[cifs-protocol] [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc
Matthieu Patou
mat at samba.org
Sat Mar 5 07:57:39 MST 2011
Hello Bryan,
> Matthieu,
>
> I verified my hypothesis. In both cases (with and without LDAP_DIRSYNC_OBJECT_SECURITY) the call is handled in lsass.exe at ntdsai.dll!LDAP_CONN::SearchRequest(). For reference: my testing was using Server 2008 R2 (RTM, not SP1).
>
> If LDAP_DIRSYNC_OBJECT_SECURITY is absent, we call into code that checks that the client has appropriate rights. That call fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105). That failure causes LDAP_CONN::SearchRequest() to stop there and return insufficientAccessRights (0x32/50d).
>
> Deeper down, reason the access check fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105) is that a sub-check discovers that we are not at the root of the NC and returns 8440 (0x20f8) ERROR_DS_DRA_BAD_NC "The naming context specified for this replication operation is invalid".
>
> When LDAP_DIRSYNC_OBJECT_SECURITY is present, we don't do this extra security "safety" check and skip all of the code mentioned above. We, then, fall into the next check that ultimately returns unwillingToPerform when it discovers the base of the search is not the root of the NC.
Ok, does this means that you'll update the documentation to indicate
this behavior (with a behavior note for instance ?).
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
More information about the cifs-protocol
mailing list