[cifs-protocol] [REG:118111319335501] Linked attributes in AD claims objects sent as plain DNs
edgaro at microsoft.com
Wed Nov 21 07:08:03 UTC 2018
This is generic and not specific to a partition. pObjects is for updates to object name/attributes. There should be a one-to-one correspondence between remote attributes and meta data for those attributes. rgValues is for value changes. If the meta data shows a value change then that value should in the rgValues list. The sender can’t just send one or the other, it depends on what modification was made to the directory.
Here are some relevant references.
/* Process object updates. */
replEntinfList := msgReplyNative.pObjects^
. . .
if continueProcessing and (ulResult = 0) then
if (not ObjExists(replEntinfList.Entinf.pName^)) then
ulResult := AddObject(
ulResult := UpdateObject(
. . .
/* Process link value updates. */
linkValueCount := 0
while (ulResult = 0) and (linkValueCount < msgReplyNative.cNumValues)
ulResult := ProcessLinkValue(
From: Edgar Olougouna <edgaro at microsoft.com>
Sent: Monday, November 12, 2018 10:34 PM
To: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Cc: MSSolve Case Email <casemail at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [REG:118111319335501] Linked attributes in AD claims objects sent as plain DNs
[case number in subject, cc casemail, bcc dochelp] Hello Aaron and Garming, Thank you for this question. We have created the protocol support case number 118111319335501 for this inquiry. One of our engineers will investigate and follow-up soon.
From: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Sent: Monday, November 12, 2018 9:28 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: Linked attributes in AD claims objects sent as plain DNs
In Windows 2012R2 active directory, objects related to claims in the configuration partition such as:
CN=Global Resource Property List,CN=Resource Property Lists,CN=Claims Configuration,CN=Services,CN=Configuration,DC=X
When sent over DRS replication, attributes such as "msDS-MembersOfResourcePropertyList" which are defined as linked attributes in the schema (linkID non-zero), should be returned in the "rgValues" field in the DRS_MSG_GETCHGREPLY_V6 defined in MS-DRSR:220.127.116.11.12, but are instead returned as normal object attributes in field "pObjects".
Samba relies on receiving linked attributes in the specified format, and our code's assumptions are broken by current Windows behaviour. We want to know:
1. Are these objects a special case during provision of a domain controller? Do further modifications change the format Windows returns, and are these changes persistent?
2. Are these objects a special case generally, throughout Active Directory functionality, and therefore need special handling?
3. If these require special handling, is the required behaviour documented somewhere? The behaviour has some similarity to Windows 2000-level linked attributes, but these objects were introduced in
Aaron H and Garming S
More information about the cifs-protocol