[cifs-protocol] [REG:111020102754615] RE: behavior of windows with/without the DS-Replication-Get-Changes-In-Filtered-Set right

Tom Jebo tomjebo at microsoft.com
Mon Jan 31 17:57:58 MST 2011

Hi Matthieu,

I've created case 111020102754615 and one of the Open Specifications team will be contacting you shortly to start working with you on this problem.  

Best regards,
Tom Jebo
Escalation Engineer
Microsoft Open Specifications

-----Original Message-----
From: Matthieu Patou [mailto:mat at samba.org] 
Sent: Monday, January 31, 2011 5:35 PM
To: pfif at tridgell.net; Interoperability Documentation Help; cifs-protocol at samba.org
Subject: behavior of windows with/without the DS-Replication-Get-Changes-In-Filtered-Set right

Dear doc team,

This page,
http://msdn.microsoft.com/en-us/library/cc223347%28v=prot.10%29.aspx, says:

"If the flag is not specified, the server MUST do the following:
If the server is running Windows Server(r) 2008 operating system or Windows Server(r) 2008 R2 operating system and the client has requested any attributes in the filtered attribute set, the server checks that the client has the DS-Replication-Get-Changes-In-Filtered-Set control access right (section
or else returns the /insufficientAccessRights/ error to the client."

The flag that we are talking about is LDAP_SERVER_DIRSYNC_OID.
I either have some problems to understand the meaning of "requested any attributes in the filtered attribute set" or I have problems requesting them or something else as I'm unable to test this particular case.

In w2k8r2 I created a user and granted him DS-Replication-Get-Changes, but not DS-Replication-Get-Changes-In-Filtered-Set so I'm expecting that when I add the filter "(samaccountname=ad*)", in the ldap request, that the system will reject my request but it's not so I'm wondering what is exactly "the filtered attribute set" ? Can you clarify this point ?


Matthieu Patou.

Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary

More information about the cifs-protocol mailing list