[cifs-protocol] RE: New case: SRX080910600015: [MS-ADA3]: 2.44 Elaborate on objectSid definition

Bill Wesse billwe at microsoft.com
Wed Sep 24 15:46:51 GMT 2008


Good morning Andrew.

Per your inquiry concerning elaboration on the objectSid definition, I am sending you a copy of an update to the documentation as shown below (the second paragraph is new content).

Please let me know if this answers your question satisfactorily; if so, I will consider your question resolved. Thanks for helping us improve our documentation.

==============================================================================
[MS-ADA3]: Active Directory Schema Attributes N-Z
2.44 Attribute objectSid

This attribute specifies a binary value that specifies the security identifier
(SID) of the user. The SID is a unique value used to identify the user as a
security principal. For more information on the SID data type, refer to
[MS-DTYP] section 2.4.2. SID usage is also discussed in [MS-ADTS], in
particular in section 3.1.1.1.3.

Because this is an attribute of String(SID) syntax, an application writing to
this attribute via the LDAP protocol can specify a value for this attribute as
a valid SDDL SID string, as specified in [MS-ADTS] section 3.1.1.3.1.2.5.
The directory service will convert that value to its binary value equivalent.

   cn: Object-Sid
   ldapDisplayName: objectSid
   attributeId: 1.2.840.113556.1.4.146
   attributeSyntax: 2.5.5.17
   omSyntax: 4
   isSingleValued: TRUE
   schemaIdGuid: bf9679e8-0de6-11d0-a285-00aa003049e2
   systemOnly: TRUE
   searchFlags: fPRESERVEONDELETE | fATTINDEX
   rangeLower: 0
   rangeUpper: 28
   attributeSecurityGuid: 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
   mapiID: 32807
   isMemberOfPartialAttributeSet: TRUE
   systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
   schemaFlagsEx: FLAG_ATTR_IS_CRITICAL

Version-Specific Behavior: Implemented on Windows 2000 Server, Windows Server
2003, Windows Server 2003 R2, and Windows Server 2008.

In Windows 2000 Server, the following attributes are defined differently:

   systemOnly: FALSE

The schemaFlagsEx attribute was added to this attribute definition in Windows
Server 2008.
==============================================================================

Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, September 10, 2008 8:30 AM
To: Bill Wesse
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: New case: SRX080910600015: [MS-ADA3]: 2.44 Elaborate on objectSid definition

On Wed, 2008-09-10 at 03:34 -0700, Bill Wesse wrote:
> Good morning Andrew. I have created the new case as noted in the
> Subject line. I expect you will be happy to know that we are
> initiating a strong recommendation that the objectSid definition in
> [MS-ADA3] be modified as shown below. Thank you for your persistence
> on this topic.

No worries.

> I will keep you advised of progress!
>
>
> Change:
>
> 2.44 Attribute objectSid
> This attribute specifies a binary value that specifies the security
> identifier (SID) of the user. The SID is a unique value used to
> identify the user as a security principal. For more information on the
> SID data type, refer to [MS-DTYP] section 2.4.2. SID usage is also
> discussed in [MS-ADTS], in particular in section 3.1.1.1.3.
>
> To:
>
> 2.44 Attribute objectSid
> This attribute specifies a variable-length byte array value that
> specifies the security identifier (SID) of the user. For more
> information on the SID data type, refer to [MS-DTYP] section 2.4.2. It
> also may be represented as a UTF-8 string that is a valid SDDL SID
> string beginning with "S-" (see [MS-DTYP] sections 2.4.2 and 2.5.1,
> and [MS-ADTS] 3.1.1.3.1.2.5). The SID is a unique value used to
> identify the user as a security principal. SID usage is also discussed
> in [MS-ADTS], in particular in section 3.1.1.1.3.

That looks good. Let me know how you go - I had understood from the call that we were at a stalemate, so I'm particularly glad to see this (potentially) moving forward.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
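Added example, not code from this thread or from Samba or Microsoft: the conversion the documentation update describes, an SDDL SID string accepted on an LDAP write turned into the binary SID the directory stores, plus the inverse for reading it back. It assumes the SID layout of [MS-DTYP] 2.4.2 (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, 32-bit little-endian sub-authorities) and uses the schema entry's rangeUpper of 28 bytes as the length limit a writer should enforce before sending the value.

```python
"""Convert an SDDL SID string ("S-1-5-21-...") to the binary SID layout
from [MS-DTYP] 2.4.2 and back, with the length check implied by the
objectSid schema entry above (rangeUpper: 28)."""
import struct

SID_REVISION = 1
# rangeUpper from the objectSid schema entry: 8 header bytes plus up to
# five 4-byte sub-authorities (e.g. S-1-5-21-<d1>-<d2>-<d3>-<rid>).
OBJECTSID_RANGE_UPPER = 28


def sddl_to_sid(sddl, max_len=OBJECTSID_RANGE_UPPER):
    """Parse an SDDL SID string into the binary SID structure.

    Layout: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then each
    SubAuthority as a 32-bit little-endian integer.
    """
    parts = sddl.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("SDDL SID string must begin with 'S-'")
    if int(parts[1]) != SID_REVISION:
        raise ValueError("unsupported SID revision: %s" % parts[1])
    # Authority is decimal, or 0x-prefixed hex when it does not fit in 32 bits.
    authority = int(parts[2], 0)
    if not 0 <= authority < 1 << 48:
        raise ValueError("IdentifierAuthority must fit in 6 bytes")
    sub_auths = [int(p, 10) for p in parts[3:]]
    if any(not 0 <= s < 1 << 32 for s in sub_auths):
        raise ValueError("each SubAuthority must fit in 32 bits")
    blob = (struct.pack("<BB", SID_REVISION, len(sub_auths))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_auths))
    if len(blob) > max_len:
        raise ValueError("%d-byte SID exceeds rangeUpper %d" % (len(blob), max_len))
    return blob


def sid_to_sddl(blob):
    """Render a binary SID as its SDDL string form."""
    if len(blob) < 8 or (len(blob) - 8) % 4:
        raise ValueError("truncated SID")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if revision != SID_REVISION or len(blob) != 8 + 4 * count:
        raise ValueError("SubAuthorityCount does not match length")
    authority = int.from_bytes(blob[2:8], "big")
    auth_text = "0x%X" % authority if authority >= 1 << 32 else str(authority)
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "-".join(["S", str(revision), auth_text] + [str(s) for s in subs])
```

A user SID of the form S-1-5-21-<three domain sub-authorities>-<RID> is exactly 28 bytes, which is why the schema's rangeUpper is 28; a string with a sixth sub-authority is rejected before it reaches the directory.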

