[cifs-protocol] Extended rights as LDIF, 117112017192160

Garming Sam garming at catalyst.net.nz
Fri Dec 8 02:10:00 UTC 2017


Hi Edgar,

I've been looking at the usage of validAccesses a bit further and I
found some statements in MS-ADTS which mention its protocol relevance.
In particular I notice that there is a statement mentioning what values
it must have in the case for control access rights.

[MS-ADTS] 5.1.3.2.1 Control Access Rights

https://msdn.microsoft.com/en-us/library/cc223512.aspx

"validAccesses: The type of access right bits in the ACCESS_MASK field
of an ACE with which the control access right can be associated. The
only permitted access right for control access rights is
RIGHT_DS_CONTROL_ACCESS (CR)."

It appears that section 5.1.3 contains some of the information we were
seeking in regards to this attribute (and how the set of rights are
divided into the different classes). There also appears to be another
section on property sets which mentions which are under this category.
However the corresponding validAccesses value required for these rights
appears to only be mentioned in a non-normative document:

https://msdn.microsoft.com/en-us/library/ms675747(v=vs.85).aspx

Given the disparate set of information, it would be useful to have
validAccesses documented for each extended-right collected with the
other attributes given in 6.1.1.2.7 Extended Rights, and the reference
in 6.1.1.2.7.1 controlAccessRight objects removed which asserts that the
information is implementation specific. While a full set of published
ldif would be most helpful, getting the existing information collated
would be a definite improvement.


Cheers,

Garming
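A small consistency check for controlAccessRight LDIF entries, added here as an example and not code from this thread, from Samba or from Microsoft: it parses LDIF, classifies each extended right by its validAccesses mask (CR for control access rights, RP/WP for property sets, the validated-write bit otherwise) and flags entries whose validAccesses is missing or breaks the 5.1.3.2.1 rule quoted above. The bit values are the ACCESS_MASK constants from MS-ADTS 5.1.3.2; the sample entries, names and GUIDs are constructed placeholders.

```python
import re
RIGHT_DS_WRITE_PROPERTY_EXTENDED = 0x008  # validated writes
RIGHT_DS_READ_PROPERTY, RIGHT_DS_WRITE_PROPERTY = 0x010, 0x020  # RP, WP
RIGHT_DS_CONTROL_ACCESS = 0x100           # CR, the only bit [MS-ADTS] 5.1.3.2.1 allows

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, one {attr: [values]} per record."""
    entries, cur = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes the last record
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def classify(valid_accesses):
    """Class of extended right that a validAccesses mask denotes."""
    if valid_accesses == RIGHT_DS_CONTROL_ACCESS:
        return "control access right"
    if valid_accesses == RIGHT_DS_WRITE_PROPERTY_EXTENDED:
        return "validated write"
    if valid_accesses and not valid_accesses & ~(RIGHT_DS_READ_PROPERTY | RIGHT_DS_WRITE_PROPERTY):
        return "property set"
    return "unknown"

def check_entry(entry):
    """Problems found in one controlAccessRight entry; [] means it is consistent."""
    problems = ["missing " + a for a in ("rightsguid", "appliesto", "validaccesses") if a not in entry]
    if "validaccesses" in entry:
        va = int(entry["validaccesses"][0])
        if va & RIGHT_DS_CONTROL_ACCESS and va != RIGHT_DS_CONTROL_ACCESS:
            problems.append("validAccesses 0x%x: [MS-ADTS] 5.1.3.2.1 permits only CR" % va)
        elif classify(va) == "unknown":
            problems.append("validAccesses 0x%x matches no extended-right class" % va)
    return problems

SAMPLE_LDIF = """\
# constructed sample: placeholder names and GUIDs, not real Extended-Rights entries
dn: CN=Example-Right,CN=Extended-Rights,CN=Configuration,DC=example,DC=test
rightsGuid: 00000000-0000-0000-0000-000000000001
appliesTo: 00000000-0000-0000-0000-0000000000aa
validAccesses: 256

dn: CN=Example-Omitted,CN=Extended-Rights,CN=Configuration,DC=example,DC=test
rightsGuid: 00000000-0000-0000-0000-000000000002
appliesTo: 00000000-0000-0000-0000-0000000000aa
"""
```

Running check_entry over parse_ldif(SAMPLE_LDIF) accepts the first entry and reports the second as missing validAccesses, which is the gap the thread is about.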

On 05/12/17 06:58, Edgar Olougouna wrote:
> Andrew, Garming,
> After review, I conferred with the AD product group and confirmed the following. We do not believe there is a protocol significance for the validAccesses on Extended Rights. To the best of our knowledge, our AD protocols do not depend on it for protocol operations. This defines the use of the control access right for the administrative tools, which are implementation-specific. 
>
> Please provide a concrete and detailed example where it was not possible to create a directory object that impacts protocol interop, and we will be happy to evaluate. Otherwise, I consider this question as closed on my side.
> The LocalizationDisplayId you referred to is defined in MS-ADA1 (2.365 Attribute localizationDisplayId https://msdn.microsoft.com/en-us/library/cc220067.aspx). This is used to index UI resources file for UI purposes.
> and MS-ADTS also specifies 
> localizationDisplayId: This is implementation-specific information for the administrative application.
> validAccesses: This is implementation-specific information for the administrative application.
>
> Thanks,
> Edgar
>
> -----Original Message-----
> From: Edgar Olougouna 
> Sent: Monday, November 20, 2017 4:30 PM
> To: Garming Sam <garming at catalyst.net.nz>; Andrew Bartlett <abartlet at samba.org>
> Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
> Subject: RE: [cifs-protocol] Extended rights as LDIF, 117112017192160
>
> Thanks Andrew and Garming. I will look into this and follow-up. 
>
> Cheers,
> Edgar
>
> -----Original Message-----
> From: Nathan Manis
> Sent: Monday, November 20, 2017 4:23 PM
> To: Garming Sam <garming at catalyst.net.nz>; Edgar Olougouna <edgaro at microsoft.com>; Andrew Bartlett <abartlet at samba.org>
> Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
> Subject: RE: [cifs-protocol] Extended rights as LDIF, 117112017192160
>
> Hi Garming, Hi Andrew,
>
> Thank you for contacting the dochelp alias for assistance.  If you do need assistance with protocols specifications, feel free to write our dochelp at microsoft.com alias and one of our engineers will be able to assist.   We ask to write the alias in case the engineer you write directly is out of the office or not available.   For the inquiry below, we have created a case to review and respond. 
>
>
> The case number is  117112017192160.
>
>    
> Thanks again,
> Nathan
>
> -----Original Message-----
> From: Garming Sam [mailto:garming at catalyst.net.nz]
> Sent: Monday, November 20, 2017 5:00 PM
> To: Edgar Olougouna <edgaro at microsoft.com>; Andrew Bartlett <abartlet at samba.org>; Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: Re: [cifs-protocol] Extended rights as LDIF
>
> Just wanted to add that the omitted validAccesses attribute (on these extended rights) is probably more significant because it implies different access control behavior. The information it stores seems to be more than for use in the administrative tools.
>
>
> Cheers,
>
> Garming
>
>
> On 21/11/17 10:42, Edgar Olougouna via cifs-protocol wrote:
>> + dochelp. Shift Lead, please assign me a new case for this inquiry.
>> Thanks,
>> Edgar
>>
>> -----Original Message-----
>> From: Andrew Bartlett [mailto:abartlet at samba.org]
>> Sent: Monday, November 20, 2017 3:35 PM
>> To: Edgar Olougouna <edgaro at microsoft.com>
>> Cc: cifs-protocol at lists.samba.org
>> Subject: Extended rights as LDIF
>>
>> G'Day Edgar,
>>
>> I'm working with Garming to have Samba use more modern schema, and we
>> are using the downloads from
>> https://www.microsoft.com/en-us/download/details.aspx?id=23782
>>
>> However, the schema depends on extended rights, which are defined eg
>> here:
>>
>> https://msdn.microsoft.com/en-us/library/ms684293(v=vs.85).aspx
>>
>> and in MS-ADTS here:
>>
>> https://msdn.microsoft.com/en-us/library/cc223512.aspx
>>
>> However, the MS-ADTS docs don't contain the information needed to
>> create the object, like the Localization-Display-ID. (We gain the
>> appliesTo if we look at eg
>> https://msdn.microsoft.com/en-us/library/cc223602.aspx )
>>
>> There also isn't any more detail in:
>> https://blogs.msdn.microsoft.com/openspecification/2009/08/19/active-directory-technical-specification-control-access-rights-concordance/
>>
>> Could the download we mention above be extended/supplemented with an LDIF of the matching Extended Rights, or is it already available somewhere we haven't found yet?
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett
>> https://samba.org/~abartlet/
>> Authentication Developer, Samba Team         https://samba.org
>> Samba Development and Support, Catalyst IT
>> https://catalyst.net.nz/services/samba
>>
>>
>>
>>