[cifs-protocol] [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc

Bryan Burgin bburgin at microsoft.com
Fri Mar 4 12:01:40 MST 2011


Matthieu,

To close this out, I filed a request with the owners of [MS-ADTS] recommending the following Windows Behavior Note:

At the text in 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID "If the base of the search is not the root of an NC, the server will return the error insufficientAccessRights / <unrestricted>." add <WBN>

<WBN> Windows will return insufficientAccessRights if the base of the search is not the root of an NC and LDAP_DIRSYNC_OBJECT_SECURITY is not set.

Bryan

-----Original Message-----
From: Bryan Burgin 
Sent: Thursday, March 03, 2011 4:04 PM
To: 'mat at samba.org'; 'pfif at tridgell.net'; 'cifs-protocol at samba.org'
Cc: MSSolve Case Email
Subject: RE: [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc

Matthieu,

I verified my hypothesis.  In both cases (with and without LDAP_DIRSYNC_OBJECT_SECURITY) the call is handled in lsass.exe at ntdsai.dll!LDAP_CONN::SearchRequest().  For reference: my testing was using Server 2008 R2 (RTM, not SP1).

If LDAP_DIRSYNC_OBJECT_SECURITY is absent, we call into code that checks that the client has appropriate rights.  That call fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105).  That failure causes LDAP_CONN::SearchRequest() to stop there and return insufficientAccessRights (0x32/50d).

Deeper down, the reason the access check fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105) is that a sub-check discovers that we are not at the root of the NC and returns 8440 (0x20f8) ERROR_DS_DRA_BAD_NC "The naming context specified for this replication operation is invalid".

When LDAP_DIRSYNC_OBJECT_SECURITY is present, we don't do this extra security "safety" check and skip all of the code mentioned above.  We then fall into the next check that ultimately returns unwillingToPerform when it discovers the base of the search is not the root of the NC.

Bryan

-----Original Message-----
From: Bryan Burgin 
Sent: Tuesday, March 01, 2011 2:58 PM
To: 'mat at samba.org'; pfif at tridgell.net; cifs-protocol at samba.org
Cc: MSSolve Case Email
Subject: [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc

Hi, Matthieu,

Just a quick note that I'm closing in on this issue.  From a review of the code that is servicing this request, I believe the issue is that there is a cascade of checks that we do and in the case where you do not provide LDAP_DIRSYNC_OBJECT_SECURITY, we fail a preliminary safety check with LDAP_INSUFFICIENT_RIGHTS (0x32/50d).  If we pass that check, we then get to the code that is specific to the 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID text "If the base of the search is not the root of an NC, the server will return the error unwillingToPerform".  I have a Windows-to-Windows environment set up and a test program that I am in the process of using to confirm this hypothesis.

Bryan


-----Original Message-----
From: Matthieu Patou [mailto:mat at samba.org] 
Sent: Monday, January 31, 2011 1:43 PM
To: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: server behavior with dirsync control when the search base is not a root of a nc

Dear doc team,

I have some questions related to the behavior of w2k8r2 vs what is described in the documentation.

MS-ADTS.pdf at paragraph "3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID" says:

"If the base of the search is not the root of an NC, the server will return the error unwillingToPerform ([RFC2251] section 4.1.10). If the search scope is not subtree scope, the server will treat the search as if subtree scope was specified."


If I do a search with ldbsearch with LDAP_DIRSYNC_OBJECT_SECURITY not set, like this, on the base "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net":
mat at ares:/usr/local/src/samba4/source4$ ./bin/ldbsearch --controls="dirsync:1:0:1000" -H ldap://172.16.100.25 -U administrator%totoTATA123 '(samaccountname=simple)' -b "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net"

I get
search error - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -
<00002105: LdapErr: DSID-0C0908C0, comment: Error processing control, data 0, v1db0> <>

I suppose I should have unwilling_to_perform.


If I set the LDAP_DIRSYNC_OBJECT_SECURITY flag with the same user and the same base:
mat at ares:/usr/local/src/samba4/source4$ ./bin/ldbsearch --controls="dirsync:1:1:1000" -H ldap://172.16.100.25 -U administrator%totoTATA123 '(samaccountname=simple)' -b "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net"

Then I correctly get the "unwilling_to_perform" error.
search error - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <000020F7: LdapErr: DSID-0C0908F3, comment: Error processing control, data 0, v1db0> <>


Can you explain if I missed something in the doc or if the doc is not accurate?

Regards
Matthieu.


--
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
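An added example, not code from the thread, from Samba or from Windows: it builds and parses the controlValue that ldbsearch's "dirsync:crit:flags:maxbytes" option sends for LDAP_SERVER_DIRSYNC_OID, and models the check cascade Bryan describes so a client can predict which result code a dirsync search rooted below an NC head will get. The constant names, the BER layout of the value (SEQUENCE of flags, maxBytes, cookie) and the expected_result model are this example's assumptions drawn from the thread and [MS-ADTS] 3.1.1.3.4.1.3.

```python
# Constants from [MS-ADTS] 3.1.1.3.4.1.3 and the LDAP result codes seen in the thread.
LDAP_SERVER_DIRSYNC_OID = "1.2.840.113556.1.4.841"
LDAP_DIRSYNC_OBJECT_SECURITY = 0x1
LDAP_INSUFFICIENT_ACCESS_RIGHTS = 50   # 0x32, what ldbsearch got with flags 0
LDAP_UNWILLING_TO_PERFORM = 53         # 0x35, what ldbsearch got with flags 1

def _ber_len(n):
    # Definite-form BER length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_uint(v):
    # Minimal two's-complement encoding of a non-negative INTEGER (leading 0x00 if MSB set).
    return v.to_bytes((v.bit_length() + 8) // 8, "big")

def encode_dirsync_value(flags, max_bytes, cookie=b""):
    # controlValue is SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }.
    return _tlv(0x30, _tlv(0x02, _ber_uint(flags)) + _tlv(0x02, _ber_uint(max_bytes)) + _tlv(0x04, cookie))

def _read_tlv(data, pos):
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def decode_dirsync_value(data):
    # Inverse of encode_dirsync_value; rejects anything that is not the expected triple.
    tag, seq, end = _read_tlv(data, 0)
    fields, pos = [], 0
    while pos < len(seq):
        t, body, pos = _read_tlv(seq, pos)
        fields.append((t, body))
    if tag != 0x30 or end != len(data) or [t for t, _ in fields] != [0x02, 0x02, 0x04]:
        raise ValueError("not a dirsync controlValue")
    flags, max_bytes = (int.from_bytes(b, "big", signed=True) for _, b in fields[:2])
    return flags, max_bytes, fields[2][1]

def expected_result(flags, base_is_nc_root):
    # Check cascade Bryan describes for Server 2008 R2; assumes the caller otherwise holds the replication rights the access check wants.
    if not base_is_nc_root and not flags & LDAP_DIRSYNC_OBJECT_SECURITY:
        return LDAP_INSUFFICIENT_ACCESS_RIGHTS   # access check fails with ERROR_DS_DRA_ACCESS_DENIED
    if not base_is_nc_root:
        return LDAP_UNWILLING_TO_PERFORM         # the documented non-NC-root error
    return 0                                      # success
```

The two encoded values correspond to the "dirsync:1:0:1000" and "dirsync:1:1:1000" searches above; the model reproduces the 50-versus-53 split Matthieu observed.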
