[cifs-protocol] [REG:114102711953179] Re: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Obaid Farooqi obaidf at microsoft.com
Wed Nov 19 12:30:45 MST 2014


Hi Nadiya:
I tried the steps in the kb article and that did enable me to display the objects in the “Deleted Objects” containers for a non-admin user.
I’ll file a bug against MS-ADTS to include the “LIST CONTENTS” and “READ PROPERTY” permissions on CN=Deleted Objects container to undelete a deleted object.

I am working to see how I can provide you with instructions to see the security descriptor of the Deleted Objects container.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

From: nivanova.samba at gmail.com [mailto:nivanova.samba at gmail.com] On Behalf Of Nadezhda Ivanova
Sent: Wednesday, November 19, 2014 10:44 AM
To: Obaid Farooqi
Cc: Nadezhda Ivanova; MSSolve Case Email; cifs-protocol at samba.org
Subject: Re: [REG:114102711953179] Re: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]

Hi Obaid,
I was not able to give a LC permission to a general user via LDAP, because it appears that even Administrator does not have permissions to see or modify the security descriptor on Deleted Objects.
The only way to do it, it seems, is described here:
http://support.microsoft.com/kb/892806
and I haven't tried it.
This is the reason I am asking - apart from clarifying the required permissions - if you can provide me with an example of what the SD on Deleted Objects would look like on a fresh installation, preferably in SDDL format, or advise me on the best way to "see" it - the ADAM tool does not seem to provide such functionality. The way it lists the permissions is not specific enough for me to ensure that Samba has similar behavior.
Thank you for all your help on this matter!
Best Regards,
Nadya

On Wed, Nov 19, 2014 at 6:10 PM, Obaid Farooqi <obaidf at microsoft.com> wrote:
> Hi Nadiya:
> Still working on it. I am able to successfully repro this issue and am getting closer to a resolution.
> BTW, were you able to list the deleted objects for a general user after you gave him List Children permission on the Deleted Objects container?
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
>
> -----Original Message-----
> From: "Nadezhda Ivanova" <nivanova at samba.org>
> Sent: Monday, November 10, 2014 2:44 PM
> To: "Obaid Farooqi" <obaidf at microsoft.com>
> Cc: "Nadezhda Ivanova" <nivanova at samba.org>; "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
> Subject: [REG:114102711953179] Re: Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
>
> Hi Obaid,
> I used the control, and it did not help. After all, without it even Admin would not be able to do the undelete :).
> I attempted the exact same thing you describe, but even in ldp the general user was not able to list the contents of Deleted Objects, control or not. It worked if I bound as Administrator, and that's why I assume it is an issue with the List Children permissions granted on the Deleted Objects container.
>
> Regards,
> Nadya
>
> On Mon, Nov 10, 2014 at 9:46 PM, Obaid Farooqi <obaidf at microsoft.com> wrote:
>> Hi Nadiya:
>> I was wondering if the LDAP control "Show Deleted Object" resolved your issue.
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
>>
>> -----Original Message-----
>> From: "Obaid Farooqi" <obaidf at microsoft.com>
>> Sent: Thursday, November 6, 2014 6:03 PM
>> To: "Nadezhda Ivanova" <nivanova at samba.org>
>> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
>> Subject: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
>>
>> Hi Nadiya:
>> Have you made deleted objects visible? By default, the CN=Deleted Objects container is not displayed. You need to make the CN=Deleted Objects container visible. Here is how to do that:
>>
>> To display the Deleted Objects container:
>> 1. Open Ldp.exe, click the Options menu, then click Controls.
>> 2. In the Controls dialog, expand the Load Predefined pull-down menu, select Return deleted objects, and then click OK.
>> 3. To verify that the Deleted Objects container is displayed:
>>    a. Connect and bind to the server hosting the forest root domain of your AD DS environment.
>>    b. Click View, click Tree, and in the BaseDN field, type DC=mydomain,DC=com (where mydomain and com are the appropriate forest root domain name of your AD DS environment).
>>    c. In the console tree, double-click the root DN and locate the CN=Deleted Objects,DC=mydomain,DC=com container (where mydomain and com are the appropriate forest root domain name of your AD DS environment).
>>
>> These are ldp.exe-specific instructions, but in a nutshell: by using the Show Deleted Object control (controlType = 1.2.840.113556.1.4.417) in conjunction with search commands, you can view Active Directory objects that have been deleted.
>>
>>  Please let me know if it answers your question.
>>
>>
>>
>> Regards,
>> Obaid Farooqi
>> Escalation Engineer | Microsoft
>>
>> Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
>>
>> -----Original Message-----
>> From: nivanova.samba at gmail.com [mailto:nivanova.samba at gmail.com] On Behalf Of Nadezhda Ivanova
>> Sent: Thursday, November 6, 2014 4:27 PM
>> To: Obaid Farooqi
>> Cc: Nadezhda Ivanova; cifs-protocol at samba.org; MSSolve Case Email
>> Subject: Re: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
>>
>> Hi Obaid,
>> I am using win2008R2. The user is not able to perform the undelete, because he does not seem to have permission to list the contents of Deleted Objects, and to him, the object is non-existent. It also appears that not even Administrator can grant LC permissions to a user on the Deleted Objects container, so that effectively makes it impossible for any user other than a member of Administrators to perform an undelete... Negative testing works, though - adding ACEs that deny the permissions specified in the docs prevents even a member of the Administrators group from performing the op.
>>
>> Regards,
>> Nadya
>>
>> On Thu, Nov 6, 2014 at 7:54 PM, Obaid Farooqi <obaidf at microsoft.com> wrote:
>>> Hi Nadiya:
>>> Can you please send me an lsass ttt trace of the failure scenario, i.e. when your user has the permissions required by MS-ADTS but is still not able to undelete? Please let me know the version of the DC where you are trying to undelete the tombstone object so that I can send you the appropriate binaries.
>>>
>>> Regards,
>>> Obaid Farooqi
>>> Escalation Engineer | Microsoft
>>>
>>> Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
>>>
>>> -----Original Message-----
>>> From: "Obaid Farooqi" <obaidf at microsoft.com>
>>> Sent: Monday, November 3, 2014 12:24 PM
>>> To: "Nadezhda Ivanova" <nivanova at samba.org>
>>> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
>>> Subject: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
>>>
>>> Hi Nadiya:
>>> I am still working on this issue and will be in touch as soon as I have an answer.
>>>
>>> Regards,
>>> Obaid Farooqi
>>> Escalation Engineer | Microsoft
>>>
>>> Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
>>>
>>> -----Original Message-----
>>> From: Obaid Farooqi
>>> Sent: Tuesday, October 28, 2014 10:14 AM
>>> To: 'Nadezhda Ivanova'
>>> Cc: 'cifs-protocol at samba.org'; MSSolve Case Email
>>> Subject: RE: [REG:114102711953179] Undelete operation security
>>> considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
>>>
>>> Hi Nadiya:
>>> I'll help you with this issue and will be in touch as soon as I have an answer.
>>>
>>> Regards,
>>> Obaid Farooqi
>>> Escalation Engineer | Microsoft
>>>
>>> Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
>>>
>>> -----Original Message-----
>>> From: "Obaid Farooqi" <obaidf at microsoft.com>
>>> Sent: Monday, October 27, 2014 10:03 AM
>>> To: "Nadezhda Ivanova" <nivanova at samba.org>
>>> Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
>>> Subject: [REG:114102711953179] Undelete operation security considerations [MS-ADTS] 3.1.1.5.3.7.1 [REG: 114102711953179]
>>>
>>> Hi Nadiya:
>>> Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.
>>>
>>> Regards,
>>> Obaid Farooqi
>>> Escalation Engineer | Microsoft
>>>
>>> Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
>>>
>>> -----Original Message-----
>>> From: nivanova.samba at gmail.com [mailto:nivanova.samba at gmail.com] On Behalf Of Nadezhda Ivanova
>>> Sent: Monday, October 27, 2014 9:19 AM
>>> To: Interoperability Documentation Help
>>> Cc: cifs-protocol at samba.org
>>> Subject: Undelete operation security considerations [MS-ADTS]
>>> 3.1.1.5.3.7.1
>>>
>>> Dear Dochelp,
>>> I am currently trying to implement the proper access checking when executing an undelete operation, and I have established that the access rights described in 3.1.1.5.3.7.1, when granted to a regular Domain User, are not enough to enable that user to perform an Undelete operation.
>>>
>>> Some investigation showed that the user also needs List Children permission on the Deleted Objects container, but I can't find this mentioned in ADTS. Am I looking in the wrong place?
>>>
>>> Also, could you please direct me to where the default security descriptor of a Deleted Objects container (say, after a fresh installation) is documented? It seems that it is a special case - according to http://support.microsoft.com/kb/892806, inheritance is broken, and even Domain Admins are only allowed a very limited set of rights. I would appreciate some more specific information than the output of the tool; an example SD in SDDL format would be best.
>>>
>>> Best Regards,
>>> Nadezhda Ivanova
>>>
>>>
>>
>
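As an added example that is not part of this thread: a small Python checker that walks a DACL given in SDDL (the form Nadya asks for) and reports whether a given trustee ends up holding the LC and RP rights on CN=Deleted Objects that the reply above says will be documented. The right-bit table follows the SDDL two-letter tokens; the DACL string and SIDs are constructed for illustration and are not the real default security descriptor.

```python
"""Added example (not from the thread): walk an SDDL DACL in Windows ACE order and
report which of the rights MS-ADTS needs on CN=Deleted Objects (LC, RP) a trustee lacks."""
import re
from collections import namedtuple
# Two-letter SDDL tokens for directory-service and standard rights (ADS_RIGHT_* bits).
BASE_RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
               "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
               "WD": 0x40000, "WO": 0x80000}
# DS generic mapping: GENERIC_READ on a directory object expands to RC|LC|RP|LO.
RIGHT_BITS = dict(BASE_RIGHTS, GR=0x20000 | 0x4 | 0x10 | 0x80, GA=0xF01FF)
UNDELETE_RIGHTS = BASE_RIGHTS["LC"] | BASE_RIGHTS["RP"]
# ace_type A/D = allow/deny, OA/OD = object-specific; a non-empty object_guid scopes the
# ACE to one attribute or class; sid is a SID string or an SDDL alias such as BA or SY.
Ace = namedtuple("Ace", "ace_type rights object_guid sid")

def parse_rights(token: str) -> int:
    """Rights field: a hex mask or a run of two-letter tokens (unknown ones ignored)."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHT_BITS.get(token[i:i + 2], 0)
    return mask

def parse_dacl(sddl: str) -> list:
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)  # DACL runs from D: to the SACL (S:) or end
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, obj_guid, _inherit_guid, sid = body.split(";")
        aces.append(Ace(ace_type, parse_rights(rights), obj_guid, sid))
    return aces

def missing_rights(sddl: str, token_sids: set, wanted: int = UNDELETE_RIGHTS) -> list:
    """Names of wanted rights still missing after the walk; [] means access is granted."""
    needed = wanted
    for ace in parse_dacl(sddl):
        if ace.sid not in token_sids or ace.object_guid:
            continue  # ACE is for another trustee, or scoped to a single property/class
        if ace.ace_type in ("D", "OD") and ace.rights & needed:
            break     # explicit deny of a still-needed right ends the check as denied
        if ace.ace_type in ("A", "OA"):
            needed &= ~ace.rights  # allows accumulate until nothing is left to grant
        if not needed:
            break
    return [name for name, bit in BASE_RIGHTS.items() if bit & needed]
# Constructed DACL (not a real default SD): canonical order, explicit deny first.
DELETED_OBJECTS_SDDL = ("O:SYG:SYD:P(D;;LC;;;S-1-5-21-1-2-3-1200)"
                        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;LCRPLORC;;;BA)"
                        "(A;;LCRP;;;S-1-5-21-1-2-3-1105)(A;;RP;;;S-1-5-21-1-2-3-1300)")
```

A user holding only RP comes back with `["LC"]` missing, which is the symptom Nadya describes: the deleted object is invisible to that user even though the documented rights are present.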