[cifs-protocol] FW: FW: Inconsistencies in ad-schema docs and text files SRX090109601490

Hongwei Sun hongweis at microsoft.com
Mon Jan 11 08:23:34 MST 2010


Andrew,

  Most of the issues mentioned in your mail have been fixed in the latest released MS-ADSC or MS-ADA3.  The following is a summary.

  1. cn: Computer - Schema pulled from Windows 2008R2 shows two additional attributes for systemMayContain msTSSecondaryDesktopBL, msTSPrimaryDesktopBL.
     2.21 of MS-ADSC has been updated to include msTSSecondaryDesktopBL and msTSPrimaryDesktopBL in systemMayContain.

  2. cn: Domain-DNS - defaultSecurityDescriptor in does not match the schema pulled from Windows 2008R2
     2.42 of MS-ADSC (Class domainDNS) has been updated to include the correct defaultSecurityDescriptor as follows.

	defaultSecurityDescriptor: D: 
	(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)(A;;RP;;;WD)
	(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)
	(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)
	(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)
	(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)
	(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)
	(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)
	(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)
	(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
	(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)
	(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939; bf967aba-0de6-11d0-a285-00aa003049e2;RU)
	(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
	(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;
	bf967aba-0de6-11d0-a285-00aa003049e2;RU)
	(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;
	bf967aba-0de6-11d0-a285-00aa003049e2;RU)
	(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;
	bf967aba-0de6-11d0-a285-00aa003049e2;RU)
	(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)
	(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
	(A;;RPRC;;;RU)
	(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
	(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;
	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
	(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;
	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
	(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;
	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
	(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;
	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
	(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;
	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
	(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
	(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)
	(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)
	(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
	bf967aba-0de6-11d0-a285-00aa003049e2;ED)
	(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
	bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
	(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
	bf967a86-0de6-11d0-a285-00aa003049e2;ED)
	(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)
	(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)
	(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)
	(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)
	(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)
	(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)
	(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)
	(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)
	(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)
	(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)
	(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
	S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)
	(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
	(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

   3.  cn: inetOrgPerson - defaultSecurityDescriptor does not match the schema pulled from Windows 2008R2

     This was not reproducible and Richard indicated in the case that he probably made a mistake doing analysis, so there is no action needed for this item.

   4. cn: Object-Class - searchFlags do not match the schema pulled from Windows 2008R2

     2.39 of MS-ADA3 has been updated to include the correct SearchFlags.

       searchFlags: fATTINDEX | fPRESERVEONDELETE     
     
   5. cn: Sam-Domain - defaultSecurityDescriptor does not match the schema pulled from Windows 2008R2

     2.208 of MS-ADSC (Class samDomain) has been updated with the correct defaultSecurityDescriptor as follows.

	defaultSecurityDescriptor: D:
 	(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)(A;;RP;;;WD)
 	(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)
 	(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)
 	(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)
 	(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)
 	(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)
 	(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)
 	(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)
 	(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
 	(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)
 	(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;
 	bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 	(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;
 	bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 	(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;
 	bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 	(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;
 	bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 	(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;
 	bf967aba-0de6-11d0-a285-00aa003049e2;RU)
 	(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)
 	(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
 	(A;;RPRC;;;RU)(OA;CIIO;RPLCLORC;;
 	bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)
 	(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;
 	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
 	(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;
 	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
 	(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;
 	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
 	(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;
 	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
 	(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;
 	4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
 	(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
 	(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)
 	(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)
 	(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
 	bf967aba-0de6-11d0-a285-00aa003049e2;ED)
 	(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
 	bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
 	(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
 	bf967a86-0de6-11d0-a285-00aa003049e2;ED)
 	(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)
 	(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)
 	(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)
 	(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)
 	(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)
 	(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)
 	(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)
 	(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)
 	(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)
 	(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)
 	(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
 	S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)
 	(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;
 	bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
 	(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;
 	bf967aa5-0de6-11d0-a285-00aa003049e2;WD)     

   
   6. cn: Schema - This attribute may be missing from the schema documentation.  It shows up in the Windows 2008R2 schema so it is being investigated.

      The Schema object is not a schema attribute definition, but rather a container which is the root of the schema naming context.  Please refer to the Schema NC description in section 7.1.1.1.3 of MS-ADTS.   This issue is closed with no action needed.

 
    7. cn: Top - There appears to be a discrepancy with the generated Windows 2008R2 schema and the documented schema for systemMayContain attribute.

     2.230 of MS-ADSC has been updated for systemMayContain attribute.   The changes include (1) We deleted msTSPrimaryDesktopBL and msTSSecondaryDesktopsBL. (2) We corrected the name for isRecycled.   The systemMayContain is documented as follows:

	systemMayContain: msDS-EnabledFeatureBL, msDS-LastKnownRDN,
	msDS-HostServiceAccountBL,
	msDS-OIDToGroupLinkBl, msDS-LocalEffectiveRecycleTime,
	msDS-LocalEffectiveDeletionTime, isRecycled, msDS-NcType,
	msDS-PSOApplied, msDS-PrincipalName,
	msDS-RevealedListBL, msDS-AuthenticatedToAccountlist,
	msDS-IsPartialReplicaFor, msDS-IsDomainFor, msDS-IsFullReplicaFor,
	msDS-RevealedDSAs, msDS-KrbTgtLinkBl, url, wWWHomePage, whenCreated,
	whenChanged, wellKnownObjects, wbemPath, uSNSource, uSNLastObjRem,
	USNIntersite, uSNDSALastObjRemoved, uSNCreated, uSNChanged,
	systemFlags, subSchemaSubEntry, subRefs, structuralObjectClass,
	siteObjectBL, serverReferenceBL, sDRightsEffective, revision,
	repsTo, repsFrom, directReports, replUpToDateVector,
	replPropertyMetaData, name, queryPolicyBL, proxyAddresses,
	proxiedObjectName, possibleInferiors, partialAttributeSet,
	partialAttributeDeletionList, otherWellKnownObjects, objectVersion,
	objectGUID, distinguishedName, nonSecurityMemberBL, netbootSCPBL,
	ownerBL, msDS-ReplValueMetaData, msDS-ReplAttributeMetaData,
	msDS-NonMembersBL, msDS-NCReplOutboundNeighbors,
	msDS-NCReplInboundNeighbors, msDS-NCReplCursors,
	msDS-TasksForAzRoleBL, msDS-TasksForAzTaskBL,
	msDS-OperationsForAzRoleBL, msDS-OperationsForAzTaskBL,
	msDS-MembersForAzRoleBL, msDs-masteredBy, mS-DS-ConsistencyGuid,
	mS-DS-ConsistencyChildCount, msDS-Approx-Immed-Subordinates,
	msCOM-PartitionSetLink, msCOM-UserLink, modifyTimeStamp, masteredBy,
	managedObjects, lastKnownParent, isPrivilegeHolder, memberOf,
	isDeleted, isCriticalSystemObject, showInAdvancedViewOnly,
	fSMORoleOwner, fRSMemberReferenceBL, frsComputerReferenceBL,
	fromEntry, flags, extensionName, dSASignature,
	dSCorePropagationData, displayNamePrintable, displayName,
	description, createTimeStamp, cn, canonicalName,
	bridgeheadServerListBL, allowedChildClassesEffective,
	allowedChildClasses, allowedAttributesEffective, allowedAttributes,
	adminDisplayName, adminDescription, msDS-NC-RO-Replica-Locations-BL

    
     The schema of Windows 2008 R2 we sent you on 04/24/2009 doesn't incorporate the above changes.  I will work on it.  We do have tools/scripts to create and validate the schema.

Thanks!

Hongwei

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Thursday, January 07, 2010 10:11 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org; Andrew Tridgell
Subject: Re: [cifs-protocol] FW: FW: Inconsistencies in ad-schema docs and text files SRX090109601490

On Fri, 2009-04-24 at 09:07 -0700, Richard Guthrie wrote:
> Andrew:
> 
> Attached are schema files for Windows 2008 and Windows 2008R2/Windows 7.  The Windows 2008 schema should not have any issues based upon initial validation against the Windows 2008 schema.  The release notes for the Windows 2008R2/Windows 7 schema are as follows (All issues are under investigation at this time):
> 
> 1. cn: Computer - Schema pulled from Windows 2008R2 shows two additional attributes for systemMayContain msTSSecondaryDesktopBL, msTSPrimaryDesktopBL.  These are not present in the latest documentation for this attribute.
> 2. cn: Domain-DNS - defaultSecurityDescriptor in does not match the schema pulled from Windows 2008R2
> 3. cn: inetOrgPerson - defaultSecurityDescriptor does not match the schema pulled from Windows 2008R2
> 4. cn: Object-Class - searchFlags do not match the schema pulled from Windows 2008R2
> 5. cn: Sam-Domain - defaultSecurityDescriptor does not match the schema pulled from Windows 2008R2
> 6. cn: Schema - This attribute may be missing from the schema documentation.  It shows up in the Windows 2008R2 schema so it is being investigated.
> 7. cn: Top - There appears to be a discrepancy with the generated Windows 2008R2 schema and the documented schema for systemMayContain attribute.

Dear Dochelp,

Did anyone ever solve these, and can I get a correct file for the final release of Windows 2008 R2?  Do you have a script to validate these?

We are finding far more errors than just the above (diff to follow shortly), as it seems these files are still generated by hand (why?!?)

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
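
The thread asks for a script to validate documented defaultSecurityDescriptor values against a schema pulled from a server. The following is an added example, not part of either message and not Microsoft's or Samba's tooling: it normalizes line-wrapped SDDL (whitespace, GUID case, token order such as RPLCLORC vs LCRPLORC) and reports ACE-level differences. The function names are hypothetical, and the two inputs are constructed from a few ACEs quoted above.

```python
import re
from collections import Counter

def _tokens(field):
    """Sort two-letter SDDL tokens so RPLCLORC and LCRPLORC compare equal."""
    if field.lower().startswith("0x"):       # numeric access mask: keep as-is
        return field.lower()
    if len(field) % 2:
        raise ValueError(f"odd-length token string: {field!r}")
    return "".join(sorted(re.findall("..", field)))

def parse_sddl(text):
    """Return {'D': Counter, 'S': Counter} of normalized 6-field ACE tuples."""
    compact = re.sub(r"\s+", "", text)       # undo mail/doc line wrapping
    acls = {"D": Counter(), "S": Counter()}
    for kind, _flags, body in re.findall(r"([DS]):([A-Z]*)((?:\([^()]*\))+)", compact):
        for ace in re.findall(r"\(([^()]*)\)", body):
            f = ace.split(";")
            if len(f) != 6:
                raise ValueError(f"expected 6 ACE fields, got {len(f)}: {ace!r}")
            acls[kind][(f[0], _tokens(f[1]), _tokens(f[2]),
                        f[3].lower(), f[4].lower(), f[5])] += 1
    return acls

def diff_sddl(documented, observed):
    """Compare ACEs as multisets; ACE order is deliberately ignored here."""
    doc, obs = parse_sddl(documented), parse_sddl(observed)
    return {k: {"missing_from_doc": sorted((obs[k] - doc[k]).elements()),
                "only_in_doc": sorted((doc[k] - obs[k]).elements())}
            for k in ("D", "S")}

# Constructed inputs: a wrapped "documented" excerpt and a single-line
# "observed" value that carries one extra control-access ACE.
DOCUMENTED = """defaultSecurityDescriptor: D:
    (A;;RPLCLORC;;;AU)
    (OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939; bf967aba-0de6-11d0-a285-00aa003049e2;RU)
    (OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;
    4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
    S:(AU;SA;CR;;;BA)"""
OBSERVED = ("D:(A;;LCRPLORC;;;AU)"
            "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
            "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)"
            "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
            "S:(AU;SA;CR;;;BA)")

if __name__ == "__main__":
    for acl, delta in diff_sddl(DOCUMENTED, OBSERVED).items():
        print(acl, delta)
```

ACE order affects access-check evaluation, so a stricter validator would also compare the ordered ACE lists once the multiset diff is clean.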


