[cifs-protocol] [REG:114112412079949] Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?

Obaid Farooqi obaidf at microsoft.com
Tue Dec 2 16:06:47 MST 2014


Hi Andrew:
As per MS-DRSR, section "4.1.8.2.4 GetDSNameOfEnterpriseRODCsGroup", the procedure GetDSNameOfEnterpriseRODCsGroup is going to return an object whose SID is <domain SID>-498. This SID is for the group object CN=Enterprise Read-Only Domain Controllers.

So the following snippet in effect will add the DSName of the above object to the wSet if the u object happens to be a workstation or an RODC. The workstation object is not added to the set.

if ((u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT = ADS_UF_WORKSTATION_TRUST_ACCOUNT) or
    (u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT = ADS_UF_PARTIAL_SECRETS_ACCOUNT))
    wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
endif

Please let me know if I did not understand your question correctly or the above explanation does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
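
The following is an added example, not text or code from MS-ADTS, MS-DRSR or Samba. It evaluates the quoted condition against a few constructed computer and user objects, once with the 'or' as documented and once with the 'and' Andrew asks about, so the objects for which the two readings differ are visible. The ADS_UF_* values are the documented userAccountControl bits; the domain SID, account names and the RID 498 suffix (from the MS-DRSR section quoted above) are used as given, and the sample accounts are constructed for illustration.

```python
"""Evaluate the ADS_UF_* test from the IDL_DRSGetMemberships pseudocode.

Added example, not from MS-ADTS, MS-DRSR or Samba. Flag values are the
documented userAccountControl bits; the sample accounts and the domain SID
are constructed for illustration.
"""

# userAccountControl bits (MS-ADTS 2.2.16 / ADS_USER_FLAG_ENUM).
ADS_UF_NORMAL_ACCOUNT = 0x00000200
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
ADS_UF_SERVER_TRUST_ACCOUNT = 0x00002000
ADS_UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000

# RID of CN=Enterprise Read-Only Domain Controllers (the <domain SID>-498 in the thread).
ENTERPRISE_RODCS_RID = 498


def enterprise_rodcs_group_sid(domain_sid: str) -> str:
    """Mirror GetDSNameOfEnterpriseRODCsGroup: the group's SID is <domain SID>-498."""
    return f"{domain_sid}-{ENTERPRISE_RODCS_RID}"


def has_flag(uac: int, flag: int) -> bool:
    """The spec's `(u!userAccountControl & FLAG = FLAG)` test, written out."""
    return (uac & flag) == flag


def adds_rodcs_group_as_documented(uac: int) -> bool:
    """Condition as written in MS-ADTS 4.1.8.3: WORKSTATION_TRUST *or* PARTIAL_SECRETS."""
    return (has_flag(uac, ADS_UF_WORKSTATION_TRUST_ACCOUNT)
            or has_flag(uac, ADS_UF_PARTIAL_SECRETS_ACCOUNT))


def adds_rodcs_group_with_and(uac: int) -> bool:
    """Condition with the 'and' proposed in the question: both bits required."""
    return (has_flag(uac, ADS_UF_WORKSTATION_TRUST_ACCOUNT)
            and has_flag(uac, ADS_UF_PARTIAL_SECRETS_ACCOUNT))


# Constructed sample objects: name -> userAccountControl. An RODC computer
# account carries both WORKSTATION_TRUST_ACCOUNT and PARTIAL_SECRETS_ACCOUNT,
# a writable DC carries SERVER_TRUST_ACCOUNT, and a member workstation carries
# only WORKSTATION_TRUST_ACCOUNT.
SAMPLE_ACCOUNTS = {
    "alice (user)": ADS_UF_NORMAL_ACCOUNT,
    "WS01$ (member workstation)": ADS_UF_WORKSTATION_TRUST_ACCOUNT,
    "RODC01$ (read-only DC)": ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_PARTIAL_SECRETS_ACCOUNT,
    "DC01$ (writable DC)": ADS_UF_SERVER_TRUST_ACCOUNT,
}


def w_set_members(accounts, rule, domain_sid):
    """Names whose wSet would gain <domain SID>-498 under `rule`, mapped to that SID."""
    group = enterprise_rodcs_group_sid(domain_sid)
    return {name: group for name, uac in accounts.items() if rule(uac)}


def accounts_where_rules_differ(accounts=SAMPLE_ACCOUNTS):
    """Objects for which the 'or' and 'and' readings give different answers."""
    return sorted(name for name, uac in accounts.items()
                  if adds_rodcs_group_as_documented(uac) != adds_rodcs_group_with_and(uac))


if __name__ == "__main__":
    domain_sid = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
    for label, rule in (("or (as documented):", adds_rodcs_group_as_documented),
                        ("and (as proposed): ", adds_rodcs_group_with_and)):
        print(label, sorted(w_set_members(SAMPLE_ACCOUNTS, rule, domain_sid)))
    print("differ:", accounts_where_rules_differ())
```

Because a PARTIAL_SECRETS_ACCOUNT object in practice also has WORKSTATION_TRUST_ACCOUNT set, the two readings agree for RODCs, writable DCs and users, and differ only for plain member workstations, which is exactly the case the question raises.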

-----Original Message-----
From: "Obaid Farooqi" <obaidf at microsoft.com> 
Sent: Tuesday, November 25, 2014 11:11 PM
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:114112412079949] Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?

Hi Andrew: 
I'll help you with this issue and would be in touch as soon as I have an answer. 

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft 

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: "Vilmos Foltenyi" <vilmosf at microsoft.com>
Sent: Sunday, November 23, 2014 11:28 PM
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:114112412079949] Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts? 

[dochelp to Bcc, SR # to Subject] 

Hi Andrew, 

Thank you for your question. I created the case SR 114112412079949 to track this issue with the Protocol Documentation support team. An engineer from our team will contact you soon via e-mail to begin working with you.

Regards,
Vilmos Foltenyi - MSFT 

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Sunday, November 23, 2014 20:32
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts? 

In MS-ADTS 4.1.8.3 Server Behavior of the IDL_DRSGetMemberships Method 

It has this in the pseudocode: 

if ((u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT = ADS_UF_WORKSTATION_TRUST_ACCOUNT) or
    (u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT = ADS_UF_PARTIAL_SECRETS_ACCOUNT))
    wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
endif

I'm curious about the 'or' in the middle of the if statement.  Shouldn't it be an 'and', because you only want to put the object in the EnterpriseRODCs Group if it is both a workstation trust account and a partial secrets account (otherwise, all workstations would be in it)?

Thanks, 

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
