[cifs-protocol] [REG:117121117297259] Missing and duplicate rightGuid values for Extended Rights

Edgar Olougouna edgaro at microsoft.com
Fri Dec 22 07:14:52 UTC 2017


Andrew,
[MS-ADTS] 3.1.1.2.3.3 is intended to only document property sets that are present in a default AD DS installation, meaning property sets that have a matching controlAccessRight object in the Extended-Rights container. 
The Guids you are asking about (a29b89fd-c7e8-11d0-9bae-00c04fd92ef5, a29b89fe-c7e8-11d0-9bae-00c04fd92ef5 and a29b8a01-c7e8-11d0-9bae-00c04fd92ef5) do not appear in the table in [MS-ADTS] section 3.1.1.2.3.3 because they do not have matching controlAccessRight objects. Note that the system does not enforce that every attributeSecurityGuid value have a matching controlAccessRight object.
Additionally, a search of our source code does not show any meaningful usage of these particular property set Guids (a29b89fd-c7e8-11d0-9bae-00c04fd92ef5, a29b89fe-c7e8-11d0-9bae-00c04fd92ef5 and a29b8a01-c7e8-11d0-9bae-00c04fd92ef5).

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, December 15, 2017 3:05 PM
To: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [REG:117121117297259] Missing and duplicate rightGuid values for Extended Rights

Andrew,

I have spent some time investigating this further and have split this in two cases. Please expect another email thread to address the second portion of your request. Please read through for a status update on the first portion.

SR 117121517332882 [MS-ADTS] dNSHostName's schemaIdGuid used for attributeSecurityGuid or rightsGUID in other attributes
Verbatim:
72E39547-7B18-11D1-ADEF-00C04FD8D5CD is documented as a rightsGuid for DNS-Host-Name Attributes and for Validated-DNS-Host-Name.
Can you please shed some light on what is going on here?

I will use the current SR 117121117297259 to focus on [MS-ADTS]: 3.1.1.2.3.3 Missing attributeSecurityGuid values not defined for property sets

My investigation so far showed that the following three values of attributeSecurityGuid are not listed in the table of property sets in [MS-ADTS] 3.1.1.2.3.3 Property Set https://msdn.microsoft.com/en-us/library/cc223204.aspx

I have filed a document bug and will let you know as soon as I have an update.

Guid-1:

[MS-ADA1]
domainWidePolicy has:
attributeSecurityGuid: a29b89fd-c7e8-11d0-9bae-00c04fd92ef5
eFSPolicy has:
attributeSecurityGuid: a29b89fd-c7e8-11d0-9bae-00c04fd92ef5
[MS-ADA3]
publicKeyPolicy has:
attributeSecurityGuid: a29b89fd-c7e8-11d0-9bae-00c04fd92ef5

Guid-2:

[MS-ADA1]
domainPolicyReference has
attributeSecurityGuid: a29b89fe-c7e8-11d0-9bae-00c04fd92ef5
[MS-ADA2]
machinePasswordChangeInterval has
attributeSecurityGuid: a29b89fe-c7e8-11d0-9bae-00c04fd92ef5

Guid-3:

[MS-ADA1]
localPolicyReference has
attributeSecurityGuid: a29b8a01-c7e8-11d0-9bae-00c04fd92ef5
[MS-ADA2]
machineWidePolicy has
attributeSecurityGuid: a29b8a01-c7e8-11d0-9bae-00c04fd92ef5
[MS-ADA3]
qualityOfService has
attributeSecurityGuid: a29b8a01-c7e8-11d0-9bae-00c04fd92ef5

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Monday, December 11, 2017 10:01 AM
To: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at corp.microsoft.com>
Subject: RE: [REG:117121117297259] Missing and duplicate rightGuid values for Extended Rights

Hello Andrew,
I will investigate this and follow-up once I have an update.

Thanks,
Edgar

-----Original Message-----
From: Bryan Burgin 
Sent: Sunday, December 10, 2017 9:48 PM
To: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at corp.microsoft.com>
Subject: [REG:117121117297259] Missing and duplicate rightGuid values for Extended Rights

[dochelp to bcc]
[+casemail]

Hi Andrew,

Thank you for your question.  We created SR 117121117297259 to track this issue. An engineer from the protocols team will contact you soon.

Bryan

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Sunday, December 10, 2017 4:09 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: Missing and duplicate rightGuid values for Extended Rights

While working to re-construct the validAccesses value that is not provided in MS-ADTS explicitly, I've been using the references elsewhere in the docs and cross-referencing things.

This has shown up some puzzling things.  I noticed that these GUIDs 

domainWidePolicy has:
attributeSecurityGuid: a29b89fd-c7e8-11d0-9bae-00c04fd92ef5

domainPolicyReference has
attributeSecurityGuid: a29b89fe-c7e8-11d0-9bae-00c04fd92ef5

localPolicyReference has
attributeSecurityGuid: a29b8a01-c7e8-11d0-9bae-00c04fd92ef5

However these are not listed in 3.1.1.2.3.3 Property Set

Also, 72E39547-7B18-11D1-ADEF-00C04FD8D5CD is documented as a rightsGuid for DNS Host Name Attributes and for Validated-DNS-Host-Name.

Can you please shed some light on what is going on here?


Thanks,

Andrew Bartlett


--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
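
The cross-check this thread is about (attributeSecurityGuid values with no matching controlAccessRight object, and one rightsGuid documented for two rights) can be run over any schema export; the following is an added example, not code from Samba or Microsoft. The input lists are constructed from the names and GUIDs quoted in the thread, `exampleHostAttribute` is hypothetical, the function names `norm` and `audit` are this example's own, and it assumes a directory read returns attributeSecurityGuid as a 16-byte GUID in the Windows binary layout.

```python
import uuid
from collections import defaultdict

def norm(guid):
    """Canonical lowercase text for a GUID given as a string (any case) or as
    the 16-byte Windows binary layout (first three fields little-endian)."""
    if isinstance(guid, (bytes, bytearray)):
        return str(uuid.UUID(bytes_le=bytes(guid)))
    return str(uuid.UUID(guid))

# Constructed sample input. Attribute names and GUIDs are the ones quoted in
# the thread; exampleHostAttribute is a hypothetical attribute added so that
# one property set does have matching controlAccessRight objects.
ATTRIBUTE_SCHEMA = [
    ("domainWidePolicy", uuid.UUID("a29b89fd-c7e8-11d0-9bae-00c04fd92ef5").bytes_le),
    ("eFSPolicy", "a29b89fd-c7e8-11d0-9bae-00c04fd92ef5"),
    ("publicKeyPolicy", "A29B89FD-C7E8-11D0-9BAE-00C04FD92EF5"),
    ("domainPolicyReference", "a29b89fe-c7e8-11d0-9bae-00c04fd92ef5"),
    ("machinePasswordChangeInterval", "a29b89fe-c7e8-11d0-9bae-00c04fd92ef5"),
    ("localPolicyReference", "a29b8a01-c7e8-11d0-9bae-00c04fd92ef5"),
    ("machineWidePolicy", "a29b8a01-c7e8-11d0-9bae-00c04fd92ef5"),
    ("qualityOfService", "a29b8a01-c7e8-11d0-9bae-00c04fd92ef5"),
    ("exampleHostAttribute", "72e39547-7b18-11d1-adef-00c04fd8d5cd"),
]
# (name, rightsGuid) pairs for controlAccessRight objects, named as in the thread.
CONTROL_ACCESS_RIGHTS = [
    ("DNS-Host-Name Attributes", "72E39547-7B18-11D1-ADEF-00C04FD8D5CD"),
    ("Validated-DNS-Host-Name", "72E39547-7B18-11D1-ADEF-00C04FD8D5CD"),
]

def audit(attributes, rights):
    """Return (orphans, duplicates): attributeSecurityGuid values with no
    controlAccessRight, and rightsGuid values used by more than one."""
    by_right = defaultdict(list)
    for name, guid in rights:
        by_right[norm(guid)].append(name)
    orphans = defaultdict(list)
    for name, guid in attributes:
        if norm(guid) not in by_right:
            orphans[norm(guid)].append(name)
    duplicates = {g: names for g, names in by_right.items() if len(names) > 1}
    return dict(orphans), duplicates

if __name__ == "__main__":
    orphans, duplicates = audit(ATTRIBUTE_SCHEMA, CONTROL_ACCESS_RIGHTS)
    for guid, names in sorted(orphans.items()):
        print(f"no controlAccessRight for {guid}: {', '.join(names)}")
    for guid, names in sorted(duplicates.items()):
        print(f"rightsGuid {guid} shared by: {', '.join(names)}")
```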






