[cifs-protocol] [REG:111020102754615] RE: behavior of windows with/without the DS-Replication-Get-Changes-In-Filtered-Set right
tomjebo at microsoft.com
Mon Jan 31 17:57:58 MST 2011
I've created case 111020102754615 and one of the Open Specifications team will be contacting you shortly to start working with you on this problem.
Microsoft Open Specifications
From: Matthieu Patou [mailto:mat at samba.org]
Sent: Monday, January 31, 2011 5:35 PM
To: pfif at tridgell.net; Interoperability Documentation Help; cifs-protocol at samba.org
Subject: behavior of windows with/without the DS-Replication-Get-Changes-In-Filtered-Set right
Dear doc team,
"If the flag is not specified, the server MUST do the following:
If the server is running Windows Server(r) 2008 operating system or Windows Server(r) 2008 R2 operating system and the client has requested any attributes in the filtered attribute set, the server checks that the client has the DS-Replication-Get-Changes-In-Filtered-Set control access right (section 126.96.36.199.7.71
or else returns the /insufficientAccessRights/ error to the client."
The flag that we are talking about is LDAP_SERVER_DIRSYNC_OID.
I either have some problems to understand the meaning of "requested any attributes in the filtered attribute set" or I have problems requesting them or something else as I'm unable to test this particular case.
In w2k8r2 I created a user and granted him DS-Replication-Get-Changes, but not DS-Replication-Get-Changes-In-Filtered-Set so I'm expecting that when I add the filter "(samaccountname=ad*)", in the ldap request, that the system will reject my request but it's not so I'm wondering what is exactly "the filtered attribute set" ? Can you clarify this point ?
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
More information about the cifs-protocol