[cifs-protocol] Extended rights as LDIF, 117112017192160

Edgar Olougouna edgaro at microsoft.com
Tue Jan 2 22:46:30 UTC 2018


Thank you again for providing this feedback and suggestion. Upon review, it has been concluded that the attribute values you have inquired about (localizationDisplayId, validAccesses, and displayName) do not have any protocol significance. These things are not required for correct protocol interoperability or protocol processing, and as such are not required to be normatively defined.  
In short, this implementation-specific information pertains to Windows-based administrative tools and is not protocol relevant. You can find some of the values used on Windows platform in various informative sources available online. 

Thanks,
Edgar

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, December 13, 2017 7:54 PM
To: Edgar Olougouna <edgaro at microsoft.com>; Garming Sam <garming at catalyst.net.nz>
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: Re: [cifs-protocol] Extended rights as LDIF, 117112017192160

On Wed, 2017-12-13 at 22:35 +0000, Edgar Olougouna wrote:
> Andrew,
> Thank you for the feedback. I have passed on your suggestion to the AD product group and the concerned people will review it.
> FYI, I noticed your LDF did not include the following. Just passing along. This is not to guarantee or to give any hint in one way or another of anything about a review outcome. 
> dn: CN=DS-Validated-Write-Computer,CN=Extended-Rights,${CONFIGDN}
> changetype: ntdsSchemaAdd
> objectClass: controlAccessRight
> displayName: Validated write to computer attributes.
> rightsGuid: 9b026da6-0d3c-465c-8bee-5199d7165cba
> appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
> ShowInAdvancedViewOnly: TRUE
> validAccesses: 8

Thanks!  You are correct, I should have mentioned that we are aligning with 2012 in that particular LDIF (DS-Validated-Write-Computer is in the 2016 adprep).

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Schema-Updates.md#sch81ldf

I do notice that the infamous localizationDisplayId is omitted in this newest right. 

Thanks,

Andrew Bartlett

> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Sunday, December 10, 2017 10:14 PM
> To: Garming Sam <garming at catalyst.net.nz>; Edgar Olougouna 
> <edgaro at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; MSSolve Case Email 
> <casemail at corp.microsoft.com>
> Subject: Re: [cifs-protocol] Extended rights as LDIF, 117112017192160
> 
> On Fri, 2017-12-08 at 15:10 +1300, Garming Sam wrote:
> > Hi Edgar,
> > 
> > I've been looking at the usage of validAccesses a bit further and I 
> > found some statements in MS-ADTS which mention its protocol relevance.
> > In particular I notice that there is a statement mentioning what 
> > values it must have in the case for control access rights.
> > 
> > [MS-ADTS] 5.1.3.2.1 Control Access Rights
> > 
> > https://msdn.microsoft.com/en-us/library/cc223512.aspx
> > 
> > "validAccesses: The type of access right bits in the ACCESS_MASK 
> > field of an ACE with which the control access right can be 
> > associated. The only permitted access right for control access 
> > rights is RIGHT_DS_CONTROL_ACCESS (CR)."
> > 
> > It appears that section 5.1.3 contains some of the information we 
> > were seeking in regards to this attribute (and how the set of rights 
> > are divided into the different classes). There also appears to be 
> > another section on property sets which mentions which are under this category.
> > However the corresponding validAccesses value required for these 
> > rights appears to only be mentioned in a non-normative document:
> > 
> > https://msdn.microsoft.com/en-us/library/ms675747(v=vs.85).aspx
> > 
> > Given the disparate set of information, it would be useful to have 
> > validAccesses documented for each extended-right collected with the 
> > other attributes given in 6.1.1.2.7 Extended Rights, and the 
> > reference in 6.1.1.2.7.1 controlAccessRight objects removed which 
> > asserts that the information is implementation specific. While a 
> > full set of published ldif would be most helpful, getting the 
> > existing information collated would be a definite improvement.
> > 
> 
> G'Day Edgar,
> 
> Given the various bits of info above and in the public
> WindowsServerDocs github repo, we have constructed the attached.   It
> isn't perfect, but it shows that this is actually essentially covered in the docs.  
> 
> You mentioned on our last call that you are happy to take suggestions 
> for improving the docs, and this is certainly an area we would like improved.  That is, we would like to have something like this file provided, just as the Display Specifiers and Schema have been provided, as LDIF.
> 
> (As I'm sure you know for full interoperability our standard is that 
> we need to be able to have the full set of matching objects.)
> 
> Otherwise, would it be possible to add a reference, informative or normative to resources like:
> https://technet.microsoft.com/library/dd378876.aspx
> https://technet.microsoft.com/en-us/library/cc730930(v=ws.10).aspx
> https://technet.microsoft.com/en-us/library/dd378828(v=ws.10).aspx
> https://msdn.microsoft.com/en-us/library/ms683985(v=vs.85).aspx
> 
> That would allow this existing content to be captured under the license for our use, which would be very helpful.
> 
> Thanks! 
> 
> Andrew Bartlett
> 
> 
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT   
> https://catalyst.net.nz/services/samba
> 
> 
> 
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
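
The validAccesses question raised in this thread, as a check over extended-rights LDIF. This is an added example, not part of the thread and not Samba's or Microsoft's code. It assumes the mapping 256 = control access right, 8 = validated write, 48 = property set (from the MS-ADTS access-mask bits and the non-normative page cited above); the function names and the `Example-*` entries are constructed.

```python
# RIGHT_DS_WRITE_PROPERTY_EXTENDED, _READ_PROPERTY, _WRITE_PROPERTY, _CONTROL_ACCESS
VALIDATED_WRITE, READ_PROP, WRITE_PROP, CONTROL_ACCESS = 0x8, 0x10, 0x20, 0x100
KINDS = {CONTROL_ACCESS: "control access right",   # assumed mapping, see lead-in
         VALIDATED_WRITE: "validated write",
         READ_PROP | WRITE_PROP: "property set"}

def parse_ldif(text):
    """Minimal LDIF reader: folded lines and comments handled, base64 '::' not."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:        # continuation of previous value
            cur[last][-1] += line[1:]
        elif not line.strip():                   # blank line closes the entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries

def classify(entry):
    """Return (rdn, verdict) for a controlAccessRight entry, else None."""
    if "controlaccessright" not in map(str.lower, entry.get("objectclass", [])):
        return None
    rdn = entry.get("dn", ["?"])[0].split(",", 1)[0]
    raw = entry.get("validaccesses", [""])[0]
    if not raw.isdigit():
        return rdn, "missing or non-numeric validAccesses"
    return rdn, KINDS.get(int(raw), "unexpected mask 0x%x" % int(raw))

# First entry abridged from the thread; the two Example-* entries are constructed.
SAMPLE = """\
dn: CN=DS-Validated-Write-Computer,CN=Extended-Rights,${CONFIGDN}
objectClass: controlAccessRight
validAccesses: 8

dn: CN=Example-Control-Right,CN=Extended-Rights,${CONFIGDN}
objectClass: controlAccessRight
validAccesses: 256

dn: CN=Example-Odd-Right,CN=Extended-Rights,${CONFIGDN}
objectClass: controlAccessRight
validAccesses: 3
"""

def report(text=SAMPLE):
    return [r for r in map(classify, parse_ldif(text)) if r]
```

Running `report()` over a provisioning LDIF lists any right whose validAccesses is absent or falls outside the three expected masks, which is the gap the thread asks to have documented.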