[cifs-protocol] Status: SRX091216600027 [MS-ADTS] 3.1.1.2.3 msDS-IntId not always present

Bill Wesse billwe at microsoft.com
Fri Feb 5 08:57:37 MST 2010


Good morning! Thanks for your patience.

Our documentation developers have responded to the questions you raised. I have provided your original questions and the responses below. Please let me know if the below answers your questions satisfactorily; if so, I will consider your question resolved.

=============================================================================
Question:

According to [MS-ADTS] section 3.1.1.2.3 Attributes <http://msdn.microsoft.com/en-us/library/cc223202(PROT.13).aspx>,
msDS-IntId is:

“Present on attributeSchema <http://msdn.microsoft.com/en-us/library/cc221662(PROT.13).aspx> objects added when forest functional level is DS_BEHAVIOR_WIN2003 or greater with FLAG_SCHEMA_BASE_OBJECT not present in systemFlags <http://msdn.microsoft.com/en-us/library/cc220919(PROT.13).aspx>”.

However, when running the test against w2k8 there are a lot of attributes that do not obey this rule.
Please see attached file “w2k8_msDS-IntId.txt”.

At first I thought that those attributes have attributeIDs that can be encoded/decoded using ‘default prefixMap’.
After examining the list though, it turns out this is not the case for majority of those attributes.
Please see attached file “not_in_default_prefixMap.txt” for a list of those attributes.

Perhaps I am misunderstanding the documentation?

I need a ‘steady’ rule when to create ‘msDS-IntId’ value for an attribute in the schema.
Is there any other rule to be applied?

Response:

As stated in '[MS-ADTS] section 3.1.1.2.3 Attributes', the msDS-IntId attribute is only present on attributeSchema objects ADDED, if the forest functional level is DS_BEHAVIOR_WIN2003 or higher.

There are several attributes in the default AD schema that are created at setup time before the AD environment is in an operating state and are not subject to this rule.

However, attributeSchema objects added after the forest functional level is DS_BEHAVIOR_WIN2003 or higher will have this attribute present when conditions are met (FLAG_SCHEMA_BASE_OBJECT not present in systemFlags). Also note that not all classes and attributes included in the base schema are marked with FLAG_SCHEMA_BASE_OBJECT.

=============================================================================
Question:

Btw, one interesting observation during my tests – adding ‘msDS-IntId’ on classSchema object passes nicely during object creation. After that, trying to modify this attribute value leads to “CONSTRAINT_VIOLATION”. And I am wondering – what is the meaning of ‘msDS-IntId’ when used in a classSchema object?

Response:

Essentially, ‘msDS-IntId’, when used on a classSchema object, means that a client cannot modify the objectCategory of an instance of a base schema class (the DSA can do this on its own behalf only).

=============================================================================
Reference:

[MS-ADTS] section 3.1.1.2.3 Attributes
http://msdn.microsoft.com/en-us/library/cc223202(PROT.13).aspx

msDS-IntId
Not specified on Add (if specified in the Add request, the DC returns LDAP error unwillingToPerform); the value (a 32-bit unsigned integer in the subrange [0x80000000..0xBFFFFFFF]) is generated by the DC. Present on attributeSchema objects added when forest functional level is DS_BEHAVIOR_WIN2003 or greater with FLAG_SCHEMA_BASE_OBJECT not present in systemFlags (below). The value of msDS-IntId is the ATTRTYP of this attributeSchema object. Unique among all values of this attribute on objects in the schema NC, regardless of forest functional level. System-only.


Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
Email:   billwe at microsoft.com
Tel:       +1(980) 776-8200
Cell:      +1(704) 661-5438
Fax:      +1(704) 665-9606
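
As an added illustration (not code from this thread or from the Samba test it mentions), the following Python models the two rules discussed above: a DC refuses msDS-IntId supplied on an Add and otherwise generates a unique value in [0x80000000..0xBFFFFFFF] for qualifying attributeSchema objects, and an audit applies the presence rule while exempting setup-time attributes as the response explains. The bit value of FLAG_SCHEMA_BASE_OBJECT (0x10) and the numeric level DS_BEHAVIOR_WIN2003 (2) are taken from [MS-ADTS] rather than this thread, the created_at_setup marker is a constructed annotation standing in for knowledge that an attribute came from default provisioning, and the sequential ID allocation is a stand-in for whatever the DC actually does.

```python
# Model of the [MS-ADTS] 3.1.1.2.3 msDS-IntId rules discussed in this thread.
# All schema records passed to these functions are constructed sample data,
# not a dump from a real DC.

FLAG_SCHEMA_BASE_OBJECT = 0x10   # assumption: systemFlags bit value from [MS-ADTS]
DS_BEHAVIOR_WIN2003 = 2          # assumption: numeric functional level from [MS-ADTS]
INTID_MIN, INTID_MAX = 0x80000000, 0xBFFFFFFF


def dc_add_attribute_schema(request, forest_level, schema):
    """Simulate a DC processing an Add of an attributeSchema object.
    Returns (ldap_result, stored_object); the object is appended to schema."""
    if "msDS-IntId" in request:
        return "unwillingToPerform", None      # client may never supply the value
    obj = dict(request)
    base = obj.get("systemFlags", 0) & FLAG_SCHEMA_BASE_OBJECT
    if forest_level >= DS_BEHAVIOR_WIN2003 and not base:
        used = {o["msDS-IntId"] for o in schema if "msDS-IntId" in o}
        cand = INTID_MIN
        while cand in used:                    # keep the value unique in the schema NC
            cand += 1                          # sequential allocation is a simplification
        obj["msDS-IntId"] = cand
    schema.append(obj)
    return "success", obj


def audit_schema(schema, forest_level):
    """Report attributeSchema objects that break the rule, exempting the
    setup-time (provisioning) attributes the thread's response describes."""
    problems, seen = [], {}
    for o in schema:
        name = o["lDAPDisplayName"]
        intid = o.get("msDS-IntId")
        base = o.get("systemFlags", 0) & FLAG_SCHEMA_BASE_OBJECT
        required = (forest_level >= DS_BEHAVIOR_WIN2003 and not base
                    and not o.get("created_at_setup", False))
        if required and intid is None:
            problems.append(f"{name}: msDS-IntId required but absent")
        if intid is not None:
            if not INTID_MIN <= intid <= INTID_MAX:
                problems.append(f"{name}: msDS-IntId 0x{intid:08X} out of range")
            if intid in seen:                  # uniqueness holds at any forest level
                problems.append(f"{name}: msDS-IntId duplicates {seen[intid]}")
            seen.setdefault(intid, name)
    return problems
```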

From: Kamen Mazdrashki [mailto:kamen.mazdrashki at postpath.com]
Sent: Thursday, January 14, 2010 9:49 AM
To: Bill Wesse
Cc: pfif at tridgell.net; abartlet at samba.org; cifs-protocol at samba.org
Subject: RE: Status: SRX091216600027 [MS-ADTS] 3.1.1.2.3 msDS-IntId not always present

Thanks for the update.

CU,
Kamen Mazdrashki
kamen.mazdrashki at postpath.com
http://repo.or.cz/w/Samba/kamenim.git
-------------------------------------
CISCO SYSTEMS BULGARIA EOOD
http://www.cisco.com/global/BG/

From: Bill Wesse [mailto:billwe at microsoft.com]
Sent: Thursday, January 14, 2010 4:24 PM
To: Kamen Mazdrashki
Cc: pfif at tridgell.net; abartlet at samba.org; cifs-protocol at samba.org
Subject: Status: SRX091216600027 [MS-ADTS] 3.1.1.2.3 msDS-IntId not always present

Good morning once again Kamen! Here is what’s up with the TDI…

Your comment:
Btw, one interesting observation during my tests – adding ‘msDS-IntId’ on classSchema object passes nicely during object creation. After that, trying to modify this attribute value leads to “CONSTRAINT_VIOLATION”. And I am wondering – what is the meaning of ‘msDS-IntId’ when used in a classSchema object?

Response:
Essentially, this means that a client cannot modify the objectCategory of an instance of a base schema class (the DSA can do this on its own behalf only).

On another note:
[MS-ADTS] 3.1.1.2.3 Attributes (http://msdn.microsoft.com/en-us/library/cc223202(PROT.13).aspx) says the DC returns LDAP error unwillingToPerform on any attempt to specify msDS-IntId on an Add operation.

I have alerted those concerned with the TDI to this; the response to your main question (…a ‘steady’ rule when to create ‘msDS-IntId’ value for an attribute in the schema) is still pending.

Thanks for your patience.

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
Email:   billwe at microsoft.com
Tel:       +1(980) 776-8200
Cell:      +1(704) 661-5438
Fax:      +1(704) 665-9606

From: Bill Wesse
Sent: Thursday, December 31, 2009 8:41 AM
To: 'Kamen Mazdrashki'
Cc: 'pfif at tridgell.net'; 'abartlet at samba.org'; 'cifs-protocol at samba.org'
Subject: RE: Status: SRX091216600027 [MS-ADTS] 3.1.1.2.3 msDS-IntId not always present

Good morning Kamen – I neglected to advise you I filed a Technical Documentation Issue (TDI) concerning the msDS-IntId attribute. This is still under investigation by our document developers, and I will advise you as soon as some results are forthcoming.

Thanks for your patience!

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

From: Bill Wesse
Sent: Wednesday, December 16, 2009 9:52 AM
To: 'Kamen Mazdrashki'
Cc: pfif at tridgell.net; abartlet at samba.org; cifs-protocol at samba.org
Subject: RE: Status: SRX091216600027 [MS-ADTS] 3.1.1.2.3 msDS-IntId not always present (SRX091020600112 [MS-DRSR] section 5.12.2 - prefixMap implementation)

Thanks for the update Kamen – I have created the following case to track our work. Unless you think otherwise, I will archive the old case (SRX091020600112 [MS-DRSR] section 5.12.2 - prefixMap implementation).

SRX091216600027 [MS-ADTS] 3.1.1.2.3 msDS-IntId not always present

I expect to be able to begin work later today – or by tomorrow morning at the latest.

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

From: Kamen Mazdrashki [mailto:kamen.mazdrashki at postpath.com]
Sent: Tuesday, December 15, 2009 9:08 PM
To: Bill Wesse
Cc: pfif at tridgell.net; abartlet at samba.org; cifs-protocol at samba.org
Subject: RE: Status: SRX091020600112 [MS-DRSR] section 5.12.2 - prefixMap implementation

Hi Bill,

Finally I have a “msDS-IntId” attribute.
You can find the test in the “source4/lib/ldb/tests/python/ldap_schema.py” Python script.
You can execute the script from the ‘source4’ directory as follows:
lib/ldb/tests/python/ldap_schema.py -UAdministrator%password w2k8
This test is only in my branch, so you can download it from (sorry for the inconvenience):
http://repo.or.cz/w/Samba/kamenim.git/snapshot/1de38d8251c6df7fb23d68033f57c1f8f53bcded.tar.gz

According to MS-ADTS http://msdn.microsoft.com/en-us/library/cc223202%28PROT.13%29.aspx,
msDS-IntId is “Present on attributeSchema<http://msdn.microsoft.com/en-us/library/cc221662%28PROT.13%29.aspx> objects added when forest functional level is DS_BEHAVIOR_WIN2003 or greater with FLAG_SCHEMA_BASE_OBJECT not present in systemFlags<http://msdn.microsoft.com/en-us/library/cc220919%28PROT.13%29.aspx>”.
However, when running the test against w2k8 there are a lot of attributes that do not obey this rule.
Please see attached file “w2k8_msDS-IntId.txt”.

At first I thought that those attributes have attributeIDs that can be encoded/decoded using ‘default prefixMap’.
After examining the list though, it turns out this is not the case for majority of those attributes.
Please see attached file “not_in_default_prefixMap.txt” for a list of those attributes.

Perhaps I am misunderstanding the documentation?
I need a ‘steady’ rule when to create ‘msDS-IntId’ value for an attribute in the schema.
Is there any other rule to be applied?
I need to note here that those attributes come from w2k8 default provisioning.
Any newly added attributes strictly obey the abovementioned rule (I found no way to add an attribute with FLAG_SCHEMA_BASE_OBJECT flag set though).


CU,
Kamen Mazdrashki
kamen.mazdrashki at postpath.com
http://repo.or.cz/w/Samba/kamenim.git
-------------------------------------
CISCO SYSTEMS BULGARIA EOOD
http://www.cisco.com/global/BG/

From: Bill Wesse [mailto:billwe at microsoft.com]
Sent: Tuesday, December 01, 2009 3:58 PM
To: Kamen Mazdrashki
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: Status: SRX091020600112 [MS-DRSR] section 5.12.2 - prefixMap implementation

Thank you – I am quite unhappy with myself for not seeing this also.

I will certainly keep the issue open!

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

From: Kamen Mazdrashki [mailto:kamen.mazdrashki at postpath.com]
Sent: Monday, November 30, 2009 4:13 PM
To: Bill Wesse
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: Status: SRX091020600112 [MS-DRSR] section 5.12.2 - prefixMap implementation

Hi Bill,

Good news – Metze resolved the issue with “not recognized ATTIDs”.
It was in front of me all the time; I can’t believe I’ve missed that (as it turns out, reading matters☺):
http://msdn.microsoft.com/en-us/library/cc223224%28PROT.13%29.aspx

Could you please leave the issue open while I make a test to verify that the rules for msDS-IntId described on the following page hold true?
http://msdn.microsoft.com/en-us/library/cc223202%28PROT.13%29.aspx
I just need to be sure that if FLAG_SCHEMA_BASE_OBJECT is not set, then Windows uses msDS-IntId.


BR,
Kamen Mazdrashki
kamen.mazdrashki at postpath.com
http://repo.or.cz/w/Samba/kamenim.git
-------------------------------------
CISCO SYSTEMS BULGARIA EOOD
http://www.cisco.com/global/BG/
