[cifs-protocol] Object(OR-Name) syntax implementation

Kamen Mazdrashki kamen.mazdrashki at postpath.com
Thu Nov 19 13:59:38 MST 2009


While I was trying to implement "Object(OR-Name)" syntax handling in Samba, I got some unexpected results.
There are several places that describe this syntax:
http://msdn.microsoft.com/en-us/library/cc223181%28PROT.13%29.aspx - from ADTS
http://msdn.microsoft.com/en-us/library/cc228440%28PROT.13%29.aspx - from DRSR

The documentation (ADTS and DRSR) says that values with "Object(OR-Name)" syntax are in 'object_DN' format, which is in "Object(DS-DN)" format.
At first I got the impression that "Object(OR-Name)" and "Object(DS-DN)" are the same.
But then, LDAP queries against AD always return plain-dn DNs, even when the 'extended dn' control is passed.
So I came to the conclusion that 'object_DN' means "DN part from Object(DS-DN) syntax".

After some tests with the DRSUAPI interface, though, it turns out that values with 'OR-Name' syntax are transmitted in
"<GUID=..>;<SID=...>;dn" format, which is the "Object(DS-DN)" format!

At this point, I decided that "Object(OR-Name)" is represented in two ways:
1. plain_dn - when working through LDAP
2. Object(DS-DN) - when transmitted using DRS interface

But then, after a few hours of debugging/testing, I was surprised to find out that through the DRS interface, values with "Object(OR-Name)" syntax are transmitted as "Object(DN-Binary)"!

Here is some test data:
I am playing with the "authOring" attribute (from MS Exchange 2003 provisioning).
Through DRS I am getting a blob with value: 

When I assume this value is in Object(DS-DN) format, it is correctly converted to the following extended-DN:

However, the above-mentioned extended-DN does not exactly match the blob value when it is converted back to a blob using "Object(DS-DN)" syntax handling.

On the other hand, when using the "Object(DN-Binary)" syntax implementation, forward/backward conversions match perfectly. I.e. the above-mentioned blob value should be decoded to the DN-Binary value:

I think there is a bug in the documentation?
Please clarify?

Kamen Mazdrashki
kamen.mazdrashki at postpath.com
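
The round-trip comparison described in the message, as an added example that is not part of the original post or of Samba's code: a blob is decoded under each candidate syntax, re-encoded, and compared byte for byte. The field layout (a 56-byte little-endian DSNAME header, a null-terminated UTF-16 name and, for DN-Binary, a 4-byte-aligned length-prefixed payload), the function names and the sample values are assumptions constructed for illustration.

```python
import struct
import uuid

# Assumed layout: structLen, SidLen, Guid, Sid (fixed 28 bytes), NameLen (UTF-16 units)
HDR = struct.Struct("<II16s28sI")

def encode_dsname(guid, sid, dn):
    name = (dn + "\0").encode("utf-16-le")          # null-terminated UTF-16 name
    return HDR.pack(HDR.size + len(name), len(sid), guid.bytes_le,
                    sid.ljust(28, b"\0"), len(name) // 2 - 1) + name

def decode_dsname(blob):
    if len(blob) < HDR.size:
        raise ValueError("blob shorter than DSNAME header")
    struct_len, sid_len, guid, sid, name_len = HDR.unpack_from(blob)
    if sid_len > 28 or struct_len > len(blob) or HDR.size + 2 * (name_len + 1) > struct_len:
        raise ValueError("inconsistent DSNAME lengths")
    dn = blob[HDR.size:HDR.size + 2 * name_len].decode("utf-16-le")
    return uuid.UUID(bytes_le=guid), sid[:sid_len], dn, struct_len

def encode_dn_binary(guid, sid, dn, data):
    ds = encode_dsname(guid, sid, dn)
    ds += b"\0" * (-len(ds) % 4)                    # pad DSNAME to a 4-byte boundary
    return ds + struct.pack("<I", len(data) + 4) + data   # length counts its own 4 bytes

def decode_dn_binary(blob):
    guid, sid, dn, struct_len = decode_dsname(blob)
    off = struct_len + (-struct_len % 4)
    data_len = int.from_bytes(blob[off:off + 4], "little")  # 0 if nothing follows
    if data_len < 4 or off + data_len != len(blob):
        raise ValueError("binary part missing or length mismatch")
    return guid, sid, dn, blob[off + 4:off + data_len]

def roundtrips_as_ds_dn(blob):
    try:  # decoding stops at structLen, so trailing bytes are lost on re-encode
        return encode_dsname(*decode_dsname(blob)[:3]) == blob
    except ValueError:
        return False

def roundtrips_as_dn_binary(blob):
    try:
        return encode_dn_binary(*decode_dn_binary(blob)) == blob
    except ValueError:
        return False

# Constructed sample values, not taken from the mail
GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
PLAIN = encode_dsname(GUID, b"", "CN=User,DC=example,DC=com")
WITH_BINARY = encode_dn_binary(GUID, b"", "CN=User,DC=example,DC=com", b"\x01\x02\x03")
```

Under these assumptions a DN-Binary blob still decodes to a valid DN when read as a plain DSNAME, and only the byte-for-byte comparison after re-encoding shows that the trailing payload was dropped.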
