
> Administrator and other built-in accounts
>
> [-dochelp; +casemail]
>
> Hi Nadezhda,
>
> Thank you for your question. We created SR 113100710843173 to track this
> issue. An engineer from the Protocols will contact you soon.
>
> Bryan
>
> *From:* nivanova.samba@gmail.com [mailto:nivanova.samba@gmail.com]
> *On Behalf Of* Nadezhda Ivanova
> *Sent:* Monday, October 7, 2013 5:55 AM
> *To:* Interoperability Documentation Help
> *Cc:* cifs-protocol@samba.org
> *Subject:* Question about LDAP delete operation on Administrator and
> other built-in accounts
>
> Hi,
>
> At the I/O Lab we asked about the restrictions that apply on performing a
> delete operation on built-in accounts. To explain the correct behavior,
> Edgar kindly supplied the following references:
> "
> 3.1.1.5.5.1.1 Tombstone Requirements
>
> http://msdn.microsoft.com/en-us/library/cc223481.aspx
>
> A protected object may not be deleted and transformed into a tombstone
> (see Protected Objects (section 3.1.1.5.5.3
> <http://msdn.microsoft.com/en-us/library/cc223483.aspx>)).
>
> 3.1.1.5.5.3 Protected Objects
>
> http://msdn.microsoft.com/en-us/library/cc223483.aspx
>
> 3.1.1.6.1.2 Protected Objects
>
> http://msdn.microsoft.com/en-us/library/dd240058.aspx
>
> …
>
>   o well-known security principals:
>     § of class user <http://msdn.microsoft.com/en-us/library/cc221822.aspx>
>       with RID = DOMAIN_USER_RID_ADMIN
> "
>
> However, some testing revealed that the last reference, which we hoped
> would explain why the Administrator should not be deleted, appears not to
> be relevant to the case. A delete operation on any built-in account or
> predefined domain RID returns LDAP error 80, and the group membership does
> not really affect the deletion of users or groups.
>
> So after some digging, I found this:
>
> http://msdn.microsoft.com/en-us/library/cc245803.aspx
>
> Namely: If the RID of U's objectSid attribute value is less than 1000,
> an error MUST be returned.
>
> Could you please confirm that this is indeed the only restriction relevant
> to the case?
>
> Best Regards,
>
> Nadezhda Ivanova
>
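As an added example (not code from this thread, from Samba, or from Microsoft), here is a small Python model of the two rules the thread ties together: the [MS-DRSR] ProcessFsmoRoleRequest step that hands a DC its rIDAllocationPool out of rIDAvailablePool, which per Edgar's note starts at 1000, and the [MS-SAMR] 3.1.5.7 step-5 check that refuses to delete any account whose RID is below 1000. The class and function names, the pool ceiling and the sample SIDs are constructed; the exhaustion test reads the quoted pseudocode's `ridAvailHi := most significant 32 bits of ridAvailLoHi` line as referring to the allocation pool just fetched, which is an assumption about the spec's intent.

```python
"""Constructed model of the RID rules discussed in this thread (added example,
not Samba or Microsoft code). Names, pool ceiling and sample SIDs are invented."""
from dataclasses import dataclass

DOMAIN_USER_RID_ADMIN = 500      # well-known RID of the Administrator account
MIN_DOMAIN_RID = 1000            # first RID SAMR hands out from rIDAvailablePool
WINDOWS_DEFAULT_POOL_SIZE = 500  # "Windows Behavior" in [MS-DRSR] 4.1.10.5.12
POOL_CEILING = 0x3FFFFFFF        # constructed upper bound for rIDAvailablePool


def split_lohi(value64: int):
    """Return (least significant 32 bits, most significant 32 bits) of a 64-bit value."""
    return value64 & 0xFFFFFFFF, (value64 >> 32) & 0xFFFFFFFF


def join_lohi(lo: int, hi: int) -> int:
    """Pack lo/hi halves into one 64-bit value, the way rIDAllocationPool is stored."""
    return ((hi & 0xFFFFFFFF) << 32) | (lo & 0xFFFFFFFF)


@dataclass
class RidMaster:
    """The RID FSMO role owner; holds the domain-wide rIDAvailablePool."""
    rid_available_pool: int = join_lohi(MIN_DOMAIN_RID, POOL_CEILING)


@dataclass
class RidSet:
    """A DC's rIDSet object; rIDAllocationPool is 0 until the first request."""
    rid_allocation_pool: int = 0


def process_fsmo_role_request(master: RidMaster, rid_set: RidSet, li_fsmo_info: int,
                              pool_size: int = WINDOWS_DEFAULT_POOL_SIZE) -> int:
    """Allocation step of ProcessFsmoRoleRequest: hand the DC a fresh pool only
    when its current one is empty or exhausted (ridReqHi >= current pool hi).
    Returns the DC's rIDAllocationPool after the request (msgOut.liFsmoInfo)."""
    rid_alloc_lohi = rid_set.rid_allocation_pool
    _, rid_alloc_hi = split_lohi(rid_alloc_lohi)
    _, rid_req_hi = split_lohi(li_fsmo_info)
    if rid_alloc_lohi == 0 or rid_alloc_hi == 0 or rid_req_hi >= rid_alloc_hi:
        avail_lo, avail_hi = split_lohi(master.rid_available_pool)
        new_alloc_hi = avail_lo + pool_size           # Windows default: ridAvailLo + 500
        if not (avail_lo < new_alloc_hi < avail_hi):  # spec: ridAvailLo < ridAllocHi < ridAvailHi
            raise ValueError("rIDAvailablePool exhausted")
        rid_alloc_lohi = join_lohi(avail_lo, new_alloc_hi)
        master.rid_available_pool = join_lohi(new_alloc_hi + 1, avail_hi)
        rid_set.rid_allocation_pool = rid_alloc_lohi
    return rid_alloc_lohi


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of a textual SID such as S-1-5-21-a-b-c-500."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def samr_delete_allowed(sid: str) -> bool:
    """Step 5 of SamrDeleteUser/Group/Alias ([MS-SAMR] 3.1.5.7): RID < 1000 is an error.
    Because pools are carved from rIDAvailablePool starting at 1000, every RID a DC
    can allocate passes this check and every well-known RID (e.g. 500) fails it."""
    return rid_of(sid) >= MIN_DOMAIN_RID


def demo_allocation():
    """Constructed walk-through: one DC asks a fresh RID master for pools three times.
    Returns the (lo, hi) pool after each request plus the remaining available pool."""
    master, dc = RidMaster(), RidSet()
    first = process_fsmo_role_request(master, dc, li_fsmo_info=0)       # empty -> new pool
    unchanged = process_fsmo_role_request(master, dc, li_fsmo_info=0)   # not exhausted
    second = process_fsmo_role_request(master, dc, li_fsmo_info=first)  # hi reached -> new
    return (split_lohi(first), split_lohi(unchanged), split_lohi(second),
            split_lohi(master.rid_available_pool))


if __name__ == "__main__":
    print(demo_allocation())
    for sid in ("S-1-5-21-1-2-3-500", "S-1-5-32-544", "S-1-5-21-1-2-3-1105"):
        print(sid, "deletable" if samr_delete_allowed(sid) else "rejected (RID < 1000)")
```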
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol