[cifs-protocol] RE: How is LSA_FOREST_TRUST_BINARY_DATA filled in?
Andrew, Thank you for submitting this issue, an engineer will get back to you shortly. We have created a case for tracking and the case number is SRX081013600063. Richard Guthrie Open Protocols Support Team Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM Tel: +1 (469) 775-7794 E-mail: [EMAIL PROTECTED] -Original Message- From: Andrew Bartlett [mailto:[EMAIL PROTECTED] Sent: Monday, October 13, 2008 3:55 AM To: Interoperability Documentation Help Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: How is LSA_FOREST_TRUST_BINARY_DATA filled in? In MS-LSAD 2.2.67 it indicates the following structure: LSA_FOREST_TRUST_BINARY_DATA The LSA_FOREST_TRUST_BINARY_DATA structure is used to communicate a forest trust record. typedef struct _LSA_FOREST_TRUST_BINARY_DATA { unsigned long Length; [size_is(Length)] unsigned char* Buffer; } LSA_FOREST_TRUST_BINARY_DATA, *PLSA_FOREST_TRUST_BINARY_DATA; What fills in this binary structure? This is used in 2.2.69 LSA_FOREST_TRUST_RECORD. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. ___ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: (more) Backing store for Trusted domain object creation time and flags
Andrew, I will be working this issue with you. I need to do some research regarding the problem you are seeing but will get back to you shortly. The case # for this issue is SRX081013600078. Richard Guthrie Open Protocols Support Team Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM Tel: +1 (469) 775-7794 E-mail: [EMAIL PROTECTED] -Original Message- From: Andrew Bartlett [mailto:[EMAIL PROTECTED] Sent: Monday, October 13, 2008 4:00 AM To: Interoperability Documentation Help Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: (more) Backing store for Trusted domain object creation time and flags In 2.2.69 LSA_FOREST_TRUST_RECORD it states: typedef struct _LSA_FOREST_TRUST_RECORD { unsigned long Flags; LSA_FOREST_TRUST_RECORD_TYPE ForestTrustType; LARGE_INTEGER Time; Time: The date and time when this entry was created. It is a 64-bit value that represents the number of 100-nanosecond intervals since January 1, 1601, UTC. I presume this is just the whenCreated attribute on this record, but no link is made. However, I'm more puzzled by the 'Flags' - where does this come from (in terms of LDAP attributes)? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. ___ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: (more) Backing store for Trusted domain object creation time and flags
Good morning Andrew. Thank you for raising the questions! I have created the following case for you; one of me team mates or myself will take ownership of the case shortly and will contact you. SRX081013600072 [MS-LSAD] 2.2.69 LSA_FOREST_TRUST_RECORD LDAP Regards, Bill Wesse MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM 8055 Microsoft Way Charlotte, NC 28273 TEL: +1(980) 776-8200 CELL: +1(704) 661-5438 FAX: +1(704) 665-9606 -Original Message- From: Andrew Bartlett [mailto:[EMAIL PROTECTED] Sent: Monday, October 13, 2008 5:00 AM To: Interoperability Documentation Help Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: (more) Backing store for Trusted domain object creation time and flags In 2.2.69 LSA_FOREST_TRUST_RECORD it states: typedef struct _LSA_FOREST_TRUST_RECORD { unsigned long Flags; LSA_FOREST_TRUST_RECORD_TYPE ForestTrustType; LARGE_INTEGER Time; Time: The date and time when this entry was created. It is a 64-bit value that represents the number of 100-nanosecond intervals since January 1, 1601, UTC. I presume this is just the whenCreated attribute on this record, but no link is made. However, I'm more puzzled by the 'Flags' - where does this come from (in terms of LDAP attributes)? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. ___ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: How is LSA_FOREST_TRUST_BINARY_DATA filled in?
Andrew, Please disregard this email. Bill Wesse has sent you the correct case #. Richard Guthrie Open Protocols Support Team Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM Tel: +1 (469) 775-7794 E-mail: [EMAIL PROTECTED] -Original Message- From: Richard Guthrie Sent: Monday, October 13, 2008 8:22 AM To: 'Andrew Bartlett' Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: How is LSA_FOREST_TRUST_BINARY_DATA filled in? Andrew, Thank you for submitting this issue, an engineer will get back to you shortly. We have created a case for tracking and the case number is SRX081013600063. Richard Guthrie Open Protocols Support Team Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM Tel: +1 (469) 775-7794 E-mail: [EMAIL PROTECTED] -Original Message- From: Andrew Bartlett [mailto:[EMAIL PROTECTED] Sent: Monday, October 13, 2008 3:55 AM To: Interoperability Documentation Help Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: How is LSA_FOREST_TRUST_BINARY_DATA filled in? In MS-LSAD 2.2.67 it indicates the following structure: LSA_FOREST_TRUST_BINARY_DATA The LSA_FOREST_TRUST_BINARY_DATA structure is used to communicate a forest trust record. typedef struct _LSA_FOREST_TRUST_BINARY_DATA { unsigned long Length; [size_is(Length)] unsigned char* Buffer; } LSA_FOREST_TRUST_BINARY_DATA, *PLSA_FOREST_TRUST_BINARY_DATA; What fills in this binary structure? This is used in 2.2.69 LSA_FOREST_TRUST_RECORD. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. ___ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] Status: SRX080811600226 ([MS-NRPC] 2.2.1.3.12 Trust Account Details) superceded by SRX081013600536: [MS-NRPC] operation backing store linkages
Good morning Andrew. Since the original comments and questions you raised in SRX080811600226 about backup store linkages did not result in any material updates to the documents, I have created SRX081013600536 for continuance (and have closed SRX080811600226). I am currently beginning a study of the MS-NRPC operation parameters, in order to compile a cross reference list, which I will submit to development as a well-annotated table, with back references to the operations sections. I am not sure at this time which of the columns should be the independent column (parameter or AD attribute). I would appreciate your input on this point, as you undoubtedly have a better insight than I into document usage. Sorry it took me this long to get to this point. == Question: The MS-NRPC document does not specify the linkage to the backing store for any of it's operations. For example, the NetServerAuthenticate3 query talks only about client computer accounts, but in 2.2.1.3.12 NETLOGON_SECURE_CHANNEL_TYPE, interdomain trust accounts are described. == Response: Some of this data is already described in the document. Section 3.1.1. Abstract Data Model has entry for SharedSecret along with description of where the data is stored. Only as an obscure 'microsoft behaviour note'. This is not a minor detail of protocol behaviour, and deserves to be referenced in a major table matching protocol elements with their underlying backing store. This table is what I want to see across all the protocols - as the double-mapping between protocol structure elements, abstract data modals and the occasional Microsoft behaviour notes detailing the backing store is a big problem. Similarly, because it is do dispersed, it is not possible for you to show completeness in the mapping either. Computer accounts are stored in AD under the CN=Computers and trusts are stored in Trusted Domain Objects described in section 7.1.6.2 of [MS-ADTS]. Please refer to our response (currently incomplete) concerning trust backing store information against the other case we are working on for you: SRX080731600024 [MS-ADTS] 7.1.6 Relationship between trusted domain objects == Question: It makes sense that these both refer to computer and domain trust accounts found under cn=users, but this is not specified, nor are the attributes used specified. Similarly, the NetrSetPassword2 call sets a trust account password, but the operation of this call - what LDAP/DRS visible attribute it changes - are not specified. == Response: This data is already described in the document. Section 3.1.1. Abstract Data Model has entry for SharedSecret along with description of where the data is stored. Except changing a password does far more than simply change the value of unicodePwd. This is the problem with the proxy via the abstract data modal - it misses details. == Question: Please start with these, but to also note that, the 3.5.4.5.2 NetrDatabaseSync{,2} calls need the same level of specification. These are just examples - like in my request regarding LSA, can you please clarify for the whole document which protocol buffers line up with which objects and attributes in the underlying database. == Response: Since this is RPC based protocol, there are no buffers to be described. The only exception is the Netlogon SSP documentation, but those are covered by the above two responses. Please could you re-read and re-answer the question in a more broad light, taking buffers as a synonym for perhaps RPC protocol structure elements? Thanks Regards, Bill Wesse MCSE, MCTS / Escalation Engineer, US-CSS DSC PROTOCOL TEAM 8055 Microsoft Way Charlotte, NC 28273 TEL: +1(980) 776-8200 CELL: +1(704) 661-5438 FAX: +1(704) 665-9606 ___ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: Microsoft Client tool expectatations
Andrew, I just want to check with you about the current status of the domain trust issue between Windows 2008 server and Samba4. I know that you have made significant progresses during Interop Lab Event. Please let me know whether I can close this case if you don't have any issue left. Thanks -- Hongwei Sun - Sr. Support Escalation Engineer DSC Protocol Team, Microsoft [EMAIL PROTECTED] Tel: 469-7757027 x 57027 --- -Original Message- From: Andrew Bartlett [mailto:[EMAIL PROTECTED] Sent: Monday, September 08, 2008 7:22 AM To: Interoperability Documentation Help Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Microsoft Client tool expectatations How do I determine what LDAP values a Microsoft client tool is expecting? For example, with the attached patch against current GIT, I cannot make windows 2008 join Samba4 as a 2-way, forest level trusted domain. It seems something is wrong with what we return to cn=partitions,cn=configuration, Similarly, against our current GIT tree, the Win2k3 admin pack on WinXP won't launch 'Active Directory Users and Computers' against Samba4. The error seems to be in response to our return value for the cn=aggregate schema. In both cases, I just have cryptic error messages. How can I determine what these tools are expecting? Attached please find network traces for both the 2008 server attempting to join the trust and a WinXP machine trying to open 'Active Directory Users and Computers'. (keytab to follow in private mail) The join fails with: 'unable to read the functional level of the forest' Cannot convert to/from the native DS datatype. The ADUC launch fails with: 'unspecified error'. (This used to work, before I 'fixed' some schema stuff). Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. ___ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: Microsoft Client tool expectatations
On Mon, 2008-10-13 at 12:29 -0700, Hongwei Sun wrote: Andrew, I just want to check with you about the current status of the domain trust issue between Windows 2008 server and Samba4. I know that you have made significant progresses during Interop Lab Event. Please let me know whether I can close this case if you don't have any issue left. I'll open new cases for any more issues we find. Lots of things got fixed with the work at the IO lab. I'm raising new issues for the questions I have (as it fails on an RPC op that we don't implement) once we got past this point. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. signature.asc Description: This is a digitally signed message part ___ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol