[cifs-protocol] [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc
bburgin at microsoft.com
Sat Mar 5 08:33:09 MST 2011
Yes. I sent subsequent mail with the change I recommended, copied below.
Thank you for your patience.
To close this out, I filed a request with the owners of [MS-ADTS] recommending the following Windows Behavior Note:
At the text in 188.8.131.52.4.1.3 LDAP_SERVER_DIRSYNC_OID "If the base of the search is not the root of an NC, the server will return the error insufficientAccessRights / <unrestricted>. " add <WBN>
<WBN> Windows will return insufficientAccessRights if the base of the search is not the root of an NC and LDAP_DIRSYNC_OBJECT_SECURITY is not set.
From: Matthieu Patou [mailto:mat at samba.org]
Sent: Saturday, March 05, 2011 6:58 AM
To: Bryan Burgin
Cc: pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc
> I verified my hypothesis. In both cases (with and without LDAP_DIRSYNC_OBJECT_SECURITY) the call is handled in lsass.exe at ntdsai.dll!LDAP_CONN::SearchRequest(). For reference: my testing was using Server 2008 R2 (RTM, not SP1).
> If LDAP_DIRSYNC_OBJECT_SECURITY is absent, we call into code that checks that the client has appropriate rights. That call fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105). That failure causes LDAP_CONN::SearchRequest() to stop there and return insufficientAccessRights (0x32/50d).
> Deeper down, reason the access check fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105) is that a sub-check discovers that we are not at the root of the NC and returns 8440 (0x20f8) ERROR_DS_DRA_BAD_NC "The naming context specified for this replication operation is invalid".
> When LDAP_DIRSYNC_OBJECT_SECURITY is present, we don't do this extra security "safety" check and skip all of the code mentioned above. We, then, fall into the next check that ultimately returns unwillingToPerform when it discovers the base of the search is not the root of the NC.
Ok, does this means that you'll update the documentation to indicate this behavior (with a behavior note for instance ?).
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
More information about the cifs-protocol