[cifs-protocol] [REG:114112412079949] Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?

Obaid Farooqi obaidf at microsoft.com
Tue Nov 25 22:10:56 MST 2014


Hi Andrew:
I'll help you with this issue and will be in touch as soon as I have an answer.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: "Vilmos Foltenyi" <vilmosf at microsoft.com> 
Sent: Sunday, November 23, 2014 11:28 PM
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:114112412079949] Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?

[dochelp to Bcc, SR # to Subject] 

Hi Andrew, 

Thank you for your question. I created the case SR 114112412079949 to track this issue with the Protocol Documentation support team. An engineer from our team will contact you soon via e-mail to begin working with you.

Regards,
Vilmos Foltenyi - MSFT 

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Sunday, November 23, 2014 20:32
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts? 

In MS-ADTS 4.1.8.3 Server Behavior of the IDL_DRSGetMemberships Method 

It has this in the pseudocode: 

if((u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT =
    ADS_UF_WORKSTATION_TRUST_ACCOUNT) or
   (u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT =
    ADS_UF_PARTIAL_SECRETS_ACCOUNT))
  wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
endif

I'm curious about the 'or' in the middle of the if statement. Shouldn't it be an 'and', because you only want to put the object in the EnterpriseRODCs Group if it is both a workstation trust account, and a partial secrets account (otherwise, all workstations would be in it).

Thanks, 

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT  http://catalyst.net.nz/services/samba
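
The difference between the two readings of the condition quoted in the message above, as an added example (not part of the original thread and not text from MS-ADTS): it evaluates the test with 'or' and with 'and' over a few accounts and reports where the results diverge. The account names and their userAccountControl values are constructed samples; the flag constants are the documented userAccountControl bit values.

```python
# Added illustration only; sample accounts below are constructed.
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
ADS_UF_SERVER_TRUST_ACCOUNT = 0x00002000
ADS_UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000

ENTERPRISE_RODCS = "Enterprise Read-only Domain Controllers"


def has_flag(uac, flag):
    """Mirror of the pseudocode test: (uac & FLAG) = FLAG."""
    return (uac & flag) == flag


def membership_or(uac):
    """Condition as quoted from the pseudocode ('or')."""
    return (has_flag(uac, ADS_UF_WORKSTATION_TRUST_ACCOUNT)
            or has_flag(uac, ADS_UF_PARTIAL_SECRETS_ACCOUNT))


def membership_and(uac):
    """Condition as proposed in the question ('and')."""
    return (has_flag(uac, ADS_UF_WORKSTATION_TRUST_ACCOUNT)
            and has_flag(uac, ADS_UF_PARTIAL_SECRETS_ACCOUNT))


def compare_readings(accounts):
    """Return {name: (added_under_or, added_under_and)}."""
    return {name: (membership_or(uac), membership_and(uac))
            for name, uac in accounts.items()}


def divergent(accounts):
    """Names that receive the group under one reading but not the other."""
    return sorted(n for n, (o, a) in compare_readings(accounts).items() if o != a)


# Constructed sample accounts (hypothetical names, typical flag combinations).
SAMPLE_ACCOUNTS = {
    "WKSTN01$": ADS_UF_WORKSTATION_TRUST_ACCOUNT,
    "RODC01$": ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_PARTIAL_SECRETS_ACCOUNT,
    "DC01$": ADS_UF_SERVER_TRUST_ACCOUNT,
    "alice": 0x00000200,  # normal user account
}

if __name__ == "__main__":
    for name, (o, a) in compare_readings(SAMPLE_ACCOUNTS).items():
        print(f"{name:10} or={o!s:5} and={a!s:5}")
    print("Differs for:", divergent(SAMPLE_ACCOUNTS), "->", ENTERPRISE_RODCS)
```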