[cifs-protocol] [REG:117121117303710] Missing and duplicate rightGuid values for Extended Rights in MS-ADTS

Edgar Olougouna edgaro at microsoft.com
Tue Jan 2 17:59:51 UTC 2018


Andrew,
FYI, the MS-ADTS document update in the pipeline is to add some informative information about the displayName attribute.
Provisional update:
Section 1.2.2, Informative References, will add these two references.
"[MSDN-CAR] Microsoft Corporation, "Control Access Rights", https://msdn.microsoft.com/en-us/library/ms680945(v=vs.85).aspx"
"[MSDOCS-SchUpd] Microsoft Corporation, "Schema Updates", https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/schema-updates"
- - - - - - - - - - - - - - - - -
In Section 6.1.1.2.7.1, controlAccessRight objects, informative information about the displayName attribute will be added.
displayName: This is implementation-specific information for human consumption. Some of the values that are used by the Windows implementation can be found at [MSDN-CAR] and [MSDOCS-SchUpd].

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, December 22, 2017 1:17 AM
To: 'Andrew Bartlett' <abartlet at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [REG:117121117303710] Missing and duplicate rightGuid values for Extended Rights in MS-ADTS

Andrew,
Upon review, it has been concluded that there should not be any need for an Active Directory protocols implementer to compile a complete list of specific displayName values from MS-ADTS. If there’s any MS-ADTS document update, it will only re-emphasize the fact that the displayName is implementation-specific information meant for human consumption, and as a result does not have any protocol significance.
The non-Windows implementation can and should simply replicate these when their DC is added to the existing Windows AD domain.  
We believe the replicated data from a Microsoft DC is sufficient. However, you can also get and use the data from the informative sources that you are already aware of. These are the following:
https://msdn.microsoft.com/en-us/library/ms680945(v=vs.85).aspx
and
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/schema-updates

Thanks,
Edgar

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, December 13, 2017 7:46 PM
To: Edgar Olougouna <edgaro at microsoft.com>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: Re: [REG:117121117303710] Missing and duplicate rightGuid values for Extended Rights in MS-ADTS

On Wed, 2017-12-13 at 22:38 +0000, Edgar Olougouna wrote:
> Andrew,
> Regarding this statement “RE: Some (for property sets) can be found in 
> other tables, but they should be listed under each right.”
> Can you help me find the section(s) where “some” DisplayName(s) are 
> documented? I have been combing through MS-ADTS. Are you referring to 
> “Control access right symbol” in the table in 5.1.3.2.1 Control Access 
> Rights?

No, I used 3.1.1.2.3.3 Property Set.

> Besides, I’d like to make sure we are on the same page and are having 
> the right conversation. What is the protocol relevance of DisplayName?
> Or are you suggesting that we consider including displayName for each 
> extended right?

At this point the latter, I'm suggesting the displayName should be included with each extended right. 

As the purpose of the objects is to provide strings to the user interface we are trying not to confuse users by having different visible names for the same permissions. 

Thanks,

Andrew Bartlett

> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Edgar Olougouna
> Sent: Monday, December 11, 2017 3:55 PM
> To: Andrew Bartlett <abartlet at samba.org>; 
> cifs-protocol at lists.samba.org
> Cc: MSSolve Case Email <casemail at corp.microsoft.com>
> Subject: [REG:117121117303710] Missing and duplicate rightGuid values 
> for Extended Rights in MS-ADTS
> 
> [bcc dochelp, + cc casemail]
> Hello Andrew,
> We have created the case number 117121117303710 to track this inquiry. I will review this and follow up with you as soon as I have an update.
> 
> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Monday, December 11, 2017 2:51 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help 
> <dochelp at microsoft.com>
> Subject: Missing and duplicate rightGuid values for Extended Rights in 
> MS-ADTS
> 
> As you know, I've been working to update our extended rights in Samba, and have been using the MS-ADTS document as the reference, combined with the adprep ldif from WindowsServerDocs (which is more complete).
> 
> Aside from the already-discussed missing localizationDisplayId and validAccesses, claimed as 'implementation specific', the other thing that is missing compared with the adprep LDIF, even from the template in 6.1.1.2.7.1 controlAccessRight objects, is the displayName.  Some (for property sets) can be found in other tables, but they should be listed under each right. 
> 
> Can the docs please be updated to include displayName?
> 
> Thanks,
> 
> Andrew Bartlett
> 
> 
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba





