[cifs-protocol] [REG:119072421000317] MS-DRSR drsuapi IDL_DRSAddEntry AttrBlock order for nTDSDSA object?

Edgar Olougouna edgaro at microsoft.com
Tue Aug 6 19:22:04 UTC 2019


We will update the document to make it clear that msDS-HasMasterNCs should come before HasMasterNCs, or an ERROR_DS_NO_CROSSREF_FOR_NC will be generated.
We will document this requirement in MS-DRSR.

We plan to add a requirement in 4.1.1.2.3 CreateNtdsDsa to check if it receives the list of attributes in correct order:
correctOrder := DoAttributesSatisfyPreCheckForCreateNtdsDsa (entList)
if not correctOrder then
    SetErrorData( SV_PROBLEM_DIR_ERROR, serviceError,
                  ERROR_DS_NO_CROSSREF_FOR_NC, pmsgOut, ver)
    return false
endif

And define the utility function DoAttributesSatisfyPreCheckForCreateNtdsDsa to perform the check:
DoAttributesSatisfyPreCheckForCreateNtdsDsa (
    e: ENTINF): Boolean
This procedure searches the ENTINF to verify that if both attributes hasMasterNCs and msDS-hasMasterNCs are present then msDS-hasMasterNCs comes before hasMasterNCs.  It returns false if both are present but in the wrong order; it returns true otherwise.

Thanks,
Edgar
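
As an added example, not code from the thread, from MS-DRSR or from Samba: a small Python model of the ordering rule Edgar describes above, which is also the failure Tim's original report at the bottom of the thread hit. The good and bad attribute orders from that report are used as constructed input; the function and constant names are my own, and a client-side reordering helper is included alongside the server-side check.

```python
# Added example (not from the thread or from MS-DRSR): a model of the AttrBlock
# ordering rule for nTDSDSA creation, usable to pre-check an IDL_DRSAddEntry
# request. Attribute names are compared case-insensitively, as LDAP does.

MSDS_HAS_MASTER_NCS = "msDS-HasMasterNCs"
HAS_MASTER_NCS = "HasMasterNCs"


def _index_of(attr_names, wanted):
    """Return the position of attribute `wanted` in the ordered list, or None."""
    wanted = wanted.lower()
    for i, name in enumerate(attr_names):
        if name.lower() == wanted:
            return i
    return None


def attributes_satisfy_precheck(attr_names):
    """Mirror of the DoAttributesSatisfyPreCheckForCreateNtdsDsa rule from the
    thread: if both attributes are present, msDS-HasMasterNCs must come before
    HasMasterNCs. True when only one (or neither) is present."""
    ms_idx = _index_of(attr_names, MSDS_HAS_MASTER_NCS)
    legacy_idx = _index_of(attr_names, HAS_MASTER_NCS)
    if ms_idx is None or legacy_idx is None:
        return True
    return ms_idx < legacy_idx


def fix_attr_order(attr_names):
    """Return a copy of the AttrBlock order with HasMasterNCs moved to directly
    after msDS-HasMasterNCs when the rule is violated. The relative order of all
    other attributes is preserved and the input list is not modified."""
    if attributes_satisfy_precheck(attr_names):
        return list(attr_names)
    ordered = list(attr_names)
    legacy = ordered.pop(_index_of(ordered, HAS_MASTER_NCS))
    ordered.insert(_index_of(ordered, MSDS_HAS_MASTER_NCS) + 1, legacy)
    return ordered


# Constructed input: the good/working and bad/failed orders quoted in the thread.
GOOD_ORDER = ['dn', 'objectclass', 'systemFlags', 'dMDLocation',
              'msDS-Behavior-Version', 'msDS-HasDomainNCs', 'objectCategory',
              'msDS-HasMasterNCs', 'HasMasterNCs', 'options', 'invocationId']
BAD_ORDER = ['dn', 'objectclass', 'systemFlags', 'dMDLocation',
             'msDS-Behavior-Version', 'msDS-HasDomainNCs', 'objectCategory',
             'HasMasterNCs', 'msDS-HasMasterNCs', 'options', 'invocationId']

if __name__ == "__main__":
    print("good order passes:", attributes_satisfy_precheck(GOOD_ORDER))
    print("bad order passes:", attributes_satisfy_precheck(BAD_ORDER))
    print("fixed bad order:", fix_attr_order(BAD_ORDER))
```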

-----Original Message-----
From: Garming Sam <garming at catalyst.net.nz> 
Sent: Sunday, July 28, 2019 4:59 PM
To: Tim Beale <timbeale at catalyst.net.nz>; Edgar Olougouna <edgaro at microsoft.com>
Cc: cifs-protocol at lists.samba.org; support <support at mail.support.microsoft.com>
Subject: Re: [cifs-protocol] [REG:119072421000317] MS-DRSR drsuapi IDL_DRSAddEntry AttrBlock order for nTDSDSA object?

Hi Edgar,

As far as I know, the DRS API is the authoritative way to add this particular record. Windows should be using this same procedure during its joins. It didn't seem like there's any detail about the order of DRSAddEntry having any implications (and even against LDAP, attributes shouldn't have any implicit ordering). If there is some additional semantic in this procedure, it does seem to belong here.

Cheers,

Garming

On 26/07/19 11:34 AM, Tim Beale via cifs-protocol wrote:
> Hi Edgar,
>
> I don't think I can add a nTDSDSA object over LDAP. I get:
> LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <000020A6: SvcErr:
> DSID-0305051B, problem 5003 (WILL_NOT_PERFORM)
>
> I think there might be a LDAP_SERVER_RODC_DCPROMO_OID control to 
> override this, but I couldn't figure out how to make that work.
>
> I'm using a 2012 R2 Server.
>
> Let me know if there's anything else you want me to try.
>
> Thanks,
> Tim
>
> On 26/07/19 9:03 AM, Edgar Olougouna wrote:
>> Sorry, I misread this at the beginning. It's DRS API. Is it something you can reproduce with LDAP? 
>> I am assuming there must be a proper logic on how to create a nTDSDSA object, independently of the interface.
>>
>> Thanks,
>> Edgar
>>
>> -----Original Message-----
>> From: Edgar Olougouna
>> Sent: Wednesday, July 24, 2019 9:57 AM
>> To: Tim Beale <timbeale at catalyst.net.nz>
>> Cc: cifs-protocol at lists.samba.org; support 
>> <support at mail.support.microsoft.com>
>> Subject: RE: [REG:119072421000317] MS-DRSR drsuapi IDL_DRSAddEntry AttrBlock order for nTDSDSA object?
>>
>> Hello Tim,
>> Thank you for reaching out.
>> If you do have an extended error message with “ . . . LdapErr: DSID-xxxxxxxx …” please share that whole error string with me as it can help me narrow down what you are experiencing. You would see it in the LDAP error message.
>> One more thing, regarding the Windows OS version you are testing against, is it server 2012 or Server 2012 R2? 
>>
>> Thanks,
>> Edgar
>>
>>
>> -----Original Message-----
>> From: Bryan Burgin <bburgin at microsoft.com>
>> Sent: Wednesday, July 24, 2019 12:56 AM
>> To: Tim Beale <timbeale at catalyst.net.nz>
>> Cc: cifs-protocol at lists.samba.org; support 
>> <support at mail.support.microsoft.com>
>> Subject: [REG:119072421000317] MS-DRSR drsuapi IDL_DRSAddEntry AttrBlock order for nTDSDSA object?
>>
>> [dochelp to bcc]
>> [+support]
>>
>> Hi Tim,
>>
>> Thank you for your question.  We created SR 119072421000317 to track your issue.  An engineer will contact you soon.
>>
>> Bryan
>>
>> -----Original Message-----
>> From: Tim Beale <timbeale at catalyst.net.nz>
>> Sent: Tuesday, July 23, 2019 3:31 PM
>> To: Interoperability Documentation Help <dochelp at microsoft.com>
>> Cc: cifs-protocol at lists.samba.org
>> Subject: MS-DRSR drsuapi IDL_DRSAddEntry AttrBlock order for nTDSDSA object?
>>
>> Hi,
>>
>> We're hitting a strange problem when using the MS-DRSR drsuapi 
>> IDL_DRSAddEntry API to create a nTDSDSA object on a Windows AD DC 
>> (2012 server, running 2008R2 functional level). We're using the
>> DRS_MSG_ADDENTRYREQ_V2 message.
>>
>> The problem seems to be related to the order of the attributes in the AttrBlock. Specifically, HasMasterNCs and msDS-HasMasterNCs. If the HasMasterNCs attribute occurs in the AttrBlock before msDS-HasMasterNCs, then the RPC throws an ERROR_DS_NO_CROSSREF_FOR_NC error. But if the same attributes are used in a different order (msDS-HasMasterNCs before HasMasterNCs), then the RPC succeeds. There may be something else I'm missing here, so I've included the attribute order from a good/working and bad/failed case further below.
>>
>> It's easy enough for us to fix the AttrBlock order. I'm just trying 
>> to understand what the requirement here actually is. I may have 
>> missed something, but I couldn't see any documented requirement in 
>> MS-DRSR regarding the attribute order (i.e. section 4.1.1.3 'Server 
>> Behavior of the IDL_DRSAddEntry Method', or in the MS-ADTS sections 
>> 6.1.1.2.1.1 or
>> 6.1.1.2.2.1.2.1.1 that are referenced).
>>
>> The only reference to ERROR_DS_NO_CROSSREF_FOR_NC I could find in MS-DRSR was for IDL_DRSRemoveDsDomain.
>>
>> Could you please clarify if there are any protocol requirements on the order of the attributes in AttrBlock for the MS-DRSR drsuapi IDL_DRSAddEntry API?
>>
>> Thanks,
>> Tim
>>
>> Attribute order in good/working case:
>> 'dn',
>> 'objectclass',
>> 'systemFlags',
>> 'dMDLocation',
>> 'msDS-Behavior-Version',
>> 'msDS-HasDomainNCs',
>> 'objectCategory',
>> 'msDS-HasMasterNCs',
>> 'HasMasterNCs',
>> 'options',
>> 'invocationId',
>>
>> Attribute order in bad/failed case:
>> 'dn',
>> 'objectclass',
>> 'systemFlags',
>> 'dMDLocation',
>> 'msDS-Behavior-Version',
>> 'msDS-HasDomainNCs',
>> 'objectCategory',
>> 'HasMasterNCs',
>> 'msDS-HasMasterNCs',
>> 'options',
>> 'invocationId'
>>
>>