[cifs-protocol] [REG:117121517332882] [MS-ADTS] dNSHostName's schemaIdGuid used for attributeSecurityGuid or rightsGUID in other attributes

Edgar Olougouna edgaro at microsoft.com
Fri Dec 15 21:07:53 UTC 2017 

Andrew,
I have noticed that the value of dNSHostName’s schemaIdGuid 72e39547-7b18-11d1-adef-00c04fd8d5cd is used as attributeSecurityGuid or rightsGUID in several other attributes, i.e. dNSHostName itself, msDSAdditionalDnsHostName, dNSHostNameAttributes, validatedDNSHostName.

The specs appear to match the source code. I am working to find out whether there is any explanation behind it.

dNSHostName
	schemaIdGuid: 72e39547-7b18-11d1-adef-00c04fd8d5cd
	attributeSecurityGuid: 72e39547-7b18-11d1-adef-00c04fd8d5cd
[DNS-Host-Name]
Common-Name=DNS-Host-Name
Schema-ID-GUID=\x72e395477b1811d1adef00c04fd8d5cd
Attribute-Security-GUID=\x72e395477b1811d1adef00c04fd8d5cd
[ms-DS-Additional-Dns-Host-Name]
Schema-Id-GUID=\x80863791DBE94eb8837E7F0AB55D9AC7
Attribute-Security-GUID=\x72e395477b1811d1adef00c04fd8d5cd
[DNS-Host-Name-Attributes]
rightsGUID=72e39547-7b18-11d1-adef-00c04fd8d5cd
[Validated-DNS-Host-Name]
rightsGUID=72e39547-7b18-11d1-adef-00c04fd8d5cd

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, December 15, 2017 3:05 PM
To: 'Andrew Bartlett' <abartlet at samba.org>; 'cifs-protocol at lists.samba.org' <cifs-protocol at lists.samba.org>
Cc: MSSolve Case Email <casemail at corp.microsoft.com>
Subject: RE: [REG:117121117297259] Missing and duplicate rightGuid values for Extended Rights

Andrew,

I have spent some time investigating this further and have split this in two cases. Please expect another email thread to address the second portion of your request. Please read through for a status update on the first portion.

SR 117121517332882 [MS-ADTS] dNSHostName's schemaIdGuid used for attributeSecurityGuid or rightsGUID in other attributes
Verbatim:
72E39547-7B18-11D1-ADEF-00C04FD8D5CD is documented as a rightsGuid for DNS-Host-Name Attributes and for Validated-DNS-Host-Name.
Can you please shed some light on what is going on here?

I will use the current SR 117121117297259 to focus on [MS-ADTS]: 3.1.1.2.3.3 Missing attributeSecurityGuid values not defined for property sets

My investigation so far showed that the following three values of attributeSecurityGuid are not listed in the table of property sets in [MS-ADTS] 3.1.1.2.3.3 Property Set https://msdn.microsoft.com/en-us/library/cc223204.aspx

I have filed a document bug and will let you as soon as I have an update.

Guid-1:

[MS-ADA1]
domainWidePolicy has:
attributeSecurityGuid: a29b89fd-c7e8-11d0-9bae-00c04fd92ef5
eFSPolicy has:
attributeSecurityGuid: a29b89fd-c7e8-11d0-9bae-00c04fd92ef5
[MS-ADA3]
publicKeyPolicy has:
attributeSecurityGuid: a29b89fd-c7e8-11d0-9bae-00c04fd92ef5

Guid-2:

[MS-ADA1]
domainPolicyReference has
attributeSecurityGuid: a29b89fe-c7e8-11d0-9bae-00c04fd92ef5
[MS-ADA2]
machinePasswordChangeInterval has
attributeSecurityGuid: a29b89fe-c7e8-11d0-9bae-00c04fd92ef5

Guid-3:

[MS-ADA1]
localPolicyReference has
attributeSecurityGuid: a29b8a01-c7e8-11d0-9bae-00c04fd92ef5
[MS-ADA2]
machineWidePolicy has
attributeSecurityGuid: a29b8a01-c7e8-11d0-9bae-00c04fd92ef5
[MS-ADA3]
qualityOfService has
attributeSecurityGuid: a29b8a01-c7e8-11d0-9bae-00c04fd92ef5

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Monday, December 11, 2017 10:01 AM
To: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at corp.microsoft.com>
Subject: RE: [REG:117121117297259] Missing and duplicate rightGuid values for Extended Rights

Hello Andrew,
I will investigate this and follow-up once I have an update.

Thanks,
Edgar

-----Original Message-----
From: Bryan Burgin 
Sent: Sunday, December 10, 2017 9:48 PM
To: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at corp.microsoft.com>
Subject: [REG:117121117297259] Missing and duplicate rightGuid values for Extended Rights

[dochelp to bcc]
[+casemail]

Hi Andrew,

Thank you for your question.  We created SR 117121117297259 to track this issue. An engineer from the protocols team will contact you soon.

Bryan

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Sunday, December 10, 2017 4:09 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: Missing and duplicate rightGuid values for Extended Rights

While working to re-construct the validAccesses value that is not provides in MS-ATDS explicitly, I've been using the references elsewhere in the docs and cross-referencing things.

This has shown up some puzzling things.  I noticed that these GUIDs 

domainWidePolicy has:
attributeSecurityGuid: a29b89fd-c7e8-11d0-9bae-00c04fd92ef5

domainPolicyReference has
attributeSecurityGuid: a29b89fe-c7e8-11d0-9bae-00c04fd92ef5

localPolicyReference has
attributeSecurityGuid: a29b8a01-c7e8-11d0-9bae-00c04fd92ef5

However these are not listed in 3.1.1.2.3.3 Property Set

Also, 72E39547-7B18-11D1-ADEF-00C04FD8D5CD is documented as a rightsGuid for DNS Host Name Attributes and for Validated-DNS-Host- Name.

Can you please shed some light on what is going on here?


Thanks,

Andrew Bartlett


--
Andrew Bartlett
https://na01.safelinks.protection.outlook.com/?url=https:%2F%2Fsamba.org%2F~abartlet%2F&data=04%7C01%7Cdochelp%40windows.microsoft.com%7C7b016232190e47715e5308d5402b6c6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636485477621680836%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=vmSag1YR50ixX5Wspi1tixMKNzYuepYd6vRSc7%2F44o4%3D&reserved=0
Authentication Developer, Samba Team         https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org&data=04%7C01%7Cdochelp%40windows.microsoft.com%7C7b016232190e47715e5308d5402b6c6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636485477621680836%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=ZLQ9k3l8SdO%2Be9EWGa6KVqFKEv2hUdrftS7BZ87VqPc%3D&reserved=0
Samba Development and Support, Catalyst IT   
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatalyst.net.nz%2Fservices%2Fsamba&data=04%7C01%7Cdochelp%40windows.microsoft.com%7C7b016232190e47715e5308d5402b6c6b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636485477621680836%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=8IlllTcWecwvClCKBN1TsX09nU9fwT%2BVOyfBEyfvkww%3D&reserved=0

More information about the cifs-protocol mailing list