[cifs-protocol] [REG:111080976529107] RE: Behavior explanation on subtree delete control behavior with iscriticalsystemobject
hongweis at microsoft.com
Mon Aug 22 10:52:32 MDT 2011
Yes, you are right. Additionally, just as documented in 126.96.36.199.5.5 MS-ADTS, if the object being deleted is a SAM specific object, additional constraints will apply as per MS-SAMR 188.8.131.52.
From: Matthieu Patou [mailto:mat at samba.org]
Sent: Saturday, August 20, 2011 10:13 AM
To: Hongwei Sun
Cc: pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:111080976529107] RE: Behavior explanation on subtree delete control behavior with iscriticalsystemobject
I'm not sure I have 100% understood, please allow me to try to reformulate.
So the basic rule for isCriticalSystemObject is correct when you use the subtree delete control, but if the object has one of its objectClass values in the SAM specific object list (184.108.40.206.2.3) then isCriticalSystemObject is not checked, am I right? Or are there more constraints to check?
On 20/08/2011 00:52, Hongwei Sun wrote:
> I finished the investigation on this behavior. As per MS-ADTS 220.127.116.11.7.2, when a tree deletion is performed, every object in the tree will be checked to see if it has isCriticalSystemObject set to TRUE, including the root node on which the delete operation is performed. But there is an exception if the root object is a SAM specific object (18.104.22.168.2.3 MS-ADTS). Its deletion is done through the SAM manager and the isCriticalSystemObject attribute is not checked. The root node of the tree delete in your case is CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net, which is a SAM object with the user class. Therefore the tree deletion is performed without any error.
> I performed another test in which I tried to do a tree delete on
> an object with isCriticalSystemObject set to TRUE, but the object
> itself is not a SAM object, I received an error as expected. The
> object I tried to delete is cn=ForeignSecurityPrincipals,
> I will file a request for this behavior to be documented in the constraint of tree deletion section (22.214.171.124.5.7.2 MS-ADTS).
> -----Original Message-----
> From: Matthieu Patou [mailto:mat at samba.org]
> Sent: Friday, August 12, 2011 4:19 PM
> To: Hongwei Sun
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: Re: Behavior explanation on subtree delete control behavior
> with iscriticalsystemobject
> On 12/08/2011 07:56, Hongwei Sun wrote:
>> Hi, Matthieu,
>> I have trouble decrypting the LDAP packets in the trace. Have you used Wireshark to do that?
> With the keytab provided you do
> wireshark -K path_to_keytab trace.pcap,
> Wireshark must be configured to decrypt krb5 blobs (see https://wiki.samba.org/index.php/Wireshark_Keytab).
>> Did the packet 1848 define a delete operation on record #1 with LDAP_SERVER_TREE_DELETE_OID specified? Have you checked that both records are not in the AD any more after tree deletion?
> Yes check the attached screenshot.
> And yes all the objects are removed.
> I've the feeling that the isCriticalObject rule applies only to the subobjects, that is to say if I have CN=foo,CN=bar,DC=domain,DC=tld with isCriticalObject then if I try to use the subtree delete on CN=bar,DC=domain,DC=tld it should fail. But if the isCriticalObject is only on CN=bar,DC=domain,DC=tld then the use of the deltree is permitted.
>> -----Original Message-----
>> From: Matthieu Patou [mailto:mat at samba.org]
>> Sent: Tuesday, August 09, 2011 4:08 PM
>> To: Interoperability Documentation Help; pfif at tridgell.net;
>> cifs-protocol at samba.org
>> Subject: Behavior explanation on subtree delete control behavior with
>> I found an interesting problem
>> In MS-ADTS it is said:
>> 126.96.36.199.5.7.2 Tree-delete Constraints
>> All regular delete operation constraints apply on each object being deleted.
>> The tree-delete operation may not be applied to an NC root.
>> Objects with isCriticalSystemObject attribute equal to true may not be deleted by the tree-delete operation (this also applies to objects in the subtree being deleted).
>> This constraint is checked object-by-object, and deletion stops if some deletion would violate this constraint. Because, as explained in the next section, deleted objects never have children, the result after deletion stops due to this constraint is a tree. The resultant tree may not be the same as the original tree because some objects may have been deleted prior to the failure.
>> My understanding is that if you try to delete an object that has the isCriticalSystemObject attribute set to TRUE, or one of the objects below it in its tree does, then the operation should fail.
>> Did I get the meaning right?
>> If so, can you explain to me how, with this configuration:
>> ./bin/ldbsearch -H ldap://172.16.100.27 -U administrator%totoTATA321 -b "CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net"
>> # record 1
>> dn: CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net
>> isCriticalSystemObject: TRUE
>> # record 2
>> dn: CN=RID Set,CN=ARES,OU=Domain
>> The delete with subtree control on the following trace at packet 1848 is working.
>> Matthieu Patou
>> Samba Team http://samba.org
>> Private repo http://git.samba.org/?p=mat/samba.git;a=summary
> Matthieu Patou
> Samba Team http://samba.org
> Private repo http://git.samba.org/?p=mat/samba.git;a=summary
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
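The following is an added model of the tree-delete constraint as the thread settles on it; it is not Samba or Microsoft code and is not taken from the MS-ADTS text. It encodes the three rules discussed above: an NC root is refused outright, every object (root included) with isCriticalSystemObject TRUE blocks the operation, and a root that is a SAM specific object is handed to SAM without its isCriticalSystemObject value being examined. The set of classes treated as "SAM specific" (`user`, `computer`, `group`) and the attributes of the sample objects are assumptions made for the model; the DNs mirror the thread's examples but the attribute values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption (model only): object classes treated as "SAM specific objects".
# The thread names the user class; MS-ADTS carries the authoritative list.
SAM_SPECIFIC_CLASSES = frozenset({"user", "computer", "group"})


@dataclass
class LdapObject:
    """A directory object carrying only the attributes the constraint looks at."""
    dn: str
    object_class: Tuple[str, ...]
    is_critical: bool = False                 # isCriticalSystemObject
    is_nc_root: bool = False                  # naming-context head, never tree-deletable
    children: List["LdapObject"] = field(default_factory=list)


@dataclass
class TreeDeleteResult:
    ok: bool
    deleted: List[str]                        # DNs removed before the operation stopped
    failed_on: Optional[str] = None           # DN that violated the constraint


def is_sam_object(obj: LdapObject) -> bool:
    return any(c in SAM_SPECIFIC_CLASSES for c in obj.object_class)


def tree_delete(root: LdapObject) -> TreeDeleteResult:
    """Model of LDAP_SERVER_TREE_DELETE_OID processing as described in the thread.

    * The operation is refused outright on an NC root.
    * Every object, root included, must not have isCriticalSystemObject TRUE,
      except that a root which is a SAM specific object goes through SAM and
      its isCriticalSystemObject value is not examined.
    * Objects are removed leaf-first, so a failure part-way leaves a smaller
      tree rather than orphaned children (the "resultant tree" of the spec).
    """
    if root.is_nc_root:
        return TreeDeleteResult(False, [], root.dn)

    result = TreeDeleteResult(True, [])

    def delete(obj: LdapObject, is_root: bool) -> bool:
        # Children go first (post-order); the order among siblings is a
        # modelling choice and decides which objects vanish before a failure.
        for child in list(obj.children):
            if not delete(child, False):
                return False
        skip_check = is_root and is_sam_object(obj)
        if obj.is_critical and not skip_check:
            result.ok = False
            result.failed_on = obj.dn
            return False
        obj.children.clear()
        result.deleted.append(obj.dn)
        return True

    delete(root, True)
    return result


def build_thread_case() -> LdapObject:
    # Constructed sample mirroring the thread's DNs: a DC computer account
    # (SAM object, critical) with its RID Set child. The child's attributes
    # are invented for the model, not read from the original trace.
    base = "OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net"
    rid_set = LdapObject(f"CN=RID Set,CN=ARES,{base}", ("rIDSet",))
    return LdapObject(f"CN=ARES,{base}", ("computer", "user"),
                      is_critical=True, children=[rid_set])


def build_critical_child_case() -> LdapObject:
    # Constructed: a plain container whose subtree holds a critical object,
    # the situation Matthieu describes with CN=foo,CN=bar,DC=domain,DC=tld.
    foo = LdapObject("CN=foo,CN=bar,DC=domain,DC=tld", ("container",), is_critical=True)
    baz = LdapObject("CN=baz,CN=bar,DC=domain,DC=tld", ("container",))
    return LdapObject("CN=bar,DC=domain,DC=tld", ("container",), children=[baz, foo])


if __name__ == "__main__":
    for case in (build_thread_case(), build_critical_child_case()):
        print(case.dn, "->", tree_delete(case))
```

Running the two constructed cases shows the asymmetry the thread is about: the CN=ARES subtree is removed entirely despite the root's isCriticalSystemObject TRUE, while the CN=bar subtree stops at CN=foo after CN=baz has already been deleted, which is why a failed tree delete should be audited as a partial change rather than a no-op.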