Matthias,

   This seems to be a new issue even though it is in the same section of the 
document.   We will create a new case to keep track of it.   If there is a new 
issue in our communication in the future, please also copy docHelp, which is 
monitored by our team, so it will not be missed in case I am out of office or so.  

   As for this issue, could you give a little more description of the 
blackbox test which reproduces the behavior?

Thanks!

Hongwei  

-----Original Message-----
From: Matthias Dieter Wallnöfer [mailto:m...@samba.org] 
Sent: Monday, October 11, 2010 11:29 AM
To: Hongwei Sun
Cc: cifs-proto...@samba.org; MSSolve Case Email
Subject: Re: [REG:110091558099846] RE: Incompleteness in MS-SAMR section 
3.1.1.8.1 objectClass

Hongwei,

I think I've found another issue: always MS-SAMR 3.1.1.8.1 "objectClass" 
trigger - this time item 1.5.

Windows doesn't always seem to add UF_PASSWD_NOT_REQD when objects using 
UF_WORKSTATION_TRUST_ACCOUNT are created. We've a blackbox test which 
reproduces this. Probably there is some explanation missing; that is, 
under which cases PASSWD_NOT_REQD is added.

Greets,
Matthias


Hongwei Sun wrote:
> Matthias,
>
>    Following up on this documentation update, I attached the changes made to 
> the MS-ADTS and MS-DRSR.
>
> BEFORE ---
> 3.1.1.3.2.41   tokenGroups
> Returns the SIDs contained in the security context as which the client has 
> authenticated the LDAP connection. See section 5.1.3.
>
> AFTER ---
> 3.1.1.3.2.41   tokenGroups
> Returns the SIDs contained in the security context as which the client has 
> authenticated the LDAP connection. Refer to section 5.1.3 for details on LDAP 
> Authorization. Refer to section 3.1.1.4.5.19 for details on the algorithm 
> used to compute this attribute.
>
> BEFORE ---
> 3.1.1.4.9.6   DomainOf
> procedure DomainOf(o: DSName): DSName
> This procedure returns the DSName of the domain NC to which the given DSName 
> o belongs. It returns null upon failure.
>
> 3.1.1.4.9.7   GetDSNameFromPrimaryGroupId
> procedure GetDSNameFromPrimaryGroupId(rid: Rid): DSName
> This procedure constructs a SID s consisting of the domain SID of the DC's 
> default domain and the given relative identifier (RID) rid, and returns the 
> DSName of the object o for which o!objectSid = s. If no such object o exists, 
> then this procedure will return null.
>
> AFTER ---
> 3.1.1.4.9.6   DomainOf
> procedure DomainOf(o: DSName): DSName
> This procedure returns the DSName of the domain NC to which the given DSName 
> o belongs. It returns null upon failure.
>
> <content added>
> 3.1.1.4.9.7   GetDSNameOfEnterpriseRODCsGroup
> procedure GetDSNameOfEnterpriseReadonlyDomainControllerGroup(): DSName
> This procedure constructs a SID s consisting of the domain SID of the root 
> domain and the relative identifier (RID) of the Enterprise Read-only Domain 
> Controllers Group (as defined in section 7.1.1.6.14), and returns the DSName 
> of the object o for which o!objectSid = s. If no such object o exists, this 
> procedure returns null.
>
> 3.1.1.4.9.8   GetDSNameFromPrimaryGroupId
> procedure GetDSNameFromPrimaryGroupId(rid: Rid): DSName
> This procedure constructs a SID s consisting of the domain SID of the DC's 
> default domain and the given relative identifier (RID) rid, and returns the 
> DSName of the object o for which o!objectSid = s. If no such object o exists, 
> then this procedure will return null.
>
>
> BEFORE ---
> 3.1.1.4.9.10   GetMemberships Method
> . . .
> In the following pseudocode, the SID type is specified in [MS-DRDM] section 
> 5.126, the IsGC procedure is specified in [MS-DRDM] section 5.67, and the 
> DefaultNC procedure is specified in [MS-DRDM] section 5.20.
> . . .
> /* Get the initial result set from the graph. */
> wSet := {}
> for i := 0 to msgIn.ppDsNames.cDsNames - 1
>    u := msgIn.ppDsNames[i]
>    if u in vSet then
>      /* Get the subgraph by applying the predicate IsMatchedGroup
>       * on each element in the vertex set, plus u itself. */
>      uSet := {u} + select all v from vSet where
>           IsMatchedGroup(v, op, msgIn.pLimitingDomain^)
>      if transitive then
>        wSet := wSet + (Closure(uSet, aSet, u) - {u})
>      else
>        wSet := wSet + (Neighbors(uSet, aSet, u) - {u})
>      endif
>    endif
> endfor
> . . .
>
> AFTER ---
> 3.1.1.4.9.11   GetMemberships Method
> . . .
> In the following pseudocode, the ADS_UF_WORKSTATION_TRUST_ACCOUNT and 
> ADS_UF_PARTIAL_SECRETS_ACCOUNT flags are specified in section 2.2.15, the 
> userAccountControl attribute is specified in [MS-ADA3] section 2.341, the SID 
> type is specified in [MS-DRDM] section 5.126, the IsGC procedure is specified 
> in [MS-DRDM] section 5.67, and the DefaultNC procedure is specified in 
> [MS-DRDM] section 5.20.
> . . .
> /* Get the initial result set from the graph. */
> wSet := {}
> for i := 0 to msgIn.ppDsNames.cDsNames - 1
>    u := msgIn.ppDsNames[i]
>    if u in vSet then
>      /* Get the subgraph by applying the predicate IsMatchedGroup
>       * on each element in the vertex set, plus u itself. */
>      uSet := {u} + select all v from vSet where
>           IsMatchedGroup(v, op, msgIn.pLimitingDomain^)
>      if transitive then
>        wSet := wSet + (Closure(uSet, aSet, u) - {u})
>      else
>        wSet := wSet + (Neighbors(uSet, aSet, u) - {u})
>      endif
>      if((u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT =
>             ADS_UF_WORKSTATION_TRUST_ACCOUNT) or
>          (u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT =
>             ADS_UF_PARTIAL_SECRETS_ACCOUNT))
>
>          wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
>      endif
>    endif
> endfor
> . . .
>
> Thanks!
>
> Hongwei
>
>
> -----Original Message-----
> From: Matthias Dieter Wallnöfer [mailto:m...@samba.org]
> Sent: Wednesday, September 22, 2010 7:42 AM
> To: Hongwei Sun
> Cc: cifs-proto...@samba.org; MSSolve Case Email
> Subject: Re: [REG:110091558099846] RE: Incompleteness in MS-SAMR section 
> 3.1.1.8.1 objectClass
>
> Okay!
>
> Greets,
> Matthias Wallnöfer
>
> Hongwei Sun wrote:
>    
>> Matthias,
>>
>>     Thanks for raising this issue with us.  First, we will add the missing 
>> definitions for UF_PARTIAL_SECRETS_ACCOUNT (0x4000000) to 2.2.1.13 MS-SAMR, 
>> USER_PARTIAL_SECRETS_ACCOUNT (0x00100000) to 2.2.1.12 MS-SAMR and 
>> DOMAIN_GROUP_RID_READONLY_DCS (0x00000209) to 2.2.1.14 MS-SAMR.   In 
>> 3.1.1.8.1 MS-SAMR, we will add the following entry to the table in item 4 
>> showing that if userAccountControl has bits UF_WORKSTATION_TRUST_ACCOUNT & 
>> UF_PARTIAL_SECRETS_ACCOUNT, the primaryGroupId attribute MUST be updated 
>> with DOMAIN_GROUP_RID_READONLY_CONTROLLERS.
>>
>>     We are in the process of updating the document. The changes will appear in 
>> the future release of the document.  Please let us know if you have any 
>> further questions.  If not, I will consider this issue resolved.
>>
>> Thanks!
>>
>> Hongwei
>>
>>      
>
>    


_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
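
Added example, not part of the thread and not Microsoft's or Samba's code: a check over constructed account records that derives the default primaryGroupId from userAccountControl, including the RODC table entry discussed above, and reports workstation trust accounts carrying UF_PASSWD_NOT_REQD. The record layout and function names are hypothetical; only 0x4000000 and 0x209 are quoted in the thread, the other constants are the well-known MS-SAMR values.

```python
# Flag bits (UF_PARTIAL_SECRETS_ACCOUNT is the value quoted in the thread).
UF_PASSWD_NOT_REQD = 0x00000020
UF_NORMAL_ACCOUNT = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000

# Group RIDs (DOMAIN_GROUP_RID_READONLY_DCS is the value quoted in the thread).
DOMAIN_GROUP_RID_USERS = 0x201
DOMAIN_GROUP_RID_COMPUTERS = 0x203
DOMAIN_GROUP_RID_CONTROLLERS = 0x204
DOMAIN_GROUP_RID_READONLY_DCS = 0x209


def expected_primary_group(uac):
    """Default primaryGroupId RID implied by userAccountControl, or None."""
    rodc = UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT
    if (uac & rodc) == rodc:          # both bits set: the new table entry
        return DOMAIN_GROUP_RID_READONLY_DCS
    if uac & UF_SERVER_TRUST_ACCOUNT:
        return DOMAIN_GROUP_RID_CONTROLLERS
    if uac & UF_WORKSTATION_TRUST_ACCOUNT:
        return DOMAIN_GROUP_RID_COMPUTERS
    if uac & UF_NORMAL_ACCOUNT:
        return DOMAIN_GROUP_RID_USERS
    return None


def audit(records):
    """Return (name, observation) pairs; a differing primaryGroupId may be
    a deliberate change, so these are observations, not errors."""
    findings = []
    for rec in records:
        uac = rec["userAccountControl"]
        want = expected_primary_group(uac)
        if want is not None and rec["primaryGroupId"] != want:
            findings.append((rec["name"],
                             f"primaryGroupId {rec['primaryGroupId']} != default {want}"))
        if (uac & UF_WORKSTATION_TRUST_ACCOUNT) and (uac & UF_PASSWD_NOT_REQD):
            findings.append((rec["name"], "UF_PASSWD_NOT_REQD set on workstation trust account"))
    return findings


# Constructed sample records, not real directory data.
SAMPLE = [
    {"name": "WS01$", "userAccountControl": 0x1000, "primaryGroupId": 515},
    {"name": "WS02$", "userAccountControl": 0x1020, "primaryGroupId": 515},
    {"name": "RODC1$", "userAccountControl": 0x04001000, "primaryGroupId": 515},
    {"name": "alice", "userAccountControl": 0x0200, "primaryGroupId": 513},
]
```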
