[cifs-protocol] [REG113100710843173]: Question about LDAP delete operation on Administrator and other built-in accounts
edgaro at microsoft.com
Tue Oct 8 16:13:20 MDT 2013
It was nice working with the team at the IO lab. Please find the references and explanation as follows.
Your observation is correct. The restriction is relevant as specified in MS-ADTS. The Delete Operation constraints ([MS-ADTS] 22.214.171.124.5) has a clause on SAM-specific objects.
After reviewing the source code and documents, I have opened a technical document issue to request further details regarding the 1000 value. Well-known accounts have a RID value that is less than 1000. Consequently SAMR uses 1000 as the minimum domain RID for rIDAvailablePool.
The builtin account RID check applies to SamrDeleteAlias(), SamrDeleteGroup() and SamrDeleteUser.
Let's me know whether this helps!
126.96.36.199.5 Delete Operation
· If the object being deleted is a SAM-specific object (section 188.8.131.52.2.3<http://msdn.microsoft.com/en-us/library/cc223445.aspx>), additional constraints apply (see [MS-SAMR] section 184.108.40.206<http://msdn.microsoft.com/en-us/library/cc245800.aspx>).
220.127.116.11.2.3 Special Classes and Attributes
This section defines three sets of object classes: LSA-specific object classes, SAM-specific object classes, and schema object classes. These sets are mentioned elsewhere in the specification, because special processing is applied to instances of these classes.
Each set includes both the specific object classes mentioned here and any subclasses of these object classes.
· LSA-specific object classes: secret<http://msdn.microsoft.com/en-us/library/cc221792.aspx>, trustedDomain<http://msdn.microsoft.com/en-us/library/cc221820.aspx> (originating updates only, in AD DS only).
· SAM-specific object classes: group<http://msdn.microsoft.com/en-us/library/cc221861.aspx>, samDomain<http://msdn.microsoft.com/en-us/library/cc221779.aspx>, samServer<http://msdn.microsoft.com/en-us/library/cc221789.aspx>, user<http://msdn.microsoft.com/en-us/library/cc221822.aspx> (originating updates only, in AD DS only).
· Schema object classes: attributeSchema<http://msdn.microsoft.com/en-us/library/cc221662.aspx>, classSchema<http://msdn.microsoft.com/en-us/library/cc221755.aspx> (originating and replicated updates).
This section also defines one set of attributes: foreign principal object (FPO)<http://msdn.microsoft.com/en-us/library/b645c125-a7da-4097-84a1-2fa7cea07714#fpo>-enabled attributes. This set is mentioned elsewhere in the specification, because special processing is applied to instances of these attributes.
· FPO-enabled attributes: member<http://msdn.microsoft.com/en-us/library/cc220525.aspx>, msDS-MembersForAzRole<http://msdn.microsoft.com/en-us/library/cc220305.aspx>, msDS-NeverRevealGroup<http://msdn.microsoft.com/en-us/library/cc220317.aspx>, msDS-NonMembers<http://msdn.microsoft.com/en-us/library/cc220319.aspx>, msDS-RevealOnDemandGroup<http://msdn.microsoft.com/en-us/library/cc220364.aspx>, msDS-ServiceAccount<http://msdn.microsoft.com/en-us/library/cc221226.aspx>.
18.104.22.168 Delete Pattern
22.214.171.124.1 SamrDeleteGroup (Opnum 23)
5. If the RID of G's objectSid attribute is less than 1000, an error MUST be returned.
126.96.36.199.2 SamrDeleteAlias (Opnum 30)
5. If the RID of A's objectSid attribute value is less than 1000, an error MUST be returned.
188.8.131.52.3 SamrDeleteUser (Opnum 35)
5. If the RID of U's objectSid attribute value is less than 1000, an error MUST be returned.
/* Locate or create the RID Set object for the client DC. */
serverObj := clientDsaObj!parent
clientComputerObj := serverObj!serverReference
if clientComputerObj!rIDSetReference = null then
clientRidSetObj := An implementation defined DSName in the
default NC such that not ObjExists(clientRidSetObj)
Create object with DSName clientRidSetObject such that
rIDSet in clientRidSetObject!objectClass
/* Windows Behavior: Windows sets clientRidSetObj to be a child
* of clientComputerObj. */
clientComputerObj!rIDSetReference := clientRidSetObj
clientRidSetObj := clientComputerObj!rIDSetReference
/* Get the current RID allocation for the client DC. */
ridAllocLoHi := clientRidSetObj!rIDAllocationPool
ridAvailHi := most significant 32 bits of ridAvailLoHi
ridReqHi := most significant 32 bits of msgIn.liFsmoInfo
if ridAllocLoHi = 0 or ridAvailHi = 0 or ridReqHi ≥ ridAvailHi then
/* The client DC has indeed exhausted its current allocation,
* according to our records. */
/* Get the range of RIDs that have not yet been allocated to any
* DC. */
ridAvailLoHi := fsmoObj!rIDAvailablePool
ridAvailLo := least significant 32 bits of ridAvailLoHi
ridAvailHi := most significant 32 bits of ridAvailLoHi
/* Select a subset of the unallocated RIDs and allocate them to
* the client. */
Assign a value to ridAllocHi according to any implementation-
defined policy such that ridAvailLo < ridAllocHi < ridAvailHi.
/* Windows Behavior: By default, Windows sets ridAllocHi to
* ridAvailLo + 500. */
ridAllocLoHi := ridAvailLo as least significant 32 bits and
ridAllocHi as most significant 32 bits
ridAvailLo := ridAllocHi + 1
ridAvailLoHi := ridAvailLo as least significant 32 bits and
ridAvailHi as most significant 32 bits
fsmoObj!rIDAvailablePool := ridAvailLoHi
clientRidSetObj!rIDAllocationPool := ridAllocLoHi
msgOut.liFsmoInfo := ridAllocLoHi
From: Edgar Olougouna
Sent: Monday, October 07, 2013 11:37 AM
To: Nadezhda Ivanova
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: [REG113100710843173]: Question about LDAP delete operation on Administrator and other built-in accounts
I will investigate this and follow-up.
From: Bryan Burgin
Sent: Monday, October 07, 2013 11:25 AM
To: Nadezhda Ivanova
Cc: cifs-protocol at samba.org<mailto:cifs-protocol at samba.org>; MSSolve Case Email
Subject: [REG113100710843173]: Question about LDAP delete operation on Administrator and other built-in accounts
Thank you for your question. We created SR 113100710843173 to track this issue. An engineer from the Protocols will contact you soon.
From: nivanova.samba at gmail.com<mailto:nivanova.samba at gmail.com> [mailto:nivanova.samba at gmail.com] On Behalf Of Nadezhda Ivanova
Sent: Monday, October 7, 2013 5:55 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org<mailto:cifs-protocol at samba.org>
Subject: Question about LDAP delete operation on Administrator and other built-in accounts
At the I/O Lab we asked about the restrictions that apply on performing a delete operation on built-in accounts. To explain the correct behavior, Edgar kindly supplied the following references:
184.108.40.206.5.1.1 Tombstone Requirements
A protected object may not be deleted and transformed into a tombstone (see Protected Objects (section <http://msdn.microsoft.com/en-us/library/cc223483.aspx> 220.127.116.11.5.3<http://msdn.microsoft.com/en-us/library/cc223483.aspx>)<http://msdn.microsoft.com/en-us/library/cc223483.aspx>).
18.104.22.168.5.3 Protected Objects
22.214.171.124.1.2 Protected Objects
o well-known security principals:
* of class user<http://msdn.microsoft.com/en-us/library/cc221822.aspx> with RID = DOMAIN_USER_RID_ADMIN
However, some testing revealed that the last reference which we hoped would explain why the Administrator should not be deleted, appears to not be relevant to the case. Delete operation on any built-in account or predefined domain rid returns LDAP error 80, and the group membership does not really affect the deletion of users or groups.
So after some digging, I found this:
Namely: If the RID of U's objectSid attribute value is less than 1000, an error MUST be returned.
Could you please confirm that this is indeed the only restriction relevant to the case?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cifs-protocol