[cifs-protocol] server behavior with dirsync control when the search base is not a root of a nc

Matthieu Patou mat at samba.org
Mon Jan 31 14:42:30 MST 2011


Dear doc team,

I have some questions related to the behavior of w2k8r2 vs what is 
described in the documentation.

MS-ADTS.pdf at paragraph "3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID" says:

"If the base of the search is not the root of an NC, the server will 
return the error unwillingToPerform
([RFC2251] section 4.1.10). If the search scope is not subtree scope, 
the server will treat the search
as if subtree scope was specified."


If I do a search with ldbsearch with LDAP_DIRSYNC_OBJECT_SECURITY not 
set, like this, on the base "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net":
mat at ares:/usr/local/src/samba4/source4$ ./bin/ldbsearch 
--controls="dirsync:1:0:1000" -H ldap://172.16.100.25 -U 
administrator%totoTATA123 '(samaccountname=simple)' -b 
"CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net"

I get
search error - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - 
<00002105: LdapErr: DSID-0C0908C0, comment: Error processing control, 
data 0, v1db0> <>

I suppose I should have unwilling_to_perform.


If I set the LDAP_DIRSYNC_OBJECT_SECURITY flag with the same user and 
the same base:
mat at ares:/usr/local/src/samba4/source4$ ./bin/ldbsearch 
--controls="dirsync:1:1:1000" -H ldap://172.16.100.25 -U 
administrator%totoTATA123 '(samaccountname=simple)' -b 
"CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net"

Then I correctly get the "unwilling_to_perform" error.
search error - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <000020F7: 
LdapErr: DSID-0C0908F3, comment: Error processing control, data 0, v1db0> <>


Can you explain if I missed something in the doc or if the doc is not 
accurate?

Regards
Matthieu.


-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
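
Added example, not part of the original message or of Samba's code: it decodes the two ldbsearch control strings used above and builds the BER control value sent with LDAP_SERVER_DIRSYNC_OID, showing that the two requests differ only in the Flags integer. It assumes the ldb string layout dirsync:crit:flags:max[:base64-cookie] and the MS-ADTS layout SEQUENCE { Flags, MaxBytes, Cookie }; the function and field names are hypothetical.

```python
import base64

DIRSYNC_OID = "1.2.840.113556.1.4.841"  # LDAP_SERVER_DIRSYNC_OID
LDAP_DIRSYNC_OBJECT_SECURITY = 0x1       # flag named in the message above


def _ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(v):
    """BER INTEGER for a non-negative value (extra byte keeps the sign bit clear)."""
    if v < 0:
        raise ValueError("only non-negative values are handled here")
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _ber_len(len(body)) + body


def _ber_octets(b):
    return b"\x04" + _ber_len(len(b)) + b


def parse_ldb_dirsync(spec):
    """Split "dirsync:crit:flags:max[:base64-cookie]" into its fields."""
    parts = spec.split(":")
    if parts[0] != "dirsync" or len(parts) not in (4, 5):
        raise ValueError("not a dirsync control string: %r" % spec)
    cookie = base64.b64decode(parts[4]) if len(parts) == 5 else b""
    flags = int(parts[2])
    return {"critical": parts[1] == "1", "flags": flags,
            "max": int(parts[3]), "cookie": cookie,
            "object_security": bool(flags & LDAP_DIRSYNC_OBJECT_SECURITY)}


def dirsync_request_value(flags, max_value, cookie=b""):
    """SEQUENCE { Flags INTEGER, MaxBytes INTEGER, Cookie OCTET STRING }."""
    body = _ber_int(flags) + _ber_int(max_value) + _ber_octets(cookie)
    return b"\x30" + _ber_len(len(body)) + body


if __name__ == "__main__":
    for spec in ("dirsync:1:0:1000", "dirsync:1:1:1000"):  # the two runs above
        f = parse_ldb_dirsync(spec)
        value = dirsync_request_value(f["flags"], f["max"], f["cookie"])
        print(spec, "object_security=%s" % f["object_security"], value.hex())
```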



