List: cifs-protocol
Subject: Re: [cifs-protocol] [REG:116031413826715] Virtual List View with timestamps (syntax 2.5.5.11).
From: Sreekanth Nadendla <srenaden () microsoft ! com>
Date: 2016-04-04 14:46:01
Message-ID: BY2PR0301MB165679B8D54AD27863EBFF70C59D0 () BY2PR0301MB1656 ! namprd03 ! prod ! outlook ! com
Hello Douglas,

For the moment, instead of setting up a Samba server, we will be collecting an unencrypted network trace and a Time travel trace of the lsass.exe process from the Windows domain controller for investigation. You should have received an e-mail from "CTS automated diagnostics Service" ctsadiag@microsoft.com with the details of the workspace to exchange data/tools with us.

Please download TTT_x86_x64_External.zip from the workspace created for you.

Assuming your Windows 2012+ AD is X64, extract and place the "X64" folder from the zip file somewhere on the C:\ drive to collect an X64 time travel trace. Otherwise you will use the "X86" folder from the zip file.

Basically we will be collecting a network trace to view the over-the-wire LDAP request, and a Time travel trace of the lsass process from the Windows DC to see how the search/sorting actually executed, for investigation.

Since you are familiar with network trace collection, I will just state the basic procedure for collecting the time travel trace.

Open Task Manager on the domain controller, go to the Details tab, find the process lsass.exe and note the PID number, i.e. the process ID.

Launch a command prompt with **admin** privilege and move to the folder where you've placed the TTT tool (i.e. the X64 or X86 folder as appropriate). Execute

TTTracer.exe -dumpFull -attach <pid_number_of_lsass>

Wait for a minute or two until you see a small dialog with a check box "Tracing on" checked, i.e. it shows your lsass.exe process being traced.

Start network trace capture.

Now reproduce your issue.

Stop network trace capture.

Uncheck the "tracing on" check box to stop tracing. It should create two files named lsass01.run and lsass01.out.

Upload the network trace and the time travel trace, i.e. lsass01.run and lsass01.out.

PS: Please keep traffic on your test AD to an absolute minimum, as these traces grow very quickly, and also to avoid noise. Also ensure that the LDAP requests are not encrypted.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Douglas Bagnall [mailto:douglas.bagnall@catalyst.net.nz]
Sent: Thursday, March 31, 2016 6:54 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; cifs-protocol@lists.samba.org
Subject: Re: [REG:116031413826715] [cifs-protocol] Virtual List View with timestamps (syntax 2.5.5.11).

hi Sreekanth,

I am not able to reproduce the problem using LDP because it doesn't give me enough control over the VLV control (or at least, I can't find it and/or don't know the syntax).

I have narrowed down a test case with three users (get-aduser output):

DistinguishedName : CN=vlvtest0,OU=vlv,DC=win2012r2,DC=douglasb,DC=wgtn,DC=cat-it,DC=co,DC=nz
Enabled           : False
GivenName         : a
msTSExpireDate4   : 1/1/1900 2:00:00 PM
Name              : vlvtest0
ObjectClass       : user
ObjectGUID        : 5b0e5905-a28b-4433-97fd-3555bfeaa14e
SamAccountName    : $25H600-98JP8L270V9A
SID               : S-1-5-21-1006928648-2256676121-1790150887-214178
Surname           :
UserPrincipalName :

DistinguishedName : CN=vlvtest1,OU=vlv,DC=win2012r2,DC=douglasb,DC=wgtn,DC=cat-it,DC=co,DC=nz
Enabled           : False
GivenName         : b
msTSExpireDate4   : 1/1/1901 2:00:00 PM
Name              : vlvtest1
ObjectClass       : user
ObjectGUID        : 74f695e9-5351-4837-8015-31c47cddd3cf
SamAccountName    : $35H600-3TA35RNP01BM
SID               : S-1-5-21-1006928648-2256676121-1790150887-214179
Surname           :
UserPrincipalName :

DistinguishedName : CN=vlvtest2,OU=vlv,DC=win2012r2,DC=douglasb,DC=wgtn,DC=cat-it,DC=co,DC=nz
Enabled           : False
GivenName         : c
msTSExpireDate4   : 1/1/1902 2:00:00 PM
Name              : vlvtest2
ObjectClass       : user
ObjectGUID        : c7e6b84f-725e-4a66-b5ec-92a6a31117c6
SamAccountName    : $45H600-A7ARQDME0VCC
SID               : S-1-5-21-1006928648-2256676121-1790150887-214180
Surname           :
UserPrincipalName :

In LDAP, those dates are respectively formatted as "19000101010000.0Z", "19010101010000.0Z", and "19020101010000.0Z".

I search in the base
"OU=vlv,DC=win2012r2,DC=douglasb,DC=wgtn,DC=cat-it,DC=co,DC=nz"
with no filter.

The server_sort control sorts on msTSExpireDate4, not reversed.

The VLV control is set to find items with msTSExpireDate4 >= 20770510223856.0Z, and the before and after counts are set to zero.

Both controls are marked critical.

When the VLV is set to >= 20770510223856.0Z, the first result
(vlvtest0 with msTSExpireDate4 == 19000101010000.0Z) is returned.

When the VLV is set to >= 20770510223855.0Z (one second earlier), no results are returned, as would be expected.

My tests are derived from the Samba test suite. I am happy to share them, but you will need a Samba environment to make them work.

We have checked in Wireshark that the requests and responses are indeed travelling over the wire.

cheers,
Douglas
> Hello Douglas, I've used the following parameters from within the built-in tool LDP (launched by LDP.exe). I could not reproduce the issue.
> Ldap SearchFilter =
> "(&(objectClass=user)(msTSExpireDate2>=19991231211234.0Z))";
>
> attribs Requested = { "cn", "msTSExpireDate4" };
>
> Target value for the VLV search request
> string valueToSearch = "*";
>
> SortKeys used "msTSExpireDate4"
>
> Perhaps you could perform the Virtual List View search with sorting on msTSExpireDate4 the same way via LDP.exe and confirm if the issue reproduces at your end?
> If it does, then maybe you can provide me the output of the following PowerShell query on your test domain controller so that I can create user accounts similarly and set the values for msTSExpireDate4 to reproduce the issue.
> get-aduser -filter * -properties msTSExpireDate4
>
>
> Regards,
> Sreekanth Nadendla
> 30:19:02:01:00:02:01:00:81:11:32:30:37:37:30:35:31:30:32:32:33
> 38:35:36:2e:30:5a
> Microsoft Windows Open Specifications
>
> -----Original Message-----
> From: Sreekanth Nadendla
> Sent: Wednesday, March 30, 2016 10:55 AM
> To: 'Douglas Bagnall'
> Cc: MSSolve Case Email
> Subject: RE: [REG:116031413826715] [cifs-protocol] Virtual List View with timestamps (syntax 2.5.5.11).
>
> Hello Douglas, I have attempted to reproduce the issue but I am having difficulty in getting the same behavior. Initially I thought I would have to have the TS sessions and to avoid the setup, I've used other attributes of same data type but then I've realized that I could just create several users and simply set the values for msTSExpireDate4 for each of those users via user Properties tab in "Active Directory Users and Computers".
>
> If you could send me the following details from your test code, I would have almost identical setup that I can use to reproduce the issue.
> ldapSearchFilter,
> valueToSearch,
> Contents of array of attribute names to be passed to the SearchRequest
> and the attribute passed to the sortRequest
>
> If you run the following powershell command, it will show the
> datetimestamp values for each user that I can use in my test
> get-aduser -filter * -properties msTSExpireDate4
>
> Also I'm just curious how you are testing this at your end. Are you using .Net VlvRequestControl (https://msdn.microsoft.com/en-us/library/bb332056.aspx)?
>
>
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
>
> -----Original Message-----
> From: Sreekanth Nadendla
> Sent: Tuesday, March 15, 2016 10:03 AM
> To: Douglas Bagnall
> Cc: cifs-protocol@lists.samba.org; MSSolve Case Email
> Subject: [REG:116031413826715] [cifs-protocol] Virtual List View with timestamps (syntax 2.5.5.11).
>
> Hello Douglas, I will be assisting you with your question. I am currently researching the problem and will provide you with an update soon. Thank you for your patience.
>
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
>
>
> -----Original Message-----
> From: Douglas Bagnall [mailto:douglas.bagnall@catalyst.net.nz]
> Sent: Monday, March 14, 2016 4:23 PM
> To: Interoperability Documentation Help <dochelp@microsoft.com>
> Cc: cifs-protocol@lists.samba.org
> Subject: Re: [cifs-protocol] Virtual List View with timestamps (syntax 2.5.5.11).
>
> I wrote:
> > hi Dochelp,
> >
> > When I search Windows 2012R2 Active Directory with VLV, I get a
> > strange result with "greater than or equal" queries on attributes
> > with syntax
> > 2.5.5.11 (for example msTSExpireDate4). If the search values is
> > greater than any of the attribute values, AD returns values from the
> > beginning of the sorted list rather than the empty list that it does
> > for other syntaxes.
> >
> > Supposing there are three user objects with msTSExpireDate4 set to
> > '19000101010000.0Z', '19010101010000.0Z', and '19020101010000.0Z'
> > (the years are incrementing).
>
> Sorry, I can't reproduce this with just 3 objects. It occurs with 30 objects, but I was trying to simplify for the sake of communication without actually testing the simplified version.
> Douglas
>
> > A VLV search with the following parameters:
> >
> > attr: msTSExpireDate4
> > before: 0
> > after: 0
> > greater than or equal: 19991231211234.0Z
> >
> > returns ['19000101010000.0Z'] -- that is the first value. A similar
> > search using an attribute with a different syntax will return an empty list.
> >
> > I can't find any reference to this in the documentation, and it seems
> > to differ from the RFCs. Does this behaviour have a purpose?
> >
> > cheers,
> > Douglas
> >
> > _______________________________________________
> > cifs-protocol mailing list
> > cifs-protocol@lists.samba.org
> > https://lists.samba.org/mailman/listinfo/cifs-protocol
> >
>
>
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
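
Added example (not part of any message in this thread, and not Samba or Microsoft code): the VLV request described above, with before and after counts of zero and a greaterThanOrEqual target, BER-encoded and checked against the hex bytes quoted in the thread, plus a small model of the window a client would expect back. The function names are hypothetical, and treating "no match" as a target one past the end of the list is an assumption chosen to match the empty result the thread describes as expected.

```python
# Added example: VLV request control value (greaterThanOrEqual form).
PAGE_HEX = ("30:19:02:01:00:02:01:00:81:11:32:30:37:37:30:35:31:30:32:32:33:"
            "38:35:36:2e:30:5a")  # bytes quoted in the thread

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def vlv_gte_value(before, after, assertion):
    """SEQUENCE { beforeCount, afterCount, greaterThanOrEqual [1] }."""
    body = ber_int(before) + ber_int(after)
    body += tlv(0x81, assertion.encode("ascii"))  # context tag 1, primitive
    return tlv(0x30, body)

def expected_window(sorted_values, before, after, assertion):
    """Entries around the first value >= assertion in a sorted list.

    Assumption: with no match the target is one past the end, so zero
    before/after counts give an empty list. Timestamps in this fixed
    format compare chronologically as plain strings.
    """
    target = next((i for i, v in enumerate(sorted_values) if v >= assertion),
                  len(sorted_values))
    return sorted_values[max(0, target - before):target + after + 1]

# The three test values from the thread, already in sort order.
VALUES = ["19000101010000.0Z", "19010101010000.0Z", "19020101010000.0Z"]

if __name__ == "__main__":
    for target in ("20770510223856.0Z", "20770510223855.0Z"):
        wire = vlv_gte_value(0, 0, target)
        print(target, wire.hex(), expected_window(VALUES, 0, 0, target))
```

The two targets from the thread encode to values that differ in a single byte, and the model returns an empty window for both.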