[cifs-protocol] [REG:118111319335501] Linked attributes in AD claims objects sent as plain DNs

Edgar Olougouna edgaro at microsoft.com
Wed Nov 21 07:08:03 UTC 2018 

This is generic and not specific to a partition. pObjects is for updates to object name/attributes. There should be a one-to-one correspondence between remote attributes and meta data for those attributes. rgValues is for value changes. If the meta data shows a value change then that value should in the rgValues list. The sender can’t just send one or the other, it depends on what modification was made to the directory.

Here are some relevant references.
MS-DRSR
4.1.10.6.1	ProcessGetNCChangesReply
	/* Process object updates. */
	replEntinfList := msgReplyNative.pObjects^
	. . .
	  if continueProcessing and (ulResult = 0) then
	    if (not ObjExists(replEntinfList.Entinf.pName^)) then
	      ulResult := AddObject(
	                    replEntinfList, 
	                    sourcePrefixTable,
	                    attributesAndStamps)
	    else
	      ulResult := UpdateObject(
	                    replEntinfList, 
	                    sourcePrefixTable,
	                    attributesAndStamps)
	. . .
	/* Process link value updates. */
	linkValueCount := 0
	while (ulResult = 0) and (linkValueCount < msgReplyNative.cNumValues)
	  ulResult := ProcessLinkValue(
	                msgReplyNative.rgValues[linkValueCount],

4.1.10.6.10	UpdateObject
AttributeStampCompare()

4.1.10.6.14	ProcessLinkValue
LinkValueStampCompare()

5.53	ENTINF
5.162	REPLENTINFLIST
5.167	REPLVALINF_V1

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna <edgaro at microsoft.com> 
Sent: Monday, November 12, 2018 10:34 PM
To: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Cc: MSSolve Case Email <casemail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [REG:118111319335501] Linked attributes in AD claims objects sent as plain DNs

[case number in subject, cc casemail, bcc dochelp] Hello Aaron and Garming, Thank you for this question. We have created the protocol support case number 118111319335501 for this inquiry. One of our engineers will investigate and follow-up soon.

Regards,
Edgar

-----Original Message-----
From: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Sent: Monday, November 12, 2018 9:28 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: Linked attributes in AD claims objects sent as plain DNs

Hi,

In Windows 2012R2 active directory, objects related to claims in the configuration partition such as:

CN=Global Resource Property List,CN=Resource Property Lists,CN=Claims Configuration,CN=Services,CN=Configuration,DC=X

When sent over DRS replication, attributes such as "msDS-MembersOfResourcePropertyList" which are defined as linked attributes in the schema (linkID non-zero), should be returned in the "rgValues" field in the DRS_MSG_GETCHGREPLY_V6 defined in MS-DRSR:4.1.10.2.12, but are instead returned as normal object attributes in field "pObjects".

Samba relies on receiving linked attributes in the specified format, and our code's assumptions are broken by current Windows behaviour. We want to know:

1. Are these objects a special case during provision of a domain controller? Do further modifications change the format Windows returns, and are these changes persistent?

2. Are these objects a special case generally, throughout Active Directory functionality, and therefore need special handling?

3. If these require special handling, is the required behaviour documented somewhere? The behaviour has some similarity to Windows 2000-level linked attributes, but these objects were introduced in
2012R2 specifically.

Thanks,

Aaron H and Garming S

More information about the cifs-protocol mailing list