[cifs-protocol] 116071214400981 MS-DRSR behaviour for ntSecurityDescriptor

Sreekanth Nadendla srenaden at microsoft.com
Tue Jul 12 13:55:40 UTC 2016 

Dochelp in Bcc
Casemail in Cc

Hello Andrew,
Thank you for your inquiry about Active Directory Specifications. We have created an incident #116071214400981 to investigate this issue. One of the Open specifications team member will contact you shortly.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, July 12, 2016 12:56 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at lists.samba.org; Garming Sam
Subject: MS-DRSR behaviour for ntSecurityDescriptor

When we run GetNCChanges from within Samba to a Windows 2008R2 DC, and we get a new user object, sometimes we don't get sent any ntSecurityDescriptor or name attribute for the user, despite getting all the other attributes, like objectClass, givenName, (empty) supplementalCredentials et al.

We have isolated the issue down to the GetNCChanges reply - it isn't an issue of Samba missing the SD, or there being 0 values etc, it just isn't listed in the attributes in struct drsuapi_DsReplicaAttributeCtr.

Can you please assist us to understand in what circumstances Windows might do this, and how we should interpret such a reply?

It may be the case that this happens only in large domains (eg 10,000 users), but we are yet to confirm that conclusively. 

We are wondering if we should somehow intuit the SD from the inheritance and objectclass rules, as some bandwidth-saving measure? 

However, as we also note that the parentGUID of the object is also NULL, and 'name' (0x90001) is not replicated either, we figure this is something more subtle.

Finally, to add to the level of difficulty, we have only seen this on QA systems at a customer so far. 

Thanks, 

Andrew Bartlett
--
Andrew Bartlett
https://na01.safelinks.protection.outlook.com/?url=https:%2f%2fsamba.org%2f~abartlet%2f&data=01%7C01%7Csrenaden%40microsoft.com%7Ca762a016ffdb492464dd08d3aa110894%7C72f988bf86f141af91ab2d7cd011db47%7C1&sdata=FgBcCTAzRZ1RJFfCVQZhmlQcc3Lgxbskv8TpmuYu%2faw%3d
Authentication Developer, Samba Team         https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fsamba.org&data=01%7c01%7csrenaden%40microsoft.com%7ca762a016ffdb492464dd08d3aa110894%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=v0567%2f0VFBXtjKfWeS7g8PwgvxDLHmOL3UDuPY2r3ec%3d
Samba Development and Support, Catalyst IT   
https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fcatalyst.net.nz%2fservices%2fsamba&data=01%7c01%7csrenaden%40microsoft.com%7ca762a016ffdb492464dd08d3aa110894%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=BlHgrMxoyYPlFUYbRQJc7EM8FjTkOB3GgsRisiMzckU%3d

More information about the cifs-protocol mailing list