[cifs-protocol] 601115 - RE: LSA trusted domains enumeration (for n=0)

Richard Guthrie rguthrie at microsoft.com
Wed Aug 6 19:35:45 GMT 2008


Andrew,

Thank you for pointing out this discrepancy in the documentation.  We have updated the MS-LSAD documentation for both LsarEnumerateTrustedDomains and LsarEnumerateTrustedDomainsEx.  This change will be released in a future version of the WSPP documentation set.  The respective updates are as follows:

-- Section 3.1.4.7.7 (LsarEnumerateTrustedDomainsEx (Opnum 50)), the message processing paragraph for EnumerationContext.

EnumerationContext: This is a special value that encodes a location at which to begin the enumeration. The server MUST always return all trusted domain objects in the same order. It is valid for the server to return an incomplete set of trusted domain objects in its policy database when this method is invoked. If the server decides not to return an entire set of trusted domain objects known to it when this method is invoked, it MUST set the EnumerationContext value to a value that it will later use to resume enumeration and return the status code STATUS_MORE_ENTRIES. If the enumeration is finished or there are no entries to be returned, the server MUST return the status code STATUS_NO_MORE_ENTRIES and set EnumerationContext to a value that indicates that the enumeration has been finished.


-- Section 3.1.4.7.8 (LsarEnumerateTrustedDomains (Opnum 13)), the message processing paragraph for EnumerationContext.

EnumerationContext: This is a value that allows the server to resume enumeration where it was last left off. The server MUST always return all trusted domain objects in the same order. The server is allowed to return an incomplete set of accounts in its policy database when this method is invoked. If the server does not return an entire set of accounts known to it when this method is invoked, it MUST set the EnumerationContext value to a value that would allow it to resume enumeration correctly when this method is called again, and return the status code STATUS_MORE_ENTRIES. If the enumeration is finished or there are no entries to be returned, the server MUST return the status code STATUS_NO_MORE_ENTRIES and set EnumerationContext to a number such that enumeration would not continue if the method was called again with that value of EnumerationContext. If the EnumerationContext supplied by the caller is such that enumeration cannot continue, the server MUST return STATUS_NO_MORE_ENTRIES.

Please let us know if there are any further questions.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted


-----Original Message-----
From: Richard Guthrie
Sent: Tuesday, July 22, 2008 8:34 AM
To: Andrew Bartlett
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: LSA trusted domains enumeration (for n=0)

Andrew,

I will be assisting you with your issue regarding section 3.1.4.7.8.  I wanted to clarify what you sent in your link, to ensure I am reading your question correctly.  It looks like you removed functionality that sets the return value to NT_STATUS_OK (I assume this maps to the enum value 0x00000000 STATUS_SUCCESS) because the correct response is to return 0x8000001A STATUS_NO_MORE_ENTRIES which it looks like you do down in line 1148.  I ask just to make sure as I need to get more familiar with your version control software and how to read the change logs.  Just for my own education if I click the link "source/rpc_server/lsa/dcesrv_lsa.c" on the page you sent, that would take me to the latest source, correct?

If this is correct, then to re-state your question, you are looking for the processing section in MS-LSAD 3.1.4.7.7 (this applies to LsarEnumerateTrustedDomainsEx also) and 3.1.4.7.8 to be updated to include the case where "the number of trusted domains equals 0".  You are looking for the documentation to show that STATUS_NO_MORE_ENTRIES is the correct return status in this case, is that correct?

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Sunday, July 20, 2008 9:10 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: LSA trusted domains enumeration (for n=0)

(resending with the correct title)

I'm looking for correction assistance in the form of improved documentation.

MS-LSAD 3.1.4.7.8 shows how to implement an enumeration call.  It does not, however, make it clear which error/success message to include in the reply, for the '0 trusted domains' case.

See http://git.samba.org/?p=samba.git;a=commitdiff;h=40a55b34c2ce75267cf004dc4cfb8153c061e66b;hp=55bde3c9daeafdac04574365c23d181345639f34

I hope this can be clarified in the docs.

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
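
Added example, not part of the original messages and not Samba or Microsoft code: a small C model of the EnumerationContext handling quoted above for sections 3.1.4.7.7 and 3.1.4.7.8, including the n=0 case, with a client loop that resumes only on STATUS_MORE_ENTRIES. The function names, the CTX_FINISHED marker and the STATUS_SUCCESS return on the call that delivers the last entries are assumptions of this model.

```c
#include <stdint.h>

/* 0x8000001A and 0x00000000 are quoted in the thread; 0x00000105 is the
 * standard NTSTATUS value of STATUS_MORE_ENTRIES. */
#define STATUS_SUCCESS          0x00000000u
#define STATUS_MORE_ENTRIES     0x00000105u
#define STATUS_NO_MORE_ENTRIES  0x8000001Au
#define CTX_FINISHED            0xFFFFFFFFu  /* assumed "finished" marker */

/* Hypothetical server model: hands out up to `max` of `total` trusted
 * domains, always in the same order, starting at index *ctx. */
static uint32_t enum_trusted_domains(uint32_t total, uint32_t max,
                                     uint32_t *ctx, uint32_t *returned)
{
    *returned = 0;
    if (*ctx >= total) {      /* n=0, or a context that cannot continue */
        *ctx = CTX_FINISHED;
        return STATUS_NO_MORE_ENTRIES;
    }
    uint32_t left = total - *ctx;
    *returned = left < max ? left : max;
    *ctx += *returned;
    if (*returned < left)
        return STATUS_MORE_ENTRIES;   /* caller must resume from *ctx */
    /* Assumption of this model: the call that delivers the last entries
     * reports success; the next call gets STATUS_NO_MORE_ENTRIES. */
    return STATUS_SUCCESS;
}

/* Client loop: continue only on STATUS_MORE_ENTRIES, and stop if the
 * context did not advance, so a misbehaving server cannot spin us. */
static uint32_t enumerate_all(uint32_t total, uint32_t max, uint32_t *last)
{
    uint32_t ctx = 0, got = 0, n = 0;
    for (;;) {
        uint32_t prev = ctx;
        *last = enum_trusted_domains(total, max, &ctx, &n);
        got += n;
        if (*last != STATUS_MORE_ENTRIES || ctx <= prev)
            break;
    }
    return got;   /* number of entries collected across all calls */
}

int main(void)
{
    uint32_t last;   /* n=0 case from the thread */
    return (enumerate_all(0, 10, &last) == 0 && last == STATUS_NO_MORE_ENTRIES) ? 0 : 1;
}
```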


