[cifs-protocol] [REG:116071214400981] 116071214400981 MS-DRSR behaviour for ntSecurityDescriptor
obaidf at microsoft.com
Wed Jul 13 19:14:04 UTC 2016
I will help you with this issue and will be in touch as soon as I have an answer.
Escalation Engineer | Microsoft
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com
From: "Sreekanth Nadendla" <srenaden at microsoft.com>
Sent: Tuesday, July 12, 2016 8:56 AM
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "cifs-protocol at lists.samba.org" <cifs-protocol at lists.samba.org>; "Garming Sam" <garming at catalyst.net.nz>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:116071214400981] 116071214400981 MS-DRSR behaviour for ntSecurityDescriptor
Dochelp in Bcc
Casemail in Cc
Thank you for your inquiry about Active Directory Specifications. We have created an incident #116071214400981 to investigate this issue. One of the Open Specifications team members will contact you shortly.
Microsoft Windows Open Specifications
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, July 12, 2016 12:56 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at lists.samba.org; Garming Sam
Subject: MS-DRSR behaviour for ntSecurityDescriptor
When we run GetNCChanges from within Samba to a Windows 2008R2 DC, and
we get a new user object, sometimes we don't get sent any
ntSecurityDescriptor or name attribute for the user, despite getting all
the other attributes, like objectClass, givenName, (empty)
supplementalCredentials et al.
We have isolated the issue down to the GetNCChanges reply - it isn't an
issue of Samba missing the SD, or there being 0 values etc, it just
isn't listed in the attributes in struct drsuapi_DsReplicaAttributeCtr.
Can you please assist us to understand in what circumstances Windows
might do this, and how we should interpret such a reply?
It may be the case that this happens only in large domains (e.g. 10,000
users), but we are yet to confirm that conclusively.
We are wondering if we should somehow intuit the SD from the
inheritance and objectclass rules, as some bandwidth-saving measure?
However, as we also note that the parentGUID of the object is also
NULL, and 'name' (0x90001) is not replicated either, we figure this is
something more subtle.
Finally, to add to the level of difficulty, we have only seen this on
QA systems at a customer so far.
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT