[cifs-protocol] [REG:116071214400981] 116071214400981 MS-DRSR behaviour for ntSecurityDescriptor

Obaid Farooqi obaidf at microsoft.com
Wed Jul 13 19:14:04 UTC 2016

Hi Andrew:
I will help you with this issue and will be in touch as soon as I have an answer.

Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com

-----Original Message-----
From: "Sreekanth Nadendla" <srenaden at microsoft.com> 
Sent: Tuesday, July 12, 2016 8:56 AM
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "cifs-protocol at lists.samba.org" <cifs-protocol at lists.samba.org>; "Garming Sam" <garming at catalyst.net.nz>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:116071214400981] 116071214400981 MS-DRSR behaviour for ntSecurityDescriptor

Dochelp in Bcc
Casemail in Cc 

Hello Andrew,
Thank you for your inquiry about Active Directory Specifications. We have created an incident #116071214400981 to investigate this issue. One of the Open Specifications team members will contact you shortly.

Sreekanth Nadendla 
Microsoft Windows Open Specifications 

-----Original Message----- 
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, July 12, 2016 12:56 AM 
To: Interoperability Documentation Help 
Cc: cifs-protocol at lists.samba.org; Garming Sam 
Subject: MS-DRSR behaviour for ntSecurityDescriptor 

When we run GetNCChanges from within Samba to a Windows 2008R2 DC, and
we get a new user object, sometimes we don't get sent any
ntSecurityDescriptor or name attribute for the user, despite getting all
the other attributes, like objectClass, givenName, (empty)
supplementalCredentials et al.

We have isolated the issue down to the GetNCChanges reply - it isn't an
issue of Samba missing the SD, or there being 0 values etc, it just
isn't listed in the attributes in struct drsuapi_DsReplicaAttributeCtr.

Can you please assist us to understand in what circumstances Windows
might do this, and how we should interpret such a reply?

It may be the case that this happens only in large domains (e.g. 10,000
users), but we are yet to confirm that conclusively.

We are wondering if we should somehow intuit the SD from the
inheritance and objectclass rules, as some bandwidth-saving measure?

However, as we also note that the parentGUID of the object is also
NULL, and 'name' (0x90001) is not replicated either, we figure this is
something more subtle.

Finally, to add to the level of difficulty, we have only seen this on
QA systems at a customer so far. 


Andrew Bartlett

Authentication Developer, Samba Team

Samba Development and Support, Catalyst IT 
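The observation in the report above is that a GetNCChanges reply can list a brand-new object whose drsuapi_DsReplicaAttributeCtr simply does not contain ntSecurityDescriptor or name, with parentGUID NULL as well. The following added example (not Samba code, and not the wire format; it is a simplified model of the REPLENTINFLIST entries in a reply, with a constructed sample reply) shows the check a consumer can run before acting on such an entry: it distinguishes an attribute that is absent from the ctr from one listed with zero values, and it only treats absence as an anomaly for objects the consumer has no local copy of, because on an incremental reply an absent attribute just means unchanged. ATTRTYP values assume the default MS-DRSR prefix table (prefix index in the high bits, last OID arc in the low 16 bits); 0x90001 for name is the value quoted in the mail, the other constants are this example's own decoding of the schema OIDs. It flags the entry rather than synthesising a security descriptor from inheritance rules.

```python
"""Audit a (modelled) GetNCChanges reply for new objects that arrive without
the attributes every object must carry. Added example, not Samba or Windows
code; the entry/attribute classes and SAMPLE_REPLY are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# ATTRTYP = (prefix table index << 16) | last OID arc, using the default
# MS-DRSR prefix table. 0x90001 (name) is the value from the original mail;
# the others are decoded here from the attribute OIDs (assumed correct).
ATTR_OBJECT_CLASS = 0x00000             # 2.5.4.0
ATTR_GIVEN_NAME = 0x0002A               # 2.5.4.42
ATTR_NT_SECURITY_DESCRIPTOR = 0x20119   # 1.2.840.113556.1.2.281
ATTR_NAME = 0x90001                     # 1.2.840.113556.1.4.1
ATTR_SUPPLEMENTAL_CREDENTIALS = 0x9007D  # 1.2.840.113556.1.4.125 (assumed)

ATTR_NAMES = {
    ATTR_OBJECT_CLASS: "objectClass",
    ATTR_GIVEN_NAME: "givenName",
    ATTR_NT_SECURITY_DESCRIPTOR: "ntSecurityDescriptor",
    ATTR_NAME: "name",
    ATTR_SUPPLEMENTAL_CREDENTIALS: "supplementalCredentials",
}

# Attributes that must be present the first time an object is replicated.
# On a later, incremental reply an attribute that is not listed is unchanged.
REQUIRED_ON_NEW_OBJECT = (ATTR_OBJECT_CLASS, ATTR_NAME, ATTR_NT_SECURITY_DESCRIPTOR)


@dataclass
class ReplAttribute:
    """One element of the attribute ctr. An empty value list models an
    attribute that IS listed but carries zero values (a value removal)."""
    attid: int
    values: List[bytes] = field(default_factory=list)


@dataclass
class ReplEntry:
    """One object in the reply: its GUID, the parent GUID the server sent
    (None models the NULL parentGUID from the report) and its attribute ctr."""
    object_guid: str
    parent_guid: Optional[str]
    attributes: List[ReplAttribute]


def decode_attrtyp(attid: int) -> Tuple[int, int]:
    """Split an ATTRTYP into (prefix table index, last OID arc)."""
    return attid >> 16, attid & 0xFFFF


def describe_attrtyp(attid: int) -> str:
    """Human-readable attribute name, or 'prefixN.arc' for unknown ones."""
    prefix, arc = decode_attrtyp(attid)
    return ATTR_NAMES.get(attid, f"prefix{prefix}.{arc}")


def zero_valued(entry: ReplEntry) -> List[str]:
    """Attributes listed in the ctr with no values (present, but empty)."""
    return [describe_attrtyp(a.attid) for a in entry.attributes if not a.values]


def audit_entry(entry: ReplEntry, known_locally: bool) -> List[str]:
    """Names of required attributes that are not listed at all in the ctr
    for an object we have never seen, plus 'parentGUID' if that is NULL.
    Returns [] for objects already known locally: there, absence means
    'unchanged' and is normal incremental-replication behaviour."""
    if known_locally:
        return []
    listed = {a.attid for a in entry.attributes}
    missing = [describe_attrtyp(a) for a in REQUIRED_ON_NEW_OBJECT if a not in listed]
    if entry.parent_guid is None:
        missing.append("parentGUID")
    return missing


def audit_reply(entries: List[ReplEntry], local_guids: Set[str]) -> Dict[str, List[str]]:
    """Map objectGUID -> missing items, for every entry that is not clean.
    A caller should refuse to create such an object (or re-request it) rather
    than guess an ntSecurityDescriptor from inheritance rules."""
    report = {}
    for entry in entries:
        missing = audit_entry(entry, entry.object_guid in local_guids)
        if missing:
            report[entry.object_guid] = missing
    return report


# Constructed sample reply: one complete user, one exhibiting the reported gap.
SD_BLOB = b"\x01\x00\x04\x8c"  # constructed placeholder bytes, not a real SD
SAMPLE_REPLY = [
    ReplEntry("11111111-1111-1111-1111-111111111111", "aaaaaaaa-0000-0000-0000-000000000000", [
        ReplAttribute(ATTR_OBJECT_CLASS, [b"user"]),
        ReplAttribute(ATTR_NAME, ["Alice".encode("utf-16-le")]),
        ReplAttribute(ATTR_NT_SECURITY_DESCRIPTOR, [SD_BLOB]),
        ReplAttribute(ATTR_GIVEN_NAME, ["Alice".encode("utf-16-le")]),
    ]),
    ReplEntry("22222222-2222-2222-2222-222222222222", None, [
        ReplAttribute(ATTR_OBJECT_CLASS, [b"user"]),
        ReplAttribute(ATTR_GIVEN_NAME, ["Bob".encode("utf-16-le")]),
        ReplAttribute(ATTR_SUPPLEMENTAL_CREDENTIALS),  # listed, zero values
    ]),
]

if __name__ == "__main__":
    for guid, missing in audit_reply(SAMPLE_REPLY, local_guids=set()).items():
        print(f"{guid}: new object missing {', '.join(missing)}; "
              f"zero-valued: {zero_valued(SAMPLE_REPLY[1])}")
```

Run against SAMPLE_REPLY with an empty local GUID set, the second entry is reported as missing name, ntSecurityDescriptor and parentGUID while supplementalCredentials shows up only as zero-valued; the same entry audited as already-known produces no report, which is the distinction the check exists to make.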
