[cifs-protocol] RE: Mapping of MS-LSAD onto LDAP and DRS replications

Andrew Bartlett abartlet at samba.org
Thu Jul 17 22:34:27 GMT 2008

On Thu, 2008-07-17 at 08:20 -0700, Richard Guthrie wrote:
> Andrew,
> I think I have some answers for you but I wanted to clarify the
> question first.  As I understand it, you are looking to get
> information on how objects sync’ed via Directory Replication Services
> (DRS) look to a receiving application, what is their layout, how are
> they exposed to the application that has requested the sync via a
> mechanism like IDL_DRSGetNCChanges in the DRSUAPI interface (MS-DRSR)
> with respect to privilege and access control structures.  For example,
> if one were to replicate permissions or privileges between two domain
> controllers, what would that permissions object look like to the
> receiving domain controller and what would an application like the
> Local Security Authority (LSA) running on a domain controller see, how
> would it access them.   Is this a correct interpretation of what you
> are looking for?

Pretty much.  As I said, the SAMR documentation does a pretty good job
of defining the operation of the server into the attributes it uses,
where the LSA document describes only an abstract store.   

The background is that I need to correct our LSA implementation to use a
compatible storage of privileges (in particular), so that if a privilege
is set on a Microsoft DC, I can read it after replicating it using
DRS to a Samba DC. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.