
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [EXTERNAL] Re: DirSync ACLs and Deleted Objects - TrackingID#2310230040015878
From:       Obaid Farooqi via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2023-11-09 19:50:47
Message-ID: MN2PR21MB139017F4B6B56FC36A775D0CC6AFA () MN2PR21MB1390 ! namprd21 ! prod ! outlook ! com

Hi Andrew:
Please pardon my error. Please forget everything I said in my previous emails on this subject.

The behavior that you want documented is documented in MS-DRSR section “4.1.10.5.6 FilterAttribute”, as follows:

“
…
If LDAP_DIRSYNC_OBJECT_SECURITY is in dirSyncFlags, and the client does not have access rights to read the object, all the updates are filtered out except updates to the isDeleted and isRecycled attributes. …
”

It is also documented in pseudo code in the same section as follows:
===================
if not filtered then
   /* If LDAP_DIRSYNC_OBJECT_SECURITY in dirSyncFlags, and the client does
      not have access rights to read the object, all the updates are filtered
      out except updates to isDeleted and isRecycled attributes. */

   if LDAP_DIRSYNC_OBJECT_SECURITY in dirSyncFlags and
      (AccessCheckObject(o, RIGHT_DS_LIST_OBJECT) = false or
       AccessCheckObject(o.parent, RIGHT_DS_LIST_CONTENTS) = false) and
      attribute ≠ isDeleted and
      attribute ≠ isRecycled then
     filtered := true
   endif
endif
=====================

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
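
A transcription of that FilterAttribute clause into runnable form, added here as an illustration; it is not code from Microsoft, Samba or anyone in this thread. AccessCheckObject is replaced by a flat table of (DN, right) grants, the DNs and the "hidden" OU are constructed, and the only real value is the objectGUID from the ldbsearch output quoted later in the thread. Only the quoted clause is modelled, so the objectGUID that ldbsearch actually printed is not explained by it; the model shows what the clause alone does to a deleted object under a parent that denies RIGHT_DS_LIST_CONTENTS, and to a live object under such a parent.

```python
from __future__ import annotations

from dataclasses import dataclass

# Names taken from the MS-DRSR pseudocode; the flag is tracked by name, so its
# numeric value is not needed here.
OBJECT_SECURITY = "LDAP_DIRSYNC_OBJECT_SECURITY"
RIGHT_DS_LIST_OBJECT = "RIGHT_DS_LIST_OBJECT"
RIGHT_DS_LIST_CONTENTS = "RIGHT_DS_LIST_CONTENTS"


@dataclass
class DsObject:
    """A directory object: its DN, its parent and its attribute values."""
    dn: str
    parent: DsObject | None
    attributes: dict[str, str]


@dataclass(frozen=True)
class Client:
    """Stand-in for a caller's effective rights: a flat set of (dn, right) grants.
    Anything not listed is denied. This is an assumption replacing the real
    ACL evaluation behind AccessCheckObject."""
    name: str
    grants: frozenset[tuple[str, str]]

    def access_check_object(self, obj: DsObject | None, right: str) -> bool:
        if obj is None:  # assumption: nothing to check above the NC root
            return True
        return (obj.dn, right) in self.grants


def filter_attribute(obj: DsObject, attribute: str,
                     dirsync_flags: frozenset[str], client: Client) -> bool:
    """True when the update to `attribute` on `obj` is filtered out.

    Transcribes only the LDAP_DIRSYNC_OBJECT_SECURITY clause of MS-DRSR
    4.1.10.5.6 FilterAttribute; the checks that precede it in the spec and
    may already have set `filtered` are not modelled."""
    filtered = False
    if not filtered:
        if (OBJECT_SECURITY in dirsync_flags
                and (not client.access_check_object(obj, RIGHT_DS_LIST_OBJECT)
                     or not client.access_check_object(obj.parent, RIGHT_DS_LIST_CONTENTS))
                and attribute != "isDeleted"
                and attribute != "isRecycled"):
            filtered = True
    return filtered


def dirsync_view(obj: DsObject, dirsync_flags: frozenset[str],
                 client: Client) -> dict[str, str]:
    """The attribute updates on `obj` that survive filtering for `client`."""
    return {name: value for name, value in obj.attributes.items()
            if not filter_attribute(obj, name, dirsync_flags, client)}


# Constructed sample tree. DNs are made up; the GUID is the one from the
# ldbsearch output quoted in this thread.
NC_ROOT = DsObject("DC=example,DC=test", None, {"objectClass": "domainDNS"})
DELETED_OBJECTS = DsObject("CN=Deleted Objects,DC=example,DC=test", NC_ROOT,
                           {"objectClass": "container"})
SPY2 = DsObject("OU=spy2,CN=Deleted Objects,DC=example,DC=test", DELETED_OBJECTS, {
    "objectGUID": "0ae90a39-9fbe-4a77-8651-abefa1f1eace",
    "isDeleted": "TRUE",
    "isRecycled": "TRUE",
    "lastKnownParent": "DC=example,DC=test",
})
HIDDEN_OU = DsObject("OU=hidden,DC=example,DC=test", NC_ROOT,
                     {"objectClass": "organizationalUnit"})
LIVE_HIDDEN = DsObject("CN=secret,OU=hidden,DC=example,DC=test", HIDDEN_OU, {
    "objectGUID": "11111111-2222-3333-4444-555555555555",  # constructed
    "sAMAccountName": "secret$",
})

# A low-privilege caller: may list the objects themselves, but neither
# CN=Deleted Objects nor OU=hidden grants RIGHT_DS_LIST_CONTENTS, so both
# parents hide their children.
LOW_PRIV = Client("andrew", frozenset({
    (NC_ROOT.dn, RIGHT_DS_LIST_CONTENTS),
    (SPY2.dn, RIGHT_DS_LIST_OBJECT),
    (LIVE_HIDDEN.dn, RIGHT_DS_LIST_OBJECT),
}))
# An administrator holding every right on every object in the sample.
ADMIN = Client("admin", frozenset(
    (o.dn, r)
    for o in (NC_ROOT, DELETED_OBJECTS, SPY2, HIDDEN_OU, LIVE_HIDDEN)
    for r in (RIGHT_DS_LIST_OBJECT, RIGHT_DS_LIST_CONTENTS)))

if __name__ == "__main__":
    flags = frozenset({OBJECT_SECURITY})
    for label, obj in (("deleted spy2", SPY2), ("live hidden", LIVE_HIDDEN)):
        for client in (LOW_PRIV, ADMIN):
            print(f"{label:12} {client.name:7} -> {dirsync_view(obj, flags, client)}")
    print("flag absent, low-priv ->", dirsync_view(SPY2, frozenset(), LOW_PRIV))
```

Run as written, the low-privilege view of the deleted object keeps only isDeleted and isRecycled, while the live object under a parent that denies RIGHT_DS_LIST_CONTENTS has nothing left to return, which is the difference between the two observations made in this thread. Clearing the flag, or granting the parent right, returns every attribute.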

From: Andrew Bartlett <abartlet@samba.org>
Sent: Wednesday, November 8, 2023 11:31 PM
To: Obaid Farooqi <obaidf@microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportmail@microsoft.com>
Subject: Re: [cifs-protocol] [EXTERNAL] Re: DirSync ACLs and Deleted Objects - TrackingID#2310230040015878

I think so.  So is it:

IF (for each term)

dirSync per-object security mode
parent does not allow visibility (no specific requirement that this be due to CN=Deleted Objects)
object and attributes are otherwise visible
Object is deleted or recycled
Deleted or recycled attribute has changed since last sync

 Thanks,

Andrew Bartlett

On Thu, 2023-11-09 at 05:10 +0000, Obaid Farooqi via cifs-protocol wrote:
Hi Andrew:
Can you please let me know if the information I provided resolves your issue?

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

From: Obaid Farooqi
Sent: Tuesday, October 31, 2023 2:18 PM
To: Andrew Bartlett <abartlet@samba.org>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportmail@microsoft.com>
Subject: RE: [EXTERNAL] Re: DirSync ACLs and Deleted Objects - TrackingID#2310230040015878

Hi Andrew:
Here is the logic for returning deleted and/or recycled state:


  1.  dirSync per-object security mode
  2.  parent does not allow visibility
  3.  Object is deleted or recycled
  4.  Deleted or recycled attribute has changed since last sync

If LDAP_DIRSYNC_OBJECT_SECURITY is specified and all conditions above are true and caller has asked for deleted and/or recycled, just return the state of the object.

The wording in the MS-ADTS for LDAP_DIRSYNC_OBJECT_SECURITY can also be made clearer. I’ll file a TDI to include the above logic as well as clean up the existing wording. But before that, I want to know if the information above resolves your issue?


Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

From: Andrew Bartlett <abartlet@samba.org>
Sent: Sunday, October 29, 2023 1:29 PM
To: Obaid Farooqi <obaidf@microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportmail@microsoft.com>
Subject: [EXTERNAL] Re: DirSync ACLs and Deleted Objects - TrackingID#2310230040015878


Do you mean "whether an object is returned or not"?

Yes.

To expand further: In DirSync as described the behaviour is that a deleted object only returns the GUID and deletion state.

What I mean by a filter attack is that because not all Deleted objects are returned, only those that match the filter, we can work out if the object matched the filter by noting if it was returned (just a GUID and deletion state), or not (no object returned).

What I'm getting at is that it appears that the object ACLs, including list children, ACLs, are applied for other objects - we don't have an information leak for 'live' objects.  But that isn't documented.

And there seems to be some special codepath (required to keep this protocol plausibly working) for Deleted objects, either for all deleted objects or a specific exemption for the CN=Deleted Objects SD.

Thanks so much for your assistance!

Andrew Bartlett

On Fri, 2023-10-27 at 19:29 +0000, Obaid Farooqi wrote:

Hi Andrew:

I'll help you with this issue.

I need a little clarification. I did not understand what you have in the following sentence between dashes:

"They are stripped of most information, but a filter attack (eg search for CN=a*) can be used to discover the values - an object is returned nor not - showing that the objects are readable in that context."


Do you mean "whether an object is returned or not"?


Regards,

Obaid Farooqi

Escalation Engineer | Microsoft


-----Original Message-----
From: Obaid Farooqi
Sent: Monday, October 23, 2023 5:18 PM
To: Andrew Bartlett <abartlet@samba.org>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportmail@microsoft.com>
Subject: DirSync ACLs and Deleted Objects - TrackingID#2310230040015878


Hi Andrew:

Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.


Regards,

Obaid Farooqi

Escalation Engineer | Microsoft


-----Original Message-----
From: Andrew Bartlett <abartlet@samba.org>
Sent: Monday, October 23, 2023 4:15 PM
To: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Interoperability Documentation Help <dochelp@microsoft.com>
Subject: [EXTERNAL] DirSync ACLs and Deleted Objects


Hi Dochelp,


MS-ADTS 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID describes LDAP_DIRSYNC_OBJECT_SECURITY as:

  Windows Server 2003 operating system and later: If
  this flag is present, the client can only view objects and attributes
  that are otherwise accessible to the client. If this flag is not present, the
  server checks if the client has access rights to read the changes in the NC.

  Windows 2000 operating system: Not supported.



However, there is an exception.  Objects that are deleted are returned, despite the ACL on CN=Deleted objects.  They are stripped of most information, but a filter attack (eg search for CN=a*) can be used to discover the values - an object is returned nor not - showing that the objects are readable in that context.


MSRC has just closed my case (82978) as it was determined this issue doesn't cross any MSRC recognized security boundaries.


However, neither is this documented.  There is nothing in the above reference nor in MS-DRSR 5.115.3 ProcessDirSyncSearchRequest that explains how ACLs are applied to DirSync in the normal case, nor the apparent exception for CN=Deleted Objects.


The reason I say 'apparent exception' is that, if the ACL that blocks 'list children' on CN=Deleted Objects were honoured, then:


bin/ldbsearch -H ldap://192.168.122.230 -Uandrew%password ou=spy2\* --controls=dirsync:1:1:0
Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it

# record 1
dn:
objectGUID: 0ae90a39-9fbe-4a77-8651-abefa1f1eace
isDeleted: TRUE
isRecycled: TRUE


Should not be able to return anything, and shouldn't indicate that an object known previously as spy2 existed.


From testing, it appears that only this special DN is excluded - if we have an object that is hidden because the parent denies 'List Children', then these don't show up.  So, if we are going to get our DirSync behaviour more consistent, we would like to be sure of exactly what the rules are here.


Thanks,


Andrew Bartlett


--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions


--

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol




--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions


[Attachment #3 (text/html)]

<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Aptos;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{mso-style-priority:34;
	margin-top:0in;
	margin-right:0in;
	margin-bottom:0in;
	margin-left:.5in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:Consolas;}
span.EmailStyle23
	{mso-style-type:personal-reply;
	font-family:"Aptos",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;
	mso-ligatures:none;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
/* List Definitions */
@list l0
	{mso-list-id:900096052;
	mso-list-template-ids:-581276996;}
@list l0:level1
	{mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level2
	{mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level3
	{mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level4
	{mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level5
	{mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level6
	{mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level7
	{mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level8
	{mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l0:level9
	{mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1
	{mso-list-id:1535919489;
	mso-list-type:hybrid;
	mso-list-template-ids:1008732592 67698703 67698713 67698715 67698703 67698713 \
67698715 67698703 67698713 67698715;} @list l1:level1
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level2
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level3
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l1:level4
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level5
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level6
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l1:level7
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level8
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level9
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
ol
	{margin-bottom:0in;}
ul
	{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Hi \
Andrew:<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Please pardon my \
error. Please forget everything I said in my previous emails on this \
subject<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">The behavior that \
you want documented is documented in MS-DRSR section “4.1.10.5.6 \
FilterAttribute”, as follows:<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">“<o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">…<o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">If \
LDAP_DIRSYNC_OBJECT_SECURITY is in dirSyncFlags, and the client does not have access \
rights to read the object, all the updates are filtered out except updates to the \
isDeleted  and isRecycled attributes.<o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">…<o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">“<o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">It is also \
documented in pseudo code in the same section as follows:<o:p></o:p></span></p> <p \
class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">===================<o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">if not filtered \
then<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp; /* If \
LDAP_DIRSYNC_OBJECT_SECURITY in dirSyncFlags, and the client \
does<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
not have access rights to read the object, all the updates are \
filtered<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
out except updates to isDeleted and isRecycled attributes. */<o:p></o:p></span></p> \
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp; \
<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp;&nbsp;if \
LDAP_DIRSYNC_OBJECT_SECURITY in dirSyncFlags and<o:p></o:p></span></p> <p \
class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
(AccessCheckObject(o, RIGHT_DS_LIST_OBJECT) = false or<o:p></o:p></span></p> <p \
class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
AccessCheckObject(o.parent, RIGHT_DS_LIST_CONTENTS) = false) \
and<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
attribute ≠ isDeleted and<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
attribute ≠ isRecycled then<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp;&nbsp;&nbsp; \
filtered := true<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;&nbsp; \
endif<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">endif<o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">=====================<o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Please let me know \
if this does not answer your question.<o:p></o:p></span></p> <p \
class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <div>
<p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif">Regards,<o:p></o:p></span></p> <p \
class="MsoNormal"><span style="font-family:&quot;Aptos&quot;,sans-serif">Obaid \
Farooqi<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif">Escalation Engineer | \
Microsoft<o:p></o:p></span></p> </div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Andrew Bartlett &lt;abartlet@samba.org&gt; <br>
<b>Sent:</b> Wednesday, November 8, 2023 11:31 PM<br>
<b>To:</b> Obaid Farooqi &lt;obaidf@microsoft.com&gt;<br>
<b>Cc:</b> cifs-protocol mailing list &lt;cifs-protocol@lists.samba.org&gt;; \
Microsoft Support &lt;supportmail@microsoft.com&gt;<br> <b>Subject:</b> Re: \
[cifs-protocol] [EXTERNAL] Re: DirSync ACLs and Deleted Objects - \
TrackingID#2310230040015878<o:p></o:p></p> </div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">I think so. \
&nbsp;So is it:<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">IF (for each \
term)<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">dirSync per-object \
security mode<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">parent does not \
allow visibility (no specific requirement that this be due to CN=Deleted \
Objects)<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><b><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">object and \
attributes are otherwise visible</span></b><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p></o:p></span></p>
 </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Object is deleted \
or recycled<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Deleted or recycled \
attribute has changed since last sync<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">&nbsp;Thanks,<o:p></o:p></span></p>
 </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Andrew \
Bartlett<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 </div>
<div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">On Thu, 2023-11-09 \
at 05:10 +0000, Obaid Farooqi via cifs-protocol wrote:<o:p></o:p></span></p> </div>
<blockquote style="border:none;border-left:solid #729FCF 1.5pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-right:0in"> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Hi \
Andrew:<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Can you please let \
me know if the information I provided resolves your issue?<o:p></o:p></span></p> <p \
class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <div>
<p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif">Regards,<o:p></o:p></span></p> <p \
class="MsoNormal"><span style="font-family:&quot;Aptos&quot;,sans-serif">Obaid \
Farooqi<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif">Escalation Engineer | \
Microsoft<o:p></o:p></span></p> </div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Obaid Farooqi <br>
<b>Sent:</b> Tuesday, October 31, 2023 2:18 PM<br>
<b>To:</b> Andrew Bartlett &lt;<a \
href="mailto:abartlet@samba.org">abartlet@samba.org</a>&gt;<br> <b>Cc:</b> \
cifs-protocol mailing list &lt;<a \
href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>&gt;; \
Microsoft Support &lt;<a \
href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;<br> \
<b>Subject:</b> RE: [EXTERNAL] Re: DirSync ACLs and Deleted Objects - \
TrackingID#2310230040015878<o:p></o:p></p> </div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Hi \
Andrew:<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Here is the logic \
for returning deleted and/or recycled state:<o:p></o:p></span></p> <p \
class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo3"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">dirSyn per-object \
security mode<o:p></o:p></span></li><li class="MsoListParagraph" \
style="margin-left:0in;mso-list:l1 level1 lfo3"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">parent does not \
allow visibility<o:p></o:p></span></li><li class="MsoListParagraph" \
style="margin-left:0in;mso-list:l1 level1 lfo3"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Object is deleted \
or recycled<o:p></o:p></span></li><li class="MsoListParagraph" \
style="margin-left:0in;mso-list:l1 level1 lfo3"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">Deleted or recycled \
attribute has changed since last sync<o:p></o:p></span></li></ol> <p \
class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">If \
LDAP_DIRSYNC_OBJECT_SECURITY is specified and all conditions above are true and \
caller has asked for deleted and/or recycled, just return the state of the \
object.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif">The wording in the \
MS-ADTS for LDAP_DIRSYNC_OBJECT_SECURITY can also be made clearer. I’ll file a \
TDI to include above logic as well as clean up the existing wording. But before  \
that, I want to know if the information above resolves your \
issue?<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <div>
<p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif">Regards,<o:p></o:p></span></p> <p \
class="MsoNormal"><span style="font-family:&quot;Aptos&quot;,sans-serif">Obaid \
Farooqi<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif">Escalation Engineer | \
Microsoft<o:p></o:p></span></p> </div>
<p class="MsoNormal"><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p>
 <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Andrew Bartlett &lt;<a \
href="mailto:abartlet@samba.org">abartlet@samba.org</a>&gt; <br>
<b>Sent:</b> Sunday, October 29, 2023 1:29 PM<br>
<b>To:</b> Obaid Farooqi &lt;<a \
href="mailto:obaidf@microsoft.com">obaidf@microsoft.com</a>&gt;<br> <b>Cc:</b> \
cifs-protocol mailing list &lt;<a \
href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>&gt;; \
Microsoft Support &lt;<a \
href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;<br> \
<b>Subject:</b> [EXTERNAL] Re: DirSync ACLs and Deleted Objects - \
TrackingID#2310230040015878<o:p></o:p></p> </div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<blockquote style="border:none;border-left:solid #729FCF 1.5pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-right:0in"> <pre>Do you mean &quot;whether an object \
is returned or not&quot;?<o:p></o:p></pre> </blockquote>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">Yes.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">To expand further: In DirSync as described the behaviour is that \
a deleted object only returns the GUID and deletion state.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">What I mean by a filter attack is that because not all Deleted \
objects are returned, only those that match the filter, we can work out if the object \
matched the filter by noting if it was returned (just a GUID and deletion state), or \
not  (no object returned).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">What I'm getting at is that it appears that the object ACLs, \
including list children, ACLs, are applied for other objects - we don't have an \
information leak for 'live' objects. &nbsp;But that isn't documented.<o:p></o:p></p> \
</div> <div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">And there seems to be some special codepath (required to keep \
this protocol plausibly working) for Deleted objects, either for all deleted objects \
or a specific exemption for the CN=Deleted Objects SD. &nbsp;<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks so much for your assistance!<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">Andrew Bartlett<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">On Fri, 2023-10-27 at 19:29 +0000, Obaid Farooqi \
wrote:<o:p></o:p></p> </div>
<blockquote style="border:none;border-left:solid #729FCF 1.5pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<pre>Hi Andrew:</pre>
<pre>I'll help you with this issue.</pre>
<pre>I need a little clarification. I did not understand what you have in the following sentence between dashes:</pre>
<pre>&quot;They are stripped of most information, but a filter attack (eg search for CN=a*) can be used to discover the values - an object is returned nor not - showing that the objects are readable in that context.&quot;</pre>
<pre>Do you mean &quot;whether an object is returned or not&quot;?</pre>
<pre>Regards,</pre>
<pre>Obaid Farooqi</pre>
<pre>Escalation Engineer | Microsoft</pre>
<pre>-----Original Message-----</pre>
<pre>From: Obaid Farooqi</pre>
<pre>Sent: Monday, October 23, 2023 5:18 PM</pre>
<pre>To: Andrew Bartlett &lt;<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>&gt;</pre>
<pre>Cc: cifs-protocol mailing list &lt;<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>&gt;; Microsoft Support &lt;<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;</pre>
<pre>Subject: DirSync ACLs and Deleted Objects - TrackingID#2310230040015878</pre>
<pre>Hi Andrew:</pre>
<pre>Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.</pre>
<pre>Regards,</pre>
<pre>Obaid Farooqi</pre>
<pre>Escalation Engineer | Microsoft</pre>
<pre>-----Original Message-----</pre>
<pre>From: Andrew Bartlett &lt;<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>&gt;</pre>
<pre>Sent: Monday, October 23, 2023 4:15 PM</pre>
<pre>To: cifs-protocol mailing list &lt;<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>&gt;; Interoperability Documentation Help &lt;<a href="mailto:dochelp@microsoft.com">dochelp@microsoft.com</a>&gt;</pre>
<pre>Subject: [EXTERNAL] DirSync ACLs and Deleted Objects</pre>
<pre>Hi Dochelp,</pre>
<pre>MS-ADTS 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID describes LDAP_DIRSYNC_OBJECT_SECURITY as:</pre>
<pre>Windows Server 2003 operating system and later: If
  this flag is present, the client can only view objects and attributes
  that are otherwise accessible to the client. If this flag is not present, the
  server checks if the client has access rights to read the changes in the NC.

  Windows 2000 operating system: Not supported.</pre>
<pre>However, there is an exception.  Objects that are deleted are returned, despite the ACL on CN=Deleted objects.  They are stripped of most information, but a filter attack (eg search for CN=a*) can be used to discover the values - an object is returned nor not - showing that the objects are readable in that context.</pre>
<pre>MSRC has just closed my case (82978) as it was determined this issue doesn't cross any MSRC recognized security boundaries.</pre>
<pre>However, neither is this documented.  There is nothing in the above reference nor in MS-DRSR 5.115.3 ProcessDirSyncSearchRequest that explains how ACLs are applied to DirSync in the normal case, nor the apparent exception for CN=Deleted Objects.</pre>
<pre>The reason I say 'apparent exception' is that, if the ACL that blocks 'list children' on CN=Deleted Objects were honoured, then:</pre>
<pre>bin/ldbsearch -H ldap://192.168.122.230 -Uandrew%password ou=spy2\*
--
controls=dirsync:1:1:0
Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it

# record 1
dn:
objectGUID: 0ae90a39-9fbe-4a77-8651-abefa1f1eace
isDeleted: TRUE
isRecycled: TRUE</pre>
<pre>Should not be able to return anything, and shouldn't indicate that an object known previously as spy2 existed.</pre>
<pre>From testing, it appears that only this special DN is excluded - if we have an object that is hidden because the parent denies 'List Children', then these don't show up.  So, if we are going to get our DirSync behaviour more consistent, we would like to be sure of exactly what the rules are here.</pre>
<pre>Thanks,</pre>
<pre>Andrew Bartlett</pre>
<pre>--</pre>
<pre>Andrew Bartlett (he/him)       <a href="https://samba.org/~abartlet/">https://samba.org/~abartlet/</a></pre>
<pre>Samba Team Member (since 2001) <a href="https://samba.org/">https://samba.org/</a></pre>
<pre>Samba Team Lead                <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></pre>
<pre>Catalyst.Net Ltd</pre>
<pre>Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company</pre>
<pre>Samba Development and Support: <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></pre>
<pre>Catalyst IT - Expert Open Source Solutions</pre>
 </blockquote>
<div>
<pre>-- </pre>
<div>
<p class="MsoNormal">Andrew Bartlett (he/him)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://samba.org/~abartlet/">https://samba.org/~abartlet/</a></p>
</div>
<div>
<p class="MsoNormal">Samba Team Member (since 2001) <a href="https://samba.org/">https://samba.org</a></p>
</div>
<div>
<p class="MsoNormal">Samba Team Lead&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></p>
</div>
<div>
<p class="MsoNormal">Catalyst.Net Ltd</p>
</div>
<div>
<p class="MsoNormal">Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company</p>
</div>
<div>
<p class="MsoNormal">Samba Development and Support: <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></p>
</div>
<div>
<p class="MsoNormal">Catalyst IT - Expert Open Source Solutions</p>
</div>
</div>
<pre>_______________________________________________</pre>
<pre>cifs-protocol mailing list</pre>
<pre><a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a></pre>
<pre><a href="https://lists.samba.org/mailman/listinfo/cifs-protocol">https://lists.samba.org/mailman/listinfo/cifs-protocol</a></pre>
</blockquote>
<div>
<pre>-- </pre>
<div>
<p class="MsoNormal">Andrew Bartlett (he/him)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://samba.org/~abartlet/">https://samba.org/~abartlet/</a></p>
</div>
<div>
<p class="MsoNormal">Samba Team Member (since 2001) <a href="https://samba.org/">https://samba.org</a></p>
</div>
<div>
<p class="MsoNormal">Samba Team Lead&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></p>
</div>
<div>
<p class="MsoNormal">Catalyst.Net Ltd</p>
</div>
<div>
<p class="MsoNormal">Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company</p>
</div>
<div>
<p class="MsoNormal">Samba Development and Support: <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></p>
</div>
<div>
<p class="MsoNormal">Catalyst IT - Expert Open Source Solutions</p>
</div>
</div>
</div>
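The behaviour Andrew describes in the quoted report (a deleted object under CN=Deleted Objects still comes back as a GUID plus isDeleted/isRecycled, while a live object whose parent denies List Children is not returned at all) modelled as a small Python filter, so an implementer can see which attribute updates survive and why the live object disappears. This is an added example, not code from the thread, from Samba or from the Microsoft specifications; the access check it applies (List Object on the object and List Children on its parent) and the isDeleted/isRecycled carve-out are assumptions of the model, and the directory fragment and GUID strings are constructed.

```python
"""Model of DirSync result filtering under LDAP_DIRSYNC_OBJECT_SECURITY.
Added example, not code from this thread, Samba or Microsoft. It reproduces the
behaviour Andrew reports: a live object the caller may not list is absent from
the response, while a deleted object under CN=Deleted Objects comes back as a
stub with only objectGUID, isDeleted and isRecycled. The visibility rule (List
Object on the object, List Children on its parent) and the isDeleted/isRecycled
carve-out are this model's assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001  # flag bit, MS-ADTS 3.1.1.3.4.1.3
RIGHT_DS_LIST_CONTENTS = "List Children"   # checked on the parent
RIGHT_DS_LIST_OBJECT = "List Object"       # checked on the object itself
SURVIVES_FILTERING = frozenset({"isDeleted", "isRecycled"})  # assumed carve-out


@dataclass
class DsObject:
    dn: str
    object_guid: str           # constructed identifiers, not real GUIDs
    attrs: dict
    parent: Optional["DsObject"] = None
    granted: frozenset = field(default_factory=frozenset)  # caller's rights here


def client_can_list(obj: DsObject) -> bool:
    """Stand-in for the per-object access check (constructed ACL model)."""
    return (RIGHT_DS_LIST_OBJECT in obj.granted
            and obj.parent is not None
            and RIGHT_DS_LIST_CONTENTS in obj.parent.granted)


def dirsync_entry(obj: DsObject, dirsync_flags: int) -> Optional[dict]:
    """The entry the client receives for `obj`, or None if it is omitted.

    Without the flag the model assumes the NC-wide 'read changes' check has
    passed, so every update is returned. With it, a non-listable object keeps
    only the carve-out attributes; with none left it drops out entirely.
    """
    full = {"dn": obj.dn, "objectGUID": obj.object_guid, **obj.attrs}
    if not dirsync_flags & LDAP_DIRSYNC_OBJECT_SECURITY or client_can_list(obj):
        return full
    kept = {k: v for k, v in obj.attrs.items() if k in SURVIVES_FILTERING}
    if not kept:
        return None
    return {"dn": "", "objectGUID": obj.object_guid, **kept}  # DN withheld


def build_sample_tree() -> dict:
    """Constructed fragment: the caller holds no rights on CN=Deleted Objects."""
    base = DsObject("DC=example,DC=test", "guid-base", {},
                    granted=frozenset({RIGHT_DS_LIST_CONTENTS, RIGHT_DS_LIST_OBJECT}))
    deleted_cn = DsObject("CN=Deleted Objects,DC=example,DC=test", "guid-del", {}, base)
    hidden_ou = DsObject("OU=hidden,DC=example,DC=test", "guid-hidden", {}, base)
    return {
        "spy2": DsObject("OU=spy2\\0ADEL:guid-spy2,CN=Deleted Objects,DC=example,DC=test",
                         "guid-spy2", {"ou": "spy2", "isDeleted": "TRUE", "isRecycled": "TRUE"},
                         deleted_cn),
        "live_hidden": DsObject("OU=spy3,OU=hidden,DC=example,DC=test", "guid-spy3",
                                {"ou": "spy3"}, hidden_ou, frozenset({RIGHT_DS_LIST_OBJECT})),
        "visible": DsObject("OU=staff,DC=example,DC=test", "guid-staff",
                            {"ou": "staff"}, base, frozenset({RIGHT_DS_LIST_OBJECT})),
    }
```

Running `dirsync_entry` over `build_sample_tree()` with the flag set yields the same shape as the ldbsearch output above for the deleted OU (empty dn, GUID, isDeleted, isRecycled) and nothing for the hidden live OU.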
</body>
</html>


