[cifs-protocol] Need some help with LDAP_SERVER_SD_FLAGS_OID control (SRX091119600169)

Nadezhda Ivanova nadezhda.ivanova at postpath.com
Thu Nov 19 14:30:22 MST 2009


Hi Bill,
It's definitely not just used for searches. Some management tools such as Active Directory Users and Computers send this control along with a modify request - we have a bug about this in bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=6401
I have proven with tests that in modify requests the control is taken into account, and only the specified parts of the descriptor are modified. I have already implemented it for the modify request. However, I cannot implement it for the add request until I know if there is actually anything to be done for add, and if there is, how it should work. My tests have shown no effect for add requests, but since it is mentioned in the MS-ADTS, I thought maybe I am missing something. So, this only blocks my progress if there is something to be done for the add request, otherwise, it does not. It is not very urgent, though, it can wait a bit if you have other priorities.

Regards,
Nadya
----- Original Message -----
> From: Bill Wesse <billwe at microsoft.com>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: cifs-protocol at samba.org <cifs-protocol at samba.org>
> Sent: Thursday, November 19, 2009 10:23:06 PM GMT+0200 Europe;Athens
> Subject: RE: Need some help with LDAP_SERVER_SD_FLAGS_OID control (SRX091119600169)

> Nadya - I don't think the LDAP_SERVER_SD_FLAGS_OID control should have 
> any effect during an add operation, since the flags for the control 
> indicate which security descriptor parts to retrieve during a search, 
> which should explain why LDAP_UNAVAILABLE_CRIT_EXTENSION is not being 
> returned (assuming the add succeeded).
> 
> I have filed a TDI to obtain authoritative information concerning this,
>  and will update you with results as they develop.
> 
> Could you advise me concerning how much this impacts progress on your 
> implementation?
> 
> References:
> 
> [MS-ADTS] 3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID
> http://msdn.microsoft.com/en-us/library/cc223323(PROT.13).aspx
>    
> The LDAP_SERVER_SD_FLAGS_OID control is used with an LDAP Search 
> request to control the portion of a Windows Security Descriptor to 
> retrieve.
>    
> LDAP_SERVER_SD_FLAGS_OID Control Code
> http://msdn.microsoft.com/en-us/library/aa366987(VS.85).aspx
> 
> The security information flags indicate which security descriptor 
> parts to retrieve during a search.
> 
> Regards,
> Bill Wesse
> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 8055 Microsoft Way
> Charlotte, NC 28273
> TEL:  +1(980) 776-8200
> CELL: +1(704) 661-5438
> FAX:  +1(704) 665-9606
> 
> 
> -----Original Message-----
> From: Bill Wesse 
> Sent: Thursday, November 19, 2009 2:07 PM
> To: 'Nadezhda Ivanova'
> Cc: cifs-protocol at samba.org
> Subject: RE: Need some help with LDAP_SERVER_SD_FLAGS_OID control 
> (SRX091119600169)
> 
> Hi Nadya - I will be your contact for this one. Here is the case 
> number:
> 
> SRX091119600169: [MS-ADTS] 7.1.3.2 LDAP_SERVER_SD_FLAGS_OID
> 
> I will begin my investigation today!
> 
> Regards,
> Bill Wesse
> 
> 
> -----Original Message-----
> From: Nadezhda Ivanova [mailto:nadezhda.ivanova at postpath.com] 
> Sent: Thursday, November 19, 2009 12:34 PM
> To: Interoperability Documentation Help
> Cc: cifs-protocol at samba.org
> Subject: Need some help with LDAP_SERVER_SD_FLAGS_OID control
> 
> Hello,
> I have been working on the implementation of LDAP_SERVER_SD_FLAGS_OID 
> in Samba, and I have a question. Is this control relevant for an LDAP 
> add request? I have been testing against Win2008. Adding this control 
> to the request does not seem to have any effect. When I set it to 
> Critical, I do not get LDAP_UNAVAILABLE_CRIT_EXTENSION, as described 
> in http://msdn.microsoft.com/en-us/library/aa367025%28VS.85%29.aspx
> At the same time, in MS-ADTS, section 7.1.3.2 SD Flags Control, it 
> says:
> "When performing an LDAP operation (add, modify or search), the client 
> may supply an SD flags
> control LDAP_SERVER_SD_FLAGS_OID with the operation."
> 
> So, if the control is valid for an LDAP add, what should be the 
> behavior?
> 
> Best Regards,
> Nadezhda Ivanova
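
Added example (not part of the original messages, and not Samba or Microsoft code): the value sent with LDAP_SERVER_SD_FLAGS_OID is the BER encoding of SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }. The sketch encodes and strictly decodes that value, then models the modify behaviour reported in the thread, where only the flagged parts of the descriptor are replaced. The helper names and the SDDL-style sample descriptors are constructed for illustration.

```python
# Added example, not Samba or Microsoft code; helper names are hypothetical.
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"

# Security-information bits carried in the control's Flags field.
OWNER, GROUP, DACL, SACL = 0x1, 0x2, 0x4, 0x8
PARTS = {"owner": OWNER, "group": GROUP, "dacl": DACL, "sacl": SACL}


def encode_sd_flags(flags: int) -> bytes:
    """BER-encode SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }."""
    if not 0 <= flags <= 0xF:
        raise ValueError("only the four low bits are modelled here")
    return bytes([0x30, 0x03, 0x02, 0x01, flags])


def decode_sd_flags(value: bytes) -> int:
    """Strictly parse the control value, rejecting malformed encodings."""
    if len(value) < 5 or value[0] != 0x30 or value[1] != len(value) - 2:
        raise ValueError("expected a short-form SEQUENCE")
    tag, length, content = value[2], value[3], value[4:]
    if tag != 0x02 or not 1 <= length <= 4 or length != len(content):
        raise ValueError("SEQUENCE must hold exactly one INTEGER")
    flags = int.from_bytes(content, "big", signed=True)
    if flags < 0:
        raise ValueError("negative Flags value")
    return flags


def apply_modify(stored: dict, supplied: dict, flags: int) -> dict:
    """Model of the modify behaviour reported in the thread: only the
    descriptor parts selected by the flags come from the supplied value."""
    result = dict(stored)
    for part, bit in PARTS.items():
        if flags & bit:
            result[part] = supplied[part]
    return result


# Constructed sample descriptors (SDDL-style strings, for illustration only).
STORED = {"owner": "O:DA", "group": "G:DU", "dacl": "D:(A;;GA;;;DA)", "sacl": "S:"}
SUPPLIED = {"owner": "O:BA", "group": "G:BA", "dacl": "D:(A;;GR;;;AU)", "sacl": "S:"}


def demo() -> dict:
    """Send only the DACL bit and show that owner and group are untouched."""
    wire = encode_sd_flags(DACL)
    return apply_modify(STORED, SUPPLIED, decode_sd_flags(wire))


if __name__ == "__main__":
    print(LDAP_SERVER_SD_FLAGS_OID, encode_sd_flags(DACL).hex(), demo())
```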

