[cifs-protocol] [REG:114112412079949] Re: Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?

Obaid Farooqi obaidf at microsoft.com
Fri Jan 9 13:22:52 MST 2015


Hi Andrew:
Your observation is right. For an RODC, both the ADS_UF_WORKSTATION_TRUST_ACCOUNT and ADS_UF_PARTIAL_SECRETS_ACCOUNT flags should be set in the userAccountControl attribute of the Read-Only Domain Controller Object, as documented in MS-ADTS section "6.1.1.3.2 Read-Only Domain Controller Object" as follows:
userAccountControl: {ADS_UF_PARTIAL_SECRETS_ACCOUNT | ADS_UF_WORKSTATION_TRUST_ACCOUNT}

Therefore, in the following test from MS-DRSR section "4.1.8.3 Server Behavior of the IDL_DRSGetMemberships Method", the "or" should be "and":

if((u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT =ADS_UF_WORKSTATION_TRUST_ACCOUNT) 
or (u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT =ADS_UF_PARTIAL_SECRETS_ACCOUNT))
		wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
endif

I have filed a TDI to fix this issue against MS-DRSR.


Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

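To make the difference concrete, the following small Python model of that test is added here (example code, not the spec's pseudocode and not Samba's implementation): it evaluates the published "or" form and the corrected "and" form over constructed userAccountControl values and shows that only the corrected form keeps a plain member workstation out of the Enterprise RODCs group. The flag values are the well-known MS-ADTS userAccountControl bits; the domain SID and sample accounts are constructed.

```python
# Added example: models the DRSGetMemberships test from MS-DRSR 4.1.8.3
# with the published "or" and the corrected "and".
# Flag values are the well-known userAccountControl bits from MS-ADTS.
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
ADS_UF_SERVER_TRUST_ACCOUNT = 0x00002000
ADS_UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000

# Constructed sample domain SID; Enterprise RODCs is <domain SID>-498.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ENTERPRISE_RODCS_RID = 498


def get_dsname_of_enterprise_rodcs_group(domain_sid=DOMAIN_SID):
    """Stand-in for GetDSNameOfEnterpriseRODCsGroup: returns the group SID."""
    return f"{domain_sid}-{ENTERPRISE_RODCS_RID}"


def has_flag(uac, flag):
    """True when the flag bit is set in userAccountControl."""
    return uac & flag == flag


def add_enterprise_rodcs_published(uac, wset):
    """Test as published: 'or', so a plain member workstation also matches."""
    if (has_flag(uac, ADS_UF_WORKSTATION_TRUST_ACCOUNT)
            or has_flag(uac, ADS_UF_PARTIAL_SECRETS_ACCOUNT)):
        wset = wset | {get_dsname_of_enterprise_rodcs_group()}
    return wset


def add_enterprise_rodcs_corrected(uac, wset):
    """Corrected test: both flags, as an RODC object carries both."""
    if (has_flag(uac, ADS_UF_WORKSTATION_TRUST_ACCOUNT)
            and has_flag(uac, ADS_UF_PARTIAL_SECRETS_ACCOUNT)):
        wset = wset | {get_dsname_of_enterprise_rodcs_group()}
    return wset


# Constructed sample accounts keyed by their userAccountControl value.
SAMPLE_ACCOUNTS = {
    "workstation": ADS_UF_WORKSTATION_TRUST_ACCOUNT,
    "rodc": ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_PARTIAL_SECRETS_ACCOUNT,
    "writable_dc": ADS_UF_SERVER_TRUST_ACCOUNT,
}


def compare(accounts=SAMPLE_ACCOUNTS):
    """Map each account to (in group under published, in group under corrected)."""
    group = get_dsname_of_enterprise_rodcs_group()
    return {name: (group in add_enterprise_rodcs_published(uac, set()),
                   group in add_enterprise_rodcs_corrected(uac, set()))
            for name, uac in accounts.items()}
```

Running compare() shows the workstation entry as (True, False): the published test grants it Enterprise RODCs membership, the corrected one does not.
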
-----Original Message-----
From: "Andrew Bartlett" <abartlet at samba.org> 
Sent: Tuesday, December 2, 2014 5:14 PM
To: "Obaid Farooqi" <obaidf at microsoft.com>
Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:114112412079949] Re: Is MS-ADTS DL_DRSGetMemberships correct for workstation trust accounts?

On Tue, 2014-12-02 at 23:06 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> As per MS-DRSR, section "4.1.8.2.4 GetDSNameOfEnterpriseRODCsGroup",
> the procedure GetDSNameOfEnterpriseRODCsGroup is going to return an object whose Sid is <domain SID>-498. This SID is for the group object CN=Enterprise Read-Only Domain Controllers.
> 
> So the following snippet in effect will add the DSName of the above
> object to the wSet if the u object happens to be a workstation or an RODC.
> The workstation object is not added to the set.
> 
> if((u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT
> =ADS_UF_WORKSTATION_TRUST_ACCOUNT) or
> (u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT
> =ADS_UF_PARTIAL_SECRETS_ACCOUNT))
>                                 wSet := wSet +
> GetDSNameOfEnterpriseRODCsGroup()
> endif
> 
> Please let me know if I did not understand your question correctly or
> the above explanation does not answer your question.

I agree that is what it does, but is that what it should do, in the context?  Shouldn't we be adding this to the set only if we are an RODC, but not if we are a workstation?  

Andrew Bartlett 

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba