[cifs-protocol] [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc

Bryan Burgin bburgin at microsoft.com
Sat Mar 5 08:33:09 MST 2011


Yes.  I sent subsequent mail with the change I recommended, copied below.

Thank you for your patience.

Bryan

Matthieu,

To close this out, I filed a request with the owners of [MS-ADTS] recommending the following Windows Behavior Note:

At the text in 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID "If the base of the search is not the root of an NC, the server will return the error insufficientAccessRights / <unrestricted>." add <WBN>

<WBN> Windows will return insufficientAccessRights if the base of the search is not the root of an NC and LDAP_DIRSYNC_OBJECT_SECURITY is not set.

Bryan

-----Original Message-----
From: Matthieu Patou [mailto:mat at samba.org] 
Sent: Saturday, March 05, 2011 6:58 AM
To: Bryan Burgin
Cc: pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc

Hello Bryan,


> Matthieu,
>
> I verified my hypothesis.  In both cases (with and without LDAP_DIRSYNC_OBJECT_SECURITY) the call is handled in lsass.exe at ntdsai.dll!LDAP_CONN::SearchRequest().  For reference: my testing was using Server 2008 R2 (RTM, not SP1).
>
> If LDAP_DIRSYNC_OBJECT_SECURITY is absent, we call into code that checks that the client has appropriate rights.  That call fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105).  That failure causes LDAP_CONN::SearchRequest() to stop there and return insufficientAccessRights (0x32/50d).
>
> Deeper down, the reason the access check fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105) is that a sub-check discovers that we are not at the root of the NC and returns 8440 (0x20f8) ERROR_DS_DRA_BAD_NC "The naming context specified for this replication operation is invalid".
>
> When LDAP_DIRSYNC_OBJECT_SECURITY is present, we don't do this extra security "safety" check and skip all of the code mentioned above.  We, then, fall into the next check that ultimately returns unwillingToPerform when it discovers the base of the search is not the root of the NC.
OK, does this mean that you'll update the documentation to indicate this behavior (with a behavior note, for instance)?

--
Matthieu Patou

Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
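The thread above describes two results for a DirSync search whose base is not the root of an NC: insufficientAccessRights (50) when LDAP_DIRSYNC_OBJECT_SECURITY is absent, unwillingToPerform (53) when it is present. The following is an added example, not code from the thread, from Samba or from Microsoft: it hand-encodes and decodes the BER value of the LDAP_SERVER_DIRSYNC_OID control (SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }, per [MS-ADTS] 3.1.1.3.4.1.3) so that a client can set the flag deliberately, and records the two result codes the thread reports. The flag constants are the [MS-ADTS] values; the choice to carry flags as a signed 32-bit INTEGER (so that the 0x80000000 bit encodes as a negative number) is an assumption of this example, as is the helper name expected_error_for_non_root_base, which only restates what Bryan observed on Server 2008 R2 RTM.

```python
# Added example (not from the original thread, Samba or Microsoft): build and
# parse the value of the LDAP_SERVER_DIRSYNC_OID control, and record the LDAP
# resultCode the thread says Windows returns for a non-NC-root search base.

LDAP_SERVER_DIRSYNC_OID = "1.2.840.113556.1.4.841"

# Flag bits of the DirSync control ([MS-ADTS] 3.1.1.3.4.1.3).
LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001
LDAP_DIRSYNC_ANCESTORS_FIRST_ORDER = 0x00000800
LDAP_DIRSYNC_PUBLIC_DATA_ONLY = 0x00002000
LDAP_DIRSYNC_INCREMENTAL_VALUES = 0x80000000

# LDAP resultCode values (RFC 4511).
LDAP_INSUFFICIENT_ACCESS_RIGHTS = 50
LDAP_UNWILLING_TO_PERFORM = 53


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    body = value.to_bytes(nbytes, "big", signed=True)
    return b"\x02" + _ber_length(len(body)) + body


def _ber_octet_string(data: bytes) -> bytes:
    """OCTET STRING (tag 0x04)."""
    return b"\x04" + _ber_length(len(data)) + data


def encode_dirsync_value(flags: int, max_bytes: int, cookie: bytes = b"") -> bytes:
    """Encode SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }.

    Assumption of this example: flags travels as a signed 32-bit INTEGER, so a
    set LDAP_DIRSYNC_INCREMENTAL_VALUES bit is encoded as a negative value.
    """
    if flags & 0x80000000:
        flags -= 1 << 32
    body = _ber_integer(flags) + _ber_integer(max_bytes) + _ber_octet_string(cookie)
    return b"\x30" + _ber_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + length], pos + length


def decode_dirsync_value(value: bytes):
    """Parse a DirSync control value back into (flags, max_bytes, cookie).

    flags is returned as an unsigned 32-bit value, undoing the signed encoding.
    """
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("DirSync value is not a single SEQUENCE")
    tag, raw_flags, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("flags is not an INTEGER")
    tag, raw_max, pos = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("maxBytes is not an INTEGER")
    tag, cookie, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("cookie is not a trailing OCTET STRING")
    flags = int.from_bytes(raw_flags, "big", signed=True) & 0xFFFFFFFF
    max_bytes = int.from_bytes(raw_max, "big", signed=True)
    return flags, max_bytes, bytes(cookie)


def expected_error_for_non_root_base(flags: int) -> int:
    """resultCode the thread reports for a search base that is not an NC root
    (observed on Server 2008 R2 RTM): 53 with LDAP_DIRSYNC_OBJECT_SECURITY, 50 without."""
    if flags & LDAP_DIRSYNC_OBJECT_SECURITY:
        return LDAP_UNWILLING_TO_PERFORM
    return LDAP_INSUFFICIENT_ACCESS_RIGHTS


if __name__ == "__main__":
    # Constructed values: first DirSync pass (empty cookie), with the
    # object-security flag set, as a client would send it.
    value = encode_dirsync_value(LDAP_DIRSYNC_OBJECT_SECURITY, 0x7FFFFFFF)
    print(LDAP_SERVER_DIRSYNC_OID, value.hex())
    print(decode_dirsync_value(value))
    print("expected error for non-NC-root base:",
          expected_error_for_non_root_base(LDAP_DIRSYNC_OBJECT_SECURITY))
```

The encoded bytes can be handed to any LDAP client library as the value of a critical control with OID 1.2.840.113556.1.4.841; the decoder is the same logic a server-side handler would run before deciding which of the two checks in the thread applies.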
