[cifs-protocol] Extended rights as LDIF, 117112017192160

Edgar Olougouna edgaro at microsoft.com
Mon Dec 4 17:58:00 UTC 2017

Andrew, Garming,
After review, I conferred with the AD product group and confirmed the following. We do not believe there is a protocol significance for the validAccesses on Extended Rights. To the best of our knowledge, our AD protocols do not depend on it for protocol operations. This defines the use of the control access right for the administrative tools, which are implementation-specific. 

Please provide a concrete and detailed example where it was not possible to create a directory object that impacts protocol interop, and we will be happy to evaluate. Otherwise, I consider this question as closed on my side.
The LocalizationDisplayId you referred to is defined in MS-ADA1 (2.365 Attribute localizationDisplayId https://msdn.microsoft.com/en-us/library/cc220067.aspx). This is used to index UI resources file for UI purposes.
and MS-ADTS also specifies 
localizationDisplayId: This is implementation-specific information for the administrative application.
validAccesses: This is implementation-specific information for the administrative application.


-----Original Message-----
From: Edgar Olougouna 
Sent: Monday, November 20, 2017 4:30 PM
To: Garming Sam <garming at catalyst.net.nz>; Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [cifs-protocol] Extended rights as LDIF, 117112017192160

Thanks Andrew and Garming. I will look into this and follow-up. 


-----Original Message-----
From: Nathan Manis
Sent: Monday, November 20, 2017 4:23 PM
To: Garming Sam <garming at catalyst.net.nz>; Edgar Olougouna <edgaro at microsoft.com>; Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [cifs-protocol] Extended rights as LDIF, 117112017192160

Hi Garming, Hi Andrew,

Thank you for contacting the dochelp alias for assistance.  If you do need assistance with protocols specifications, feel free to write our dochelp at microsoft.com alias and one of our engineers will be able to assist.   We ask to write the alias in case the engineer you write directly is out of the office or not available.   For the inquiry below, we have created a case to review and respond. 

The case number is  117112017192160.

Thanks again,

-----Original Message-----
From: Garming Sam [mailto:garming at catalyst.net.nz]
Sent: Monday, November 20, 2017 5:00 PM
To: Edgar Olougouna <edgaro at microsoft.com>; Andrew Bartlett <abartlet at samba.org>; Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: Re: [cifs-protocol] Extended rights as LDIF

Just wanted to add that the omitted validAccesses attribute (on these extended rights) is probably more significant because it implies different access control behavior. The information it stores seems to be more than for use in the administrative tools.



On 21/11/17 10:42, Edgar Olougouna via cifs-protocol wrote:
> + dochelp. Shift Lead, please assign me a new case for this inquiry.
> Thanks,
> Edgar
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Monday, November 20, 2017 3:35 PM
> To: Edgar Olougouna <edgaro at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: Extended rights as LDIF
> G'Day Edgar,
> I'm working with Garming to have Samba use more modern schema, and we 
> are using the downloads from 
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.m
> icrosoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D23782&data=02%7C
> 01%7Cedgaro%40microsoft.com%7C9f63dc38527146fd2d2d08d5305e8b80%7C72f98
> 8bf86f141af91ab2d7cd011db47%7C1%7C0%7C636468104979500849&sdata=vRkXquP
> 84K0Jl8ltrEvT2zUXU7xYX%2BN0E8qhkVss%2F7I%3D&reserved=0
> However, the schema depends on extended rights, which are defined eg
> here:
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsdn.
> microsoft.com%2Fen-us%2Flibrary%2Fms684293(v%3Dvs.85).aspx&data=02%7C0
> 1%7Cedgaro%40microsoft.com%7C9f63dc38527146fd2d2d08d5305e8b80%7C72f988
> bf86f141af91ab2d7cd011db47%7C1%7C0%7C636468104979500849&sdata=SxTUGaBv
> mxyeXMFKrSybhrYDUD9u9EMX%2F6U9VODYAwg%3D&reserved=0
> and in MS-ADTS here:
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsdn.
> microsoft.com%2Fen-us%2Flibrary%2Fcc223512.aspx&data=02%7C01%7Cedgaro%
> 40microsoft.com%7C9f63dc38527146fd2d2d08d5305e8b80%7C72f988bf86f141af9
> 1ab2d7cd011db47%7C1%7C0%7C636468104979500849&sdata=bPgfxQkjhf4BctAIaSi
> fpamAisTcE57D28A7VO6iQqY%3D&reserved=0
> However, the MS-ADTS docs don't contain the information needed to 
> create the object, like the Localization-Display-ID.  (We gain the 
> appliesTo if we look at eg 
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsdn.
> microsoft.com%2Fen-us%2Flibrary%2Fcc223602.aspx&data=02%7C01%7Cedgaro%
> 40microsoft.com%7C9f63dc38527146fd2d2d08d5305e8b80%7C72f988bf86f141af9
> 1ab2d7cd011db47%7C1%7C0%7C636468104979500849&sdata=ryPf1GQqTXRbGP%2Bg1
> Cs%2Be9wMAI%2FYyFMucwJTLnAChyc%3D&reserved=0 )
> There also isn't any more detail in:
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblogs
> .msdn.microsoft.com%2Fopenspecification%2F2009%2F08%2F19%2Factive-dire
> ctory-technical-specification-control-access-rights-concordance%2F&dat
> a=02%7C01%7Cedgaro%40microsoft.com%7C9f63dc38527146fd2d2d08d5305e8b80%
> 7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636468104979500849&sdata=
> mdZSEvO%2B6aWIztOZAm08J1hP6uoJ1YxjtS8%2FSNrmxzU%3D&reserved=0
> Could the download we mention above be extended/supplemented with an LDIF of the matching Extended Rights, or is it already available somewhere we haven't found yet?
> Thanks,
> Andrew Bartlett
> --
> Andrew Bartlett
> https://na01.safelinks.protection.outlook.com/?url=https:%2F%2Fsamba.org%2F~abartlet%2F&data=02%7C01%7Cedgaro%40microsoft.com%7C9f63dc38527146fd2d2d08d5305e8b80%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636468104979500849&sdata=t3Pme9kkGK4HN1%2FCuBFaWGP3iCYUMx4aWSruiUSvf50%3D&reserved=0
> Authentication Developer, Samba Team         https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org&data=02%7C01%7Cedgaro%40microsoft.com%7C9f63dc38527146fd2d2d08d5305e8b80%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636468104979500849&sdata=mGjMebWDBJ7blegxft3JhM4nyfxUIYA3t7QLoIvxRo4%3D&reserved=0
> Samba Development and Support, Catalyst IT   
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcatal
> yst.net.nz%2Fservices%2Fsamba&data=02%7C01%7Cedgaro%40microsoft.com%7C
> 9f63dc38527146fd2d2d08d5305e8b80%7C72f988bf86f141af91ab2d7cd011db47%7C
> 1%7C0%7C636468104979500849&sdata=3b4CDxFVonzIqQJibIQN9nNmJvRuAQszv3%2B
> IQVQvbuE%3D&reserved=0
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at lists.samba.org
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists
> .samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=02%7C01%7Cdochelp
> %40windows.microsoft.com%7C2ba0fa0d03a8480ce11408d5306208cf%7C72f988bf
> 86f141af91ab2d7cd011db47%7C1%7C0%7C636468119986802237&sdata=ep4QcFZGfy
> Br1tNxeTqy4te4LD7f6Ti%2F2Y4JA647l84%3D&reserved=0

More information about the cifs-protocol mailing list