[cifs-protocol] [REG:119102421000015] MS-ADTS dirsync and extended-dn interactions

Edgar Olougouna edgaro at microsoft.com
Thu Oct 24 00:52:18 UTC 2019

Thanks for looking further into this and reaching out. Based on your experimentation, does it mean that one control implies the other, meaning it's only one control effectively? Or are you observing that one supersedes the other? Is this a version specific or functional-level specific behavior?
I'll review this and follow-up.

-----Original Message-----
From: Jeff McCashland <jeffm at microsoft.com> 
Sent: Wednesday, October 23, 2019 8:13 PM
To: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Cc: bjacke at samba.org; Stefan Metzmacher <metze at samba.org>; support <support at mail.support.microsoft.com>
Subject: [REG:119102421000015] MS-ADTS dirsync and extended-dn interactions

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Andrew,

Thank you for your Active Directory question. We have created SR 119102421000015 to track this issue. One of our engineers will respond soon to assist.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=02%7C01%7Cedgaro%40microsoft.com%7C0fc12a220333491d0eaa08d75816e61b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637074727681835459&sdata=v9ch40MkTuGBBz6pPX45p%2BYBkPhK0wb7GZwK370%2B%2F0I%3D&reserved=0 | Extension 1138300 We value your feedback.  My manager is Jeremy Chapman (jeremyc), +1 (469) 775-2475

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
Sent: Wednesday, October 23, 2019 3:27 PM
To: cifs-protocol at lists.samba.org
Cc: Interoperability Documentation Help <dochelp at microsoft.com>; bjacke at samba.org; Stefan Metzmacher <metze at samba.org>
Subject: MS-ADTS dirsync and extended-dn interactions


Per a call with Edgar and Brian today.

While looking at a Samba fix for our Samba AD DC being contacted by Microsoft Azure, I notied that the interaction that is fixed by this Samba bug isn't clearly documented:


That is, while MS-ATDS specified both of these controls and while LDAP_SERVER_DIRSYNC_OID implies LDAP_SERVER_EXTENDED_DN_OID (not that I coudl find that documented in a brief serch), the inteaction is not ccalled out.

That is, as I understand it from the patch, during dirsync if LDAP_SERVER_EXTENDED_DN_OID is specified explicitly, then the returned data format (0 - the default, or 1) comes from that control.

It would be good if this was made clearer.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsamba.org&data=02%7C01%7Cedgaro%40microsoft.com%7C0fc12a220333491d0eaa08d75816e61b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637074727681840437&sdata=swARbMPGbAElOA6YLj2bG78JaXXEKUKeeb7VZtzV8oI%3D&reserved=0
Samba Development and Support, Catalyst IT

More information about the cifs-protocol mailing list