[cifs-protocol] MS-DRSR behaviour for ntSecurityDescriptor

Andrew Bartlett abartlet at samba.org
Tue Jul 12 04:56:01 UTC 2016

When we run GetNCChanges from within Samba to a Windows 2008R2 DC, and
we get a new user object, sometimes we don't get sent any
ntSecurityDescriptor or name attribute for the user, despite getting
all the other attributes, like objectClass, givenName, (empty)
supplementalCredentials et al.

We have isolated the issue down to the GetNCChanges reply - it isn't an
issue of Samba missing the SD, or there being 0 values etc, it just
isn't listed in the attributes in struct drsuapi_DsReplicaAttributeCtr.

Can you please assist us to understand in what circumstances Windows
might do this, and how we should interpret such a reply?

It may be the case that this happens only in large domains (eg 10,000
users), but we are yet to confirm that conclusively. 

We are wondering if we should somehow intuit the SD from the
inheritance and objectclass rules, as some bandwidth-saving measure? 

However, as we also note that the parentGUID of the object is also
NULL, and 'name' (0x90001) is not replicated either, we figure this is
something more subtle.

Finally, to add to the level of difficulty, we have only seen this on
QA systems at a customer so far. 


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

More information about the cifs-protocol mailing list