[cifs-protocol] [REG:110091558099846] RE: Incompleteness in MS-SAMR section 3.1.1.8.1 objectClass

Hongwei Sun hongweis at microsoft.com
Tue Oct 5 09:40:19 MDT 2010


Matthias,

  Following up on this documentation update, I attached the changes made to the MS-ADTS and MS-DRSR.

BEFORE ---
3.1.1.3.2.41   tokenGroups
Returns the SIDs contained in the security context as which the client has authenticated the LDAP connection. See section 5.1.3.

AFTER ---
3.1.1.3.2.41   tokenGroups
Returns the SIDs contained in the security context as which the client has authenticated the LDAP connection. Refer to section 5.1.3 for details on LDAP Authorization. Refer to section 3.1.1.4.5.19 for details on the algorithm used to compute this attribute.

BEFORE ---
3.1.1.4.9.6   DomainOf
procedure DomainOf(o: DSName): DSName
This procedure returns the DSName of the domain NC to which the given DSName o belongs. It returns null upon failure.

3.1.1.4.9.7   GetDSNameFromPrimaryGroupId
procedure GetDSNameFromPrimaryGroupId(rid: Rid): DSName
This procedure constructs a SID s consisting of the domain SID of the DC's default domain and the given relative identifier (RID) rid, and returns the DSName of the object o for which o!objectSid = s. If no such object o exists, then this procedure will return null.

AFTER ---
3.1.1.4.9.6   DomainOf
procedure DomainOf(o: DSName): DSName
This procedure returns the DSName of the domain NC to which the given DSName o belongs. It returns null upon failure.

<content added> 
3.1.1.4.9.7   GetDSNameOfEnterpriseRODCsGroup
procedure GetDSNameOfEnterpriseReadonlyDomainControllerGroup(): DSName
This procedure constructs a SID s consisting of the domain SID of the root domain and the relative identifier (RID) of the Enterprise Read-only Domain Controllers Group (as defined in section 7.1.1.6.14), and returns the DSName of the object o for which o!objectSid = s. If no such object o exists, this procedure returns null.

3.1.1.4.9.8   GetDSNameFromPrimaryGroupId
procedure GetDSNameFromPrimaryGroupId(rid: Rid): DSName
This procedure constructs a SID s consisting of the domain SID of the DC's default domain and the given relative identifier (RID) rid, and returns the DSName of the object o for which o!objectSid = s. If no such object o exists, then this procedure will return null.


BEFORE ---
3.1.1.4.9.10   GetMemberships Method
. . . 
In the following pseudocode, the SID type is specified in [MS-DRDM] section 5.126, the IsGC procedure is specified in [MS-DRDM] section 5.67, and the DefaultNC procedure is specified in [MS-DRDM] section 5.20.
. . . 
/* Get the initial result set from the graph. */
wSet := {}
for i := 0 to msgIn.ppDsNames.cDsNames - 1
  u := msgIn.ppDsNames[i]
  if u in vSet then
    /* Get the subgraph by applying the predicate IsMatchedGroup
     * on each element in the vertex set, plus u itself. */
    uSet := {u} + select all v from vSet where 
         IsMatchedGroup(v, op, msgIn.pLimitingDomain^)
    if transitive then
      wSet := wSet + (Closure(uSet, aSet, u) - {u})
    else
      wSet := wSet + (Neighbors(uSet, aSet, u) - {u})
    endif
  endif
endfor
. . . 

AFTER ---
3.1.1.4.9.11   GetMemberships Method
. . .
In the following pseudocode, the ADS_UF_WORKSTATION_TRUST_ACCOUNT and ADS_UF_PARTIAL_SECRETS_ACCOUNT flags are specified in section 2.2.15, the userAccountControl attribute is specified in [MS-ADA3] section 2.341, the SID type is specified in [MS-DRDM] section 5.126, the IsGC procedure is specified in [MS-DRDM] section 5.67, and the DefaultNC procedure is specified in [MS-DRDM] section 5.20.
. . . 
/* Get the initial result set from the graph. */
wSet := {}
for i := 0 to msgIn.ppDsNames.cDsNames - 1
  u := msgIn.ppDsNames[i]
  if u in vSet then
    /* Get the subgraph by applying the predicate IsMatchedGroup
     * on each element in the vertex set, plus u itself. */
    uSet := {u} + select all v from vSet where 
         IsMatchedGroup(v, op, msgIn.pLimitingDomain^)
    if transitive then
      wSet := wSet + (Closure(uSet, aSet, u) - {u})
    else
      wSet := wSet + (Neighbors(uSet, aSet, u) - {u})
    endif
    if ((u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT =
           ADS_UF_WORKSTATION_TRUST_ACCOUNT) or
        (u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT =
           ADS_UF_PARTIAL_SECRETS_ACCOUNT)) then
        wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
    endif
  endif
endfor
. . .

Thanks!

Hongwei


-----Original Message-----
From: Matthias Dieter Wallnöfer [mailto:mdw at samba.org] 
Sent: Wednesday, September 22, 2010 7:42 AM
To: Hongwei Sun
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:110091558099846] RE: Incompleteness in MS-SAMR section 3.1.1.8.1 objectClass

Okay!

Greets,
Matthias Wallnöfer

Hongwei Sun wrote:
> Matthias,
>
>    Thanks for raising this issue with us. First, we will add the missing definitions for UF_PARTIAL_SECRETS_ACCOUNT (0x4000000) to 2.2.1.13 MS-SAMR, USER_PARTIAL_SECRETS_ACCOUNT (0x00100000) to 2.2.1.12 MS-SAMR and DOMAIN_GROUP_RID_READONLY_DCS (0x00000209) to 2.2.1.14 MS-SAMR. In 3.1.1.8.1 MS-SAMR, we will add the following entry to the table in item 4 showing that if userAccountControl has bits UF_WORKSTATION_TRUST_ACCOUNT & UF_PARTIAL_SECRETS_ACCOUNT, the primaryGroupId attribute MUST be updated with DOMAIN_GROUP_RID_READONLY_CONTROLLERS.
>
>    We are in the process of updating the document. The changes will appear in a future release of the document. Please let us know if you have any further questions. If not, I will consider this issue resolved.
>
> Thanks!
>
> Hongwei
>
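To make the AFTER version of GetMemberships concrete, here is a small Python model of it written for this archive page; it is neither MS-ADTS text nor Samba code. The directory, DSNames and SIDs are constructed; ADS_UF_PARTIAL_SECRETS_ACCOUNT uses the value quoted in the thread, while the other ADS_UF_* values and the Enterprise RODC RID (498) are the published well-known constants, and the membership condition is copied literally from the AFTER pseudocode (an "or" of the two flags).

```python
# Model of the AFTER GetMemberships pseudocode over a constructed directory.
ADS_UF_NORMAL_ACCOUNT = 0x00000200             # well-known userAccountControl flag
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000  # well-known userAccountControl flag
ADS_UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000    # value quoted in the thread (0x4000000)
ENTERPRISE_RODC_RID = 498  # well-known RID of "Enterprise Read-only Domain Controllers"

ROOT_DOMAIN_SID = "S-1-5-21-1-2-3"  # constructed root-domain SID

# Constructed directory: DSName -> attributes; memberOf holds the direct-membership edges.
DIRECTORY = {
    "CN=RODC1": {"objectSid": ROOT_DOMAIN_SID + "-1105",
                 "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_PARTIAL_SECRETS_ACCOUNT,
                 "memberOf": ["CN=Domain Computers"]},
    "CN=Alice": {"objectSid": ROOT_DOMAIN_SID + "-1106",
                 "userAccountControl": ADS_UF_NORMAL_ACCOUNT,
                 "memberOf": ["CN=Staff"]},
    "CN=Domain Computers": {"objectSid": ROOT_DOMAIN_SID + "-515", "userAccountControl": 0,
                            "memberOf": ["CN=All Machines"]},
    "CN=All Machines": {"objectSid": ROOT_DOMAIN_SID + "-2001", "userAccountControl": 0, "memberOf": []},
    "CN=Staff": {"objectSid": ROOT_DOMAIN_SID + "-2002", "userAccountControl": 0, "memberOf": []},
    "CN=Enterprise Read-only Domain Controllers":
        {"objectSid": f"{ROOT_DOMAIN_SID}-{ENTERPRISE_RODC_RID}", "userAccountControl": 0, "memberOf": []},
}

def get_dsname_of_enterprise_rodcs_group():
    """GetDSNameOfEnterpriseRODCsGroup: object whose objectSid is <root SID>-<RID>, or None."""
    s = f"{ROOT_DOMAIN_SID}-{ENTERPRISE_RODC_RID}"
    return next((dn for dn, a in DIRECTORY.items() if a["objectSid"] == s), None)

def closure(u):
    """Transitive memberOf closure of u, excluding u itself (the spec's Closure(...) - {u})."""
    seen, stack = set(), list(DIRECTORY[u]["memberOf"])
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(DIRECTORY[g]["memberOf"])
    return seen

def get_memberships(u, transitive=True):
    """AFTER version: graph result plus the Enterprise RODC group for flagged accounts."""
    w = closure(u) if transitive else set(DIRECTORY[u]["memberOf"])
    uac = DIRECTORY[u]["userAccountControl"]
    # Condition as written in the AFTER pseudocode: either flag set.
    if (uac & ADS_UF_WORKSTATION_TRUST_ACCOUNT) or (uac & ADS_UF_PARTIAL_SECRETS_ACCOUNT):
        g = get_dsname_of_enterprise_rodcs_group()
        if g is not None:  # the lookup returns null when no such object exists
            w.add(g)
    return w
```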
