[cifs-protocol] [REG:110091558099846] RE: Incompleteness in MS-SAMR section 3.1.1.8.1 objectClass

Hongwei Sun hongweis at microsoft.com
Mon Oct 11 14:34:45 MDT 2010


Matthias,

   This seems to be a new issue even though it is in the same section of the document.   We will create a new case to keep track of it.   If there is a new issue in our communication in the future, please also copy docHelp, which is monitored by our team, so it will not be missed in case I am out of office or so.

   As for this issue, could you give a little more description of the blackbox test which reproduces the behavior?

Thanks!

Hongwei  

-----Original Message-----
From: Matthias Dieter Wallnöfer [mailto:mdw at samba.org] 
Sent: Monday, October 11, 2010 11:29 AM
To: Hongwei Sun
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:110091558099846] RE: Incompleteness in MS-SAMR section 3.1.1.8.1 objectClass

Hongwei,

I think I've found another issue: again the MS-SAMR 3.1.1.8.1 "objectClass" 
trigger - this time item 1.5.

Windows doesn't seem to always add UF_PASSWD_NOT_REQD when objects using 
UF_WORKSTATION_TRUST_ACCOUNT are created. We have a blackbox test which 
reproduces this. Probably there is some explanation missing; that is, 
under which cases PASSWD_NOT_REQD is added.

Greets,
Matthias


Hongwei Sun wrote:
> Matthias,
>
>    Following up on this documentation update, I attached the changes made to the MS-ADTS and MS-DRSR.
>
> BEFORE ---
> 3.1.1.3.2.41   tokenGroups
> Returns the SIDs contained in the security context as which the client has authenticated the LDAP connection. See section 5.1.3.
>
> AFTER ---
> 3.1.1.3.2.41   tokenGroups
> Returns the SIDs contained in the security context as which the client has authenticated the LDAP connection. Refer to section 5.1.3 for details on LDAP Authorization. Refer to section 3.1.1.4.5.19 for details on the algorithm used to compute this attribute.
>
> BEFORE ---
> 3.1.1.4.9.6   DomainOf
> procedure DomainOf(o: DSName): DSName
> This procedure returns the DSName of the domain NC to which the given DSName o belongs. It returns null upon failure.
>
> 3.1.1.4.9.7   GetDSNameFromPrimaryGroupId
> procedure GetDSNameFromPrimaryGroupId(rid: Rid): DSName
> This procedure constructs a SID s consisting of the domain SID of the DC's default domain and the given relative identifier (RID) rid, and returns the DSName of the object o for which o!objectSid = s. If no such object o exists, then this procedure will return null.
>
> AFTER ---
> 3.1.1.4.9.6   DomainOf
> procedure DomainOf(o: DSName): DSName
> This procedure returns the DSName of the domain NC to which the given DSName o belongs. It returns null upon failure.
>
> <content added>
> 3.1.1.4.9.7   GetDSNameOfEnterpriseRODCsGroup
> procedure GetDSNameOfEnterpriseReadonlyDomainControllerGroup(): DSName
> This procedure constructs a SID s consisting of the domain SID of the root domain and the relative identifier (RID) of the Enterprise Read-only Domain Controllers Group (as defined in section 7.1.1.6.14), and returns the DSName of the object o for which o! objectSid = s. If no such object o exists, this procedure returns null.
>
> 3.1.1.4.9.8   GetDSNameFromPrimaryGroupId
> procedure GetDSNameFromPrimaryGroupId(rid: Rid): DSName
> This procedure constructs a SID s consisting of the domain SID of the DC's default domain and the given relative identifier (RID) rid, and returns the DSName of the object o for which o!objectSid = s. If no such object o exists, then this procedure will return null.
>
>
> BEFORE ---
> 3.1.1.4.9.10   GetMemberships Method
> . . .
> In the following pseudocode, the SID type is specified in [MS-DRDM] section 5.126, the IsGC procedure is specified in [MS-DRDM] section 5.67, and the DefaultNC procedure is specified in [MS-DRDM] section 5.20.
> . . .
> /* Get the initial result set from the graph. */
> wSet := {}
> for i := 0 to msgIn.ppDsNames.cDsNames - 1
>    u := msgIn.ppDsNames[i]
>    if u in vSet then
>      /* Get the subgraph by applying the predicate IsMatchedGroup
>       * on each element in the vertex set, plus u itself. */
>      uSet := {u} + select all v from vSet where
>           IsMatchedGroup(v, op, msgIn.pLimitingDomain^)
>      if transitive then
>        wSet := wSet + (Closure(uSet, aSet, u) - {u})
>      else
>        wSet := wSet + (Neighbors(uSet, aSet, u) - {u})
>      endif
>    endif
> endfor
> . . .
>
> AFTER ---
> 3.1.1.4.9.11   GetMemberships Method
> . . .
> In the following pseudocode, the ADS_UF_WORKSTATION_TRUST_ACCOUNT and ADS_UF_PARTIAL_SECRETS_ACCOUNT flags are specified in section 2.2.15, the userAccountControl attribute is specified in [MS-ADA3] section 2.341, the SID type is specified in [MS-DRDM] section 5.126, the IsGC procedure is specified in [MS-DRDM] section 5.67, and the DefaultNC procedure is specified in [MS-DRDM] section 5.20.
> . . .
> /* Get the initial result set from the graph. */
> wSet := {}
> for i := 0 to msgIn.ppDsNames.cDsNames - 1
>    u := msgIn.ppDsNames[i]
>    if u in vSet then
>      /* Get the subgraph by applying the predicate IsMatchedGroup
>       * on each element in the vertex set, plus u itself. */
>      uSet := {u} + select all v from vSet where
>           IsMatchedGroup(v, op, msgIn.pLimitingDomain^)
>      if transitive then
>        wSet := wSet + (Closure(uSet, aSet, u) - {u})
>      else
>        wSet := wSet + (Neighbors(uSet, aSet, u) - {u})
>      endif
>      if((u!userAccountControl&  ADS_UF_WORKSTATION_TRUST_ACCOUNT =
>             ADS_UF_WORKSTATION_TRUST_ACCOUNT) or
>          (u!userAccountControl&  ADS_UF_PARTIAL_SECRETS_ACCOUNT =
>             ADS_UF_PARTIAL_SECRETS_ACCOUNT))
>
>          wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
>      endif
>    endif
> endfor
> . . .
>
> Thanks!
>
> Hongwei
>
>
> -----Original Message-----
> From: Matthias Dieter Wallnöfer [mailto:mdw at samba.org]
> Sent: Wednesday, September 22, 2010 7:42 AM
> To: Hongwei Sun
> Cc: cifs-protocol at samba.org; MSSolve Case Email
> Subject: Re: [REG:110091558099846] RE: Incompleteness in MS-SAMR section 3.1.1.8.1 objectClass
>
> Okay!
>
> Greets,
> Matthias Wallnöfer
>
> Hongwei Sun wrote:
>    
>> Matthias,
>>
>>     Thanks for raising this issue with us.  First, we will add the missing definitions for UF_PARTIAL_SECRETS_ACCOUNT (0x4000000) to 2.2.1.13 MS-SAMR, USER_PARTIAL_SECRETS_ACCOUNT (0x00100000) to 2.2.1.12 MS-SAMR and DOMAIN_GROUP_RID_READONLY_DCS (0x00000209) to 2.2.1.14 MS-SAMR.   In 3.1.1.8.1 MS-SAMR, we will add the following entry to the table in item 4 showing that if userAccountControl has bits UF_WORKSTATION_TRUST_ACCOUNT & UF_PARTIAL_SECRETS_ACCOUNT, the primaryGroupId attribute MUST be updated with DOMAIN_GROUP_RID_READONLY_CONTROLLERS.
>>
>>     We are in the process of updating the document. The changes will appear in a future release of the document.  Please let us know if you have any further questions.  If not, I will consider this issue resolved.
>>
>> Thanks!
>>
>> Hongwei
>>
>>      
>
>    
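To make the primaryGroupId rule discussed in this thread concrete, here is an added example (not part of the mailing-list exchange, and not Samba's or Microsoft's code) that derives the primaryGroupId MS-SAMR 3.1.1.8.1 item 4 mandates from userAccountControl, with the RODC row Hongwei describes, and audits stored accounts against it. The UF_PARTIAL_SECRETS_ACCOUNT and DOMAIN_GROUP_RID_READONLY_DCS values are the ones quoted in the thread; the other flag and RID constants are the standard MS-SAMR values, and the sample accounts and the dict layout are constructed for the example.

```python
# userAccountControl bits (MS-SAMR 2.2.1.13). UF_PARTIAL_SECRETS_ACCOUNT is the
# value quoted in the thread; the others are the standard MS-SAMR values.
UF_PASSWD_NOT_REQD = 0x00000020
UF_NORMAL_ACCOUNT = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000

# Well-known group RIDs (MS-SAMR 2.2.1.14); READONLY_DCS is the value from the thread.
DOMAIN_GROUP_RID_USERS = 0x00000201
DOMAIN_GROUP_RID_CONTROLLERS = 0x00000204
DOMAIN_GROUP_RID_READONLY_DCS = 0x00000209
DOMAIN_GROUP_RID_COMPUTERS = 0x00000215

RODC_MASK = UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT  # both bits: the RODC row


def expected_primary_group_rid(uac: int) -> int:
    """primaryGroupId a DC MUST set for an object with this userAccountControl.
    The RODC row is tested before the plain workstation row: it is the more
    specific match, otherwise an RODC would be classified as a plain computer."""
    if uac & RODC_MASK == RODC_MASK:
        return DOMAIN_GROUP_RID_READONLY_DCS
    if uac & UF_SERVER_TRUST_ACCOUNT:
        return DOMAIN_GROUP_RID_CONTROLLERS
    if uac & UF_WORKSTATION_TRUST_ACCOUNT:
        return DOMAIN_GROUP_RID_COMPUTERS
    return DOMAIN_GROUP_RID_USERS


def audit_accounts(accounts):
    """Return (name, stored RID, expected RID) for every account whose stored
    primaryGroupId disagrees with the spec-derived value. Each account is a
    dict with 'name', 'uac' and 'primaryGroupId' keys (constructed layout)."""
    findings = []
    for acct in accounts:
        expected = expected_primary_group_rid(acct["uac"])
        if acct["primaryGroupId"] != expected:
            findings.append((acct["name"], acct["primaryGroupId"], expected))
    return findings


# Constructed sample accounts, as a directory audit might read them over LDAP.
SAMPLE_ACCOUNTS = [
    {"name": "WS01$", "uac": UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOT_REQD,
     "primaryGroupId": DOMAIN_GROUP_RID_COMPUTERS},
    {"name": "DC01$", "uac": UF_SERVER_TRUST_ACCOUNT, "primaryGroupId": DOMAIN_GROUP_RID_CONTROLLERS},
    # RODC left in the writable-DC group: the audit flags it.
    {"name": "RODC01$", "uac": RODC_MASK, "primaryGroupId": DOMAIN_GROUP_RID_CONTROLLERS},
    {"name": "alice", "uac": UF_NORMAL_ACCOUNT, "primaryGroupId": DOMAIN_GROUP_RID_USERS},
]
```

Running `audit_accounts(SAMPLE_ACCOUNTS)` reports only RODC01$, whose stored primaryGroupId is the writable-DC RID rather than DOMAIN_GROUP_RID_READONLY_DCS.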