[PATCH] Allow duplicate non local objectSIDs

Alexander Bokovoy ab at samba.org
Thu Nov 30 10:28:24 UTC 2017


On Thu, 30 Nov 2017, Stefan Metzmacher via samba-technical wrote:
> Hi Gary,
> 
> are we sure we only have to care about the local domain sid?
> 
> At least I read somewhere that the automatic creation of
> foreignSecurityPrincipal objects (which we don't support yet)
> is only done if the domain sid is not known anywhere in the forest.
> 
> Can you please check in a windows forest if it's possible to
> create a foreignSecurityPrincipal with an already existing sid
> from a different domain in the forest, as well as
> a non-existing sid, with a known domain sid part but a not yet used rid.
MS-ADTS has two important sections related to foreign principal objects:

3.1.1.5.2.4 Processing Specifics [of LDAP ADD operation]
-----
If the Add assigns a value to an FPO-enabled attribute (section
3.1.1.5.2.3) of the new object, and the DN value in the add request has
<SID=stringizedSid> format (section 3.1.1.3.1.2.4), then the DC creates
a corresponding foreignSecurityPrincipal object in the
ForeignSecurityPrincipals container (section 6.1.1.4.10) and assigns a
reference to the new foreignSecurityPrincipal object as the FPO-enabled
attribute value. [MS-SAMR] section 3.1.1.8.9 specifies the creation of
the foreignSecurityPrincipal object.
-----

and 

3.1.1.5.3.3 Processing Specifics [of LDAP MODIFY operation]
-----
If the modify assigns a value to an FPO-enabled attribute (section
3.1.1.5.2.3) of the existing object, and the DN value in the modify
request has <SID=stringizedSid> format (section 3.1.1.3.1.2.4), then the
DC creates a corresponding foreignSecurityPrincipal object in the
Foreign Security Principals Container (section 6.1.1.4.10) and assigns a
reference to the new foreignSecurityPrincipal object as the FPO-enabled
attribute value. [MS-SAMR] section 3.1.1.8.9 specifies the creation of
the foreignSecurityPrincipal object.
-----

Finally, MS-SAMR section 3.1.1.8.9 describes what this new
foreignSecurityPrincipal object should look like and which conditions
have to be satisfied to trigger creation of an FPO when the member
attribute is updated.

Conditions:

 - The value contains a SID-only dsname value.
 - The dsname value does not resolve to an existing object in the domain
   NC.
 - The server is in a DC configuration, and the domain prefix of the SID
   value is not equal to any domain SID in the forest; or the server is
   in a non-DC configuration, and the value is different than the
   account domain security identifier.

So you are right, Stefan, the domain SID of the object must be external
to the forest in case of a DC.

> 
> The same test should be done with the local domain sid.
> 
> Thanks!
> metze
> 
> On 30.11.2017 at 02:37, Gary Lockyer via samba-technical wrote:
> > Patch to allow duplicate objectSIDs for foreign security principals,
> > while requiring unique objectSIDs for the primary domain.
> > 
> > Fixes BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004
> > 
> > Review and push appreciated
> > 
> > Thanks Gary
> > 
> 
> 




-- 
/ Alexander Bokovoy
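As an added example (not code from Gary's patch or from Samba itself), the following Python sketch models the three MS-SAMR 3.1.1.8.9 conditions quoted above and shows why a SID from another domain in the same forest, even with an unused RID, does not qualify for FPO creation on a DC. The forest domain SIDs, the existing objects and the `lookup` resolver are constructed values.

```python
import re
from typing import Callable, Iterable, Optional

# Constructed example: a <SID=stringizedSid> dsname (MS-ADTS 3.1.1.3.1.2.4).
SID_ONLY_DSNAME = re.compile(r"^<SID=(S-1-\d+(?:-\d+)+)>$")

def parse_sid_only_dsname(value: str) -> Optional[str]:
    """Return the SID if value is a SID-only dsname, else None (condition 1)."""
    m = SID_ONLY_DSNAME.match(value.strip())
    return m.group(1) if m else None

def domain_prefix(sid: str) -> str:
    """Strip the trailing RID: S-1-5-21-1-2-3-1105 -> S-1-5-21-1-2-3."""
    return sid.rpartition("-")[0]

def fpo_creation_applies(value: str, forest_domain_sids: Iterable[str],
                         resolve_sid: Callable[[str], Optional[str]],
                         is_dc: bool = True,
                         account_domain_sid: Optional[str] = None) -> bool:
    """MS-SAMR 3.1.1.8.9: would this member value create an FPO?"""
    sid = parse_sid_only_dsname(value)
    if sid is None:
        return False                      # not a SID-only dsname
    if resolve_sid(sid) is not None:
        return False                      # resolves in the domain NC already
    prefix = domain_prefix(sid)
    if is_dc:                             # DC: prefix must be foreign to the whole forest
        return prefix not in set(forest_domain_sids)
    return prefix != account_domain_sid   # non-DC: compare with the account domain SID

# Constructed forest: local domain plus one child domain, and two existing objects.
FOREST = {"S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"}
KNOWN = {"S-1-5-21-1111-2222-3333-500", "S-1-5-21-4444-5555-6666-1103"}

def lookup(sid: str) -> Optional[str]:
    """Hypothetical resolver standing in for a domain NC search."""
    return sid if sid in KNOWN else None

def classify_examples() -> dict:
    """Cases from the thread: only a SID external to the forest creates an FPO."""
    return {
        "external_forest_sid": fpo_creation_applies("<SID=S-1-5-21-7777-8888-9999-1105>", FOREST, lookup),
        "local_existing": fpo_creation_applies("<SID=S-1-5-21-1111-2222-3333-500>", FOREST, lookup),
        "other_domain_unused_rid": fpo_creation_applies("<SID=S-1-5-21-4444-5555-6666-9999>", FOREST, lookup),
        "not_sid_only": fpo_creation_applies("CN=Foo,CN=Users,DC=example,DC=com", FOREST, lookup),
    }
```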