[cifs-protocol] MS-LSAD 3.1.4.7.10-12 CreateTrustedDomain* question

Hongwei Sun hongweis at microsoft.com
Wed Nov 17 12:17:58 MST 2010


Matthias,

  As per the processing logic in 3.1.4.7.10 in MS-LSAD, the caller to LsarCreateTrustedDomainEx2 or similar functions has to be a member of the Domain Admins group to access the policy handle. The requirement for the caller's control access right is also defined in the same section. The constraint you mentioned in MS-ADTS is for the LDAP Add operation. ERROR_DS_CANT_ADD_SYSTEM_ONLY means that it is not permitted to add an attribute that is owned by the system.

  Please let me know if I understand your questions correctly and if you have more questions.

Thanks!

Hongwei
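
An added illustration (not code from MS-LSAD, MS-ADTS or Samba) modelling the two checks described above: the RPC path enforces an access right on the policy handle plus Domain Admins membership, while a plain LDAP Add of an LSA-specific object class is refused regardless of caller. The access-mask value, the constructed DN and the error strings are assumptions of this model.

```python
# Toy server model of the checks discussed in the reply above; not code from
# MS-LSAD, MS-ADTS or Samba. Values marked "assumed" are this example's own.

POLICY_TRUST_ADMIN = 0x00000008      # MS-LSAD policy-object access bit (value assumed here)
DOMAIN_ADMINS_RID = 512              # well-known RID of the Domain Admins group
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
# LDAP result as the thread quotes it; kept as a string in this model
ERROR_DS_CANT_ADD_SYSTEM_ONLY = "unwillingToPerform / ERROR_DS_CANT_ADD_SYSTEM_ONLY"
# LSA-specific structural classes (MS-ADTS 3.1.1.5.2.3); a plain LDAP Add of an
# object whose structural class is one of these is refused.
LSA_OBJECT_CLASSES = {"trustedDomain", "secret"}


class PolicyHandle:
    """Open LSA policy handle: the access mask granted at open time plus the
    group RIDs from the caller's token (both simplified for the model)."""
    def __init__(self, granted_access, caller_group_rids):
        self.granted_access = granted_access
        self.caller_group_rids = set(caller_group_rids)


def lsar_create_trusted_domain_ex2(handle, trust_name, directory):
    """RPC path: access check on the policy handle, then the Domain Admins
    requirement, then the create performed by the server itself, so the LDAP
    system-only constraint never applies to this path."""
    if (handle.granted_access & POLICY_TRUST_ADMIN) == 0:
        return STATUS_ACCESS_DENIED
    if DOMAIN_ADMINS_RID not in handle.caller_group_rids:
        return STATUS_ACCESS_DENIED
    dn = f"CN={trust_name},CN=System,DC=example,DC=test"   # constructed DN
    directory[dn] = {"objectClass": ["top", "leaf", "trustedDomain"],
                     "trustPartner": trust_name}
    return STATUS_SUCCESS


def ldap_add(dn, attrs, directory):
    """LDAP Add constraint from MS-ADTS 3.1.1.5.2.2: the structural class
    (taken as the last objectClass value here) must not be LSA-specific,
    whoever the caller is."""
    structural = attrs["objectClass"][-1]
    if structural in LSA_OBJECT_CLASSES:
        return ERROR_DS_CANT_ADD_SYSTEM_ONLY
    directory[dn] = attrs
    return "success"
```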


-----Original Message-----
From: Matthias Dieter Wallnöfer [mailto:mdw at samba.org] 
Sent: Saturday, November 13, 2010 8:47 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: MS-LSAD 3.1.4.7.10-12 CreateTrustedDomain* question

Hi dochelp people,

the calls "CreateTrustedDomain*" allow creating trusted domain objects. 
Now the question is: which AD security user is used to create them? Is it 
"SYSTEM"?

Since otherwise we run into the following constraint (taken from MS-ADTS 
3.1.1.5.2.2):
> The structural objectClass is not a Local Security Authority 
> (LSA)-specific object class (section
> 3.1.1.5.2.3). If it is, Add returns unwillingToPerform / 
> ERROR_DS_CANT_ADD_SYSTEM_ONLY.

Thanks,
Matthias Wallnöfer