[cifs-protocol] Linked attributes in AD claims objects sent as plain DNs

Aaron Haslett aaronhaslett at catalyst.net.nz
Tue Nov 13 03:28:22 UTC 2018


In Windows 2012R2 Active Directory, objects related to claims in the
configuration partition such as:

CN=Global Resource Property List,CN=Resource Property Lists,CN=Claims

When sent over DRS replication, attributes such as
"msDS-MembersOfResourcePropertyList" which are defined as linked
attributes in the schema (linkID non-zero), should be returned in the
"rgValues" field in the DRS_MSG_GETCHGREPLY_V6 defined in
MS-DRSR:, but are instead returned as normal object
attributes in field "pObjects".

Samba relies on receiving linked attributes in the specified format, and
our code's assumptions are broken by current Windows behaviour. We want
to know:

1. Are these objects a special case during provision of a domain
controller? Do further modifications change the format Windows returns,
and are these changes persistent?

2. Are these objects a special case generally, throughout Active
Directory functionality, and therefore need special handling?

3. If these require special handling, is the required behaviour
documented somewhere? The behaviour has some similarity to Windows
2000-level linked attributes, but these objects were introduced in
2012R2 specifically.


Aaron H and Garming S
