114103111975376 [MS-ADTS] 3.1.1.5.3.7.3 Undelete Processing Specifics Clarification

Sreekanth Nadendla srenaden at microsoft.com
Fri Dec 12 21:33:23 MST 2014


Hello Kamen,
Below is the formal change to our spec. Also, there is no workaround to control the objectCategory value.

3.1.1.5.3.7.2   Undelete Constraints
Added text to indicate that the objectCategory attribute of the target object cannot be specified as part of the undelete operation if the object is part of the base schema.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

From: kamenim at gmail.com [mailto:kamenim at gmail.com] On Behalf Of Kamen Mazdrashki
Sent: Wednesday, November 26, 2014 10:38 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; samba-technical
Subject: Re: 114103111975376 [MS-ADTS] 3.1.1.5.3.7.3 Undelete Processing Specifics Clarification

hi Sreekanth,

That definitely answers my question.
Thanks a lot

Regards,
Kamen


On Wed, Nov 26, 2014 at 5:15 PM, Sreekanth Nadendla <srenaden at microsoft.com> wrote:
That seems correct per implementation as of now. Which definitively answers your question. Let me know if you have concerns.
What I am working on at the moment is finding additional information so that if there is a different way to do this, I want to inform you of that.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

From: kamenim at gmail.com [mailto:kamenim at gmail.com] On Behalf Of Kamen Mazdrashki
Sent: Wednesday, November 26, 2014 10:11 AM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; samba-technical

Subject: Re: 114103111975376 [MS-ADTS] 3.1.1.5.3.7.3 Undelete Processing Specifics Clarification

Hi Sreekanth,

Thank you for your answer.
Just to confirm my understanding: objectCategory attribute value can not be changed by originating update.

Best regards,
Kamen

On Wed, Nov 26, 2014 at 2:25 PM, Sreekanth Nadendla <srenaden at microsoft.com> wrote:
Hello Kamen,
Thanks for confirming. When I debugged this at my end, I found that only a DRA or DSA is allowed to modify the objectCategory of an instance of a base schema class. That is why we are seeing error LDAP_UNWILLING_TO_PERFORM. So if “By design” there shouldn’t be a mechanism to achieve this then the document should be more clear. Otherwise, it should be addressed by a fix in the product. Either way MS-ADTS could be more clear. We should have a final answer from the product team soon.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

From: kamenim at gmail.com [mailto:kamenim at gmail.com] On Behalf Of Kamen Mazdrashki
Sent: Wednesday, November 26, 2014 12:37 AM
To: Sreekanth Nadendla
Cc: MSSolve Case Email
Subject: Re: 114103111975376 [MS-ADTS] 3.1.1.5.3.7.3 Undelete Processing Specifics Clarification

Hi Sreekanth,

Please find my comments inline

On Wed, Nov 26, 2014 at 4:18 AM, Sreekanth Nadendla <srenaden at microsoft.com> wrote:
Hello Kamen,
The MS-ADTS specification already says "when an object is deleted and transformed into a tombstone, objectCategory values, sAMAccountType values, and any linked attribute values on it are always removed." So this means restoring to previous value is not an option.

I’ve reproduced the issue in Win2012 R2, reviewed source code and am having it verified by the product team so that they can update the document to be more clear. Specifically you were looking to specify a non-default value for objectCategory during undelete/reanimation so that the object gets restored with a value of your choice in case you do not want the default value that it would be assigned otherwise. Correct?

I wanted to clarify following section regarding special modify operation to undelete objects (numbering is from me):
"[1] If the user did not specify the value for objectCategory<http://msdn.microsoft.com/en-us/library/cc221011.aspx> attribute, and [2] the target object did not have this value retained at the time of deletion, [3] then the default objectCategory<http://msdn.microsoft.com/en-us/library/cc221011.aspx> attribute is written, as obtained from the objectClass's<http://msdn.microsoft.com/en-us/library/cc221012.aspx> defaultObjectCategory<http://msdn.microsoft.com/en-us/library/cc219806.aspx> value"

[2] and [3] are clear to me -> we don't have objectCategory retained so we should restore it to default value.
The way I am reading [1] though implies, that modify request "may" have "objectCategory" attribute set.
In which case, restored object should be restored with the specified value. Hence, in a way,
while restoring an object, we can set the objectCategory attribute to arbitrary value. This is how I read it.
In practice though Windows returns UnwillingToPerform.

So my ultimate question is: I can OR I can not restore objectCategory attribute value to a non-default
value sending Undelete object request?

Best regards,
Kamen Mazdrashki


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

From: Sreekanth Nadendla
Sent: Monday, November 3, 2014 4:43 PM
To: 'Kamen Mazdrashki'
Cc: samba-technical; cifs-protocol at samba.org; MSSolve Case Email
Subject: 114103111975376 [MS-ADTS] 3.1.1.5.3.7.3 Undelete Processing Specifics Clarification

Hello Kamen,
I am the engineer who will be working with you on this issue. I am currently researching the problem and will provide you with an update soon. Thank you for your patience.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

From: kamenim at gmail.com [mailto:kamenim at gmail.com] On Behalf Of Kamen Mazdrashki
Sent: Thursday, October 30, 2014 11:08 PM
To: Interoperability Documentation Help; cifs-protocol at samba.org
Cc: samba-technical
Subject: [MS-ADTS] 3.1.1.5.3.7.3 Undelete Processing Specifics Clarification

Dear Dochelp team,

I am currently working on Tombstone reanimation implementation in Samba
and I am having trouble understanding how objectCategory attribute should
be processed.

According to http://msdn.microsoft.com/en-us/library/cc223470.aspx
objectCategory attribute should be restored to its default value in case
it is *not* specified by the user. I guess this means it is not specified in
the special ldap modify request.

I am testing against Windows Server 2008 R2 with Forest Functional level "2008 R2"

  1.  when objectCategory is not specified, everything is fine
  2.  when objectCategory is specified though, I am always getting
      LDAP_UNWILLING_TO_PERFORM error. I have tried both to
      "replace" and "add" this attribute - same result. Please see attached ldif.

My question is: how to specify this attribute so I am able to control the value?

Best Regards,
Kamen Mazdrashki
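
The objectCategory handling this thread settles on, as an added example that is not part of the original messages and is not Samba or Microsoft code: a small model that parses an undelete modify request (delete of isDeleted plus replace of distinguishedName) and applies the constraint. The DNs, the class names, the base-schema set and the helper names are constructed assumptions, and the branch for classes outside the base schema follows the quoted spec text [1] rather than anything tested in the thread.

```python
LDAP_SUCCESS, LDAP_UNWILLING_TO_PERFORM = 0, 53

# Constructed sample data (assumptions, not values from the thread).
BASE_SCHEMA_CLASSES = {"user", "group"}
DEFAULT_OBJECT_CATEGORY = {
    "user": "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com",
    "exampleWidget": "CN=Example-Widget,CN=Schema,CN=Configuration,DC=example,DC=com",
}
UNDELETE_LDIF = r"""
dn: CN=alice\0ADEL:00000000-0000-0000-0000-000000000001,CN=Deleted Objects,DC=example,DC=com
changetype: modify
delete: isDeleted
-
replace: distinguishedName
distinguishedName: CN=alice,CN=Users,DC=example,DC=com
-
"""
CATEGORY_MOD = ("{op}: objectCategory\n"
                "objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com\n-\n")

def parse_modify(ldif):
    """Return [(op, attr, [values])] for one 'changetype: modify' LDIF record."""
    mods = []
    for line in ldif.strip().splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("add", "delete", "replace"):
            mods.append((key, value.lower(), []))      # start of a new modification
        elif mods and key == mods[-1][1]:
            mods[-1][2].append(value)                  # value line for the current one
    return mods

def process_undelete(ldif, tombstone):
    """Model of the undelete objectCategory rule; returns (result code, objectCategory)."""
    mods = parse_modify(ldif)
    ops = {(op, attr) for op, attr, _ in mods}
    if not {("delete", "isdeleted"), ("replace", "distinguishedname")} <= ops:
        raise ValueError("not an undelete request")
    specified = [vals for _, attr, vals in mods if attr == "objectcategory"]
    cls = tombstone["objectClass"]
    if specified and cls in BASE_SCHEMA_CLASSES:
        # Constraint added to 3.1.1.5.3.7.2: reject, whether sent as add or replace.
        return LDAP_UNWILLING_TO_PERFORM, None
    values = [v for vals in specified for v in vals]
    if values:  # assumption: caller-supplied value is honoured outside the base schema
        return LDAP_SUCCESS, values[0]
    retained = tombstone.get("objectCategory")
    # Nothing specified: keep a retained value, else the class's defaultObjectCategory.
    return LDAP_SUCCESS, retained or DEFAULT_OBJECT_CATEGORY[cls]
```
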




