List: cifs-protocol
Subject: Re: [cifs-protocol] Extended rights as LDIF, 117112017192160
From: Andrew Bartlett via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date: 2017-12-14 1:53:35
Message-ID: 1513216415.29434.6.camel () samba ! org
On Wed, 2017-12-13 at 22:35 +0000, Edgar Olougouna wrote:
> Andrew,
> Thank you for the feedback. I have passed on your suggestion to the AD product
> group and the concerned people will review it. FYI, I noticed your LDF did not
> include the following. Just passing along. This is not to guarantee or to give any
> hint in one way or another of anything about a review outcome.
>
> dn: CN=DS-Validated-Write-Computer,CN=Extended-Rights,${CONFIGDN}
> changetype: ntdsSchemaAdd
> objectClass: controlAccessRight
> displayName: Validated write to computer attributes.
> rightsGuid: 9b026da6-0d3c-465c-8bee-5199d7165cba
> appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
> ShowInAdvancedViewOnly: TRUE
> validAccesses: 8
Thanks! You are correct, I should have mentioned that we are aligning
with 2012 in that particular LDIF (DS-Validated-Write-Computer is in
the 2016 adprep).
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Schema-Updates.md#sch81ldf
I do notice that the infamous localizationDisplayId is omitted in this
newest right.
Thanks,
Andrew Bartlett
> Thanks,
> Edgar
>
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet@samba.org]
> Sent: Sunday, December 10, 2017 10:14 PM
> To: Garming Sam <garming@catalyst.net.nz>; Edgar Olougouna <edgaro@microsoft.com>
> Cc: cifs-protocol@lists.samba.org; MSSolve Case Email <casemail@corp.microsoft.com>
> Subject: Re: [cifs-protocol] Extended rights as LDIF, 117112017192160
>
> On Fri, 2017-12-08 at 15:10 +1300, Garming Sam wrote:
> > Hi Edgar,
> >
> > I've been looking at the usage of validAccesses a bit further and I
> > found some statements in MS-ADTS which mention its protocol relevance.
> > In particular I notice that there is a statement mentioning what
> > values it must have in the case for control access rights.
> >
> > [MS-ADTS] 5.1.3.2.1 Control Access Rights
> >
> > https://msdn.microsoft.com/en-us/library/cc223512.aspx
> >
> > "validAccesses: The type of access right bits in the ACCESS_MASK field
> > of an ACE with which the control access right can be associated. The
> > only permitted access right for control access rights is
> > RIGHT_DS_CONTROL_ACCESS (CR)."
> >
> > It appears that section 5.1.3 contains some of the information we were
> > seeking in regards to this attribute (and how the set of rights are
> > divided into the different classes). There also appears to be another
> > section on property sets which mentions which are under this category.
> > However the corresponding validAccesses value required for these
> > rights appears to only be mentioned in a non-normative document:
> >
> > https://msdn.microsoft.com/en-us/library/ms675747(v=vs.85).aspx
> >
> > Given the disparate set of information, it would be useful to have
> > validAccesses documented for each extended-right collected with the
> > other attributes given in 6.1.1.2.7 Extended Rights, and the reference
> > in 6.1.1.2.7.1 controlAccessRight objects removed which asserts that
> > the information is implementation specific. While a full set of
> > published ldif would be most helpful, getting the existing information
> > collated would be a definite improvement.
> >
>
> G'Day Edgar,
>
> Given the various bits of info above and in the public
> WindowsServerDocs github repo, we have constructed the attached. It
> isn't perfect, but it shows that this is actually essentially covered in the docs.
>
> You mentioned on our last call that you are happy to take suggestions for improving
> the docs, and this is certainly an area we would like improved. That is, we would
> like to have something like this file provided, just as the Display Specifiers and
> Schema have been provided, as LDIF.
> (As I'm sure you know, for full interoperability our standard is that we need to be
> able to have the full set of matching objects.)
> Otherwise, would it be possible to add a reference, informative or normative, to
> resources like:
> https://technet.microsoft.com/library/dd378876.aspx
> https://technet.microsoft.com/en-us/library/cc730930(v=ws.10).aspx
> https://technet.microsoft.com/en-us/library/dd378828(v=ws.10).aspx
> https://msdn.microsoft.com/en-us/library/ms683985(v=vs.85).aspx
>
> That would allow this existing content to be captured under the license for our
> use, which would be very helpful.
> Thanks!
>
> Andrew Bartlett
>
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
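
Added example (not part of the original message, and not Samba or Microsoft code): a small Python check that reads controlAccessRight entries from LDIF, classifies each by its validAccesses value using the RIGHT_DS_* bits from [MS-ADTS], and notes a missing localizationDisplayId. The first sample entry is the one quoted in the thread; the second entry and the function names are constructed for illustration.

```python
KINDS = {  # validAccesses value -> class of right (RIGHT_DS_* bits, [MS-ADTS])
    0x100: "control-access-right",  # RIGHT_DS_CONTROL_ACCESS
    0x008: "validated-write",       # RIGHT_DS_WRITE_PROPERTY_EXTENDED
    0x030: "property-set",          # RIGHT_DS_READ_PROPERTY | RIGHT_DS_WRITE_PROPERTY
}

# First entry is quoted in the thread; the second is constructed (bad mask).
SAMPLE = """\
dn: CN=DS-Validated-Write-Computer,CN=Extended-Rights,${CONFIGDN}
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Validated write to computer attributes.
rightsGuid: 9b026da6-0d3c-465c-8bee-5199d7165cba
appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
ShowInAdvancedViewOnly: TRUE
validAccesses: 8

dn: CN=Example-Constructed-Right,CN=Extended-Rights,${CONFIGDN}
objectClass: controlAccessRight
localizationDisplayId: 1
validAccesses: 4
"""

def parse_ldif(text):
    """Yield one dict per entry: lowercased attribute name -> list of values."""
    entry, last = {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:          # folded continuation line
            entry[last][-1] += line[1:]
        elif ":" in line and not line.startswith("#"):
            name, _, value = line.partition(":")
            last = name.strip().lower()
            entry.setdefault(last, []).append(value.strip())
        elif not line.strip() and entry:           # blank line ends the entry
            yield entry
            entry, last = {}, None

def audit(text):
    """Return (cn, kind, notes) for every controlAccessRight entry."""
    report = []
    for e in parse_ldif(text):
        if "controlAccessRight" not in e.get("objectclass", []):
            continue
        raw = e.get("validaccesses", [""])[0]
        kind = KINDS.get(int(raw), "unknown") if raw.isdigit() else "unknown"
        notes = [f"unexpected validAccesses {raw!r}"] if kind == "unknown" else []
        if "localizationdisplayid" not in e:
            notes.append("no localizationDisplayId")
        report.append((e["dn"][0].split(",")[0], kind, notes))
    return report
```

Base64-encoded values (`attr:: ...`) are not decoded by this sketch.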