[cifs-protocol] RE: How is LSA_FOREST_TRUST_BINARY_DATA filled in?
Andrew,
Thank you for submitting this issue, an engineer will get back to you shortly.
We have created a case for tracking and the case number is SRX081013600063.
Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: [EMAIL PROTECTED]
-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Monday, October 13, 2008 3:55 AM
To: Interoperability Documentation Help
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: How is LSA_FOREST_TRUST_BINARY_DATA filled in?
In MS-LSAD 2.2.67 it indicates the following structure:
LSA_FOREST_TRUST_BINARY_DATA
The LSA_FOREST_TRUST_BINARY_DATA structure is used to communicate a forest
trust record.
typedef struct _LSA_FOREST_TRUST_BINARY_DATA {
unsigned long Length;
[size_is(Length)] unsigned char* Buffer;
} LSA_FOREST_TRUST_BINARY_DATA,
*PLSA_FOREST_TRUST_BINARY_DATA;
What fills in this binary structure? This is used in 2.2.69
LSA_FOREST_TRUST_RECORD.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: (more) Backing store for Trusted domain object creation time and flags
Andrew,
I will be working this issue with you. I need to do some research regarding
the problem you are seeing but will get back to you shortly. The case # for
this issue is SRX081013600078.
Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: [EMAIL PROTECTED]
-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Monday, October 13, 2008 4:00 AM
To: Interoperability Documentation Help
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: (more) Backing store for Trusted domain object creation time and flags
In 2.2.69 LSA_FOREST_TRUST_RECORD it states:
typedef struct _LSA_FOREST_TRUST_RECORD {
unsigned long Flags;
LSA_FOREST_TRUST_RECORD_TYPE ForestTrustType;
LARGE_INTEGER Time;
Time: The date and time when this entry was created. It is a 64-bit value that
represents the
number of 100-nanosecond intervals since January 1, 1601, UTC.
I presume this is just the whenCreated attribute on this record, but no link is
made.
However, I'm more puzzled by the 'Flags' - where does this come from (in terms
of LDAP attributes)?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: (more) Backing store for Trusted domain object creation time and flags
Good morning Andrew. Thank you for raising the questions! I have created the
following case for you; one of me team mates or myself will take ownership of
the case shortly and will contact you.
SRX081013600072 [MS-LSAD] 2.2.69 LSA_FOREST_TRUST_RECORD LDAP
Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606
-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Monday, October 13, 2008 5:00 AM
To: Interoperability Documentation Help
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: (more) Backing store for Trusted domain object creation time and flags
In 2.2.69 LSA_FOREST_TRUST_RECORD it states:
typedef struct _LSA_FOREST_TRUST_RECORD {
unsigned long Flags;
LSA_FOREST_TRUST_RECORD_TYPE ForestTrustType;
LARGE_INTEGER Time;
Time: The date and time when this entry was created. It is a 64-bit value that
represents the
number of 100-nanosecond intervals since January 1, 1601, UTC.
I presume this is just the whenCreated attribute on this record, but no link is
made.
However, I'm more puzzled by the 'Flags' - where does this come from (in terms
of LDAP attributes)?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: How is LSA_FOREST_TRUST_BINARY_DATA filled in?
Andrew,
Please disregard this email. Bill Wesse has sent you the correct case #.
Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: [EMAIL PROTECTED]
-Original Message-
From: Richard Guthrie
Sent: Monday, October 13, 2008 8:22 AM
To: 'Andrew Bartlett'
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: How is LSA_FOREST_TRUST_BINARY_DATA filled in?
Andrew,
Thank you for submitting this issue, an engineer will get back to you shortly.
We have created a case for tracking and the case number is SRX081013600063.
Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: [EMAIL PROTECTED]
-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Monday, October 13, 2008 3:55 AM
To: Interoperability Documentation Help
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: How is LSA_FOREST_TRUST_BINARY_DATA filled in?
In MS-LSAD 2.2.67 it indicates the following structure:
LSA_FOREST_TRUST_BINARY_DATA
The LSA_FOREST_TRUST_BINARY_DATA structure is used to communicate a forest
trust record.
typedef struct _LSA_FOREST_TRUST_BINARY_DATA {
unsigned long Length;
[size_is(Length)] unsigned char* Buffer;
} LSA_FOREST_TRUST_BINARY_DATA,
*PLSA_FOREST_TRUST_BINARY_DATA;
What fills in this binary structure? This is used in 2.2.69
LSA_FOREST_TRUST_RECORD.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] Status: SRX080811600226 ([MS-NRPC] 2.2.1.3.12 Trust Account Details) superceded by SRX081013600536: [MS-NRPC] operation backing store linkages
Good morning Andrew. Since the original comments and questions you raised in
SRX080811600226 about backup store linkages did not result in any material
updates to the documents, I have created SRX081013600536 for continuance (and
have closed SRX080811600226).
I am currently beginning a study of the MS-NRPC operation parameters, in order
to compile a cross reference list, which I will submit to development as a
well-annotated table, with back references to the operations sections. I am not
sure at this time which of the columns should be the independent column
(parameter or AD attribute). I would appreciate your input on this point, as
you undoubtedly have a better insight than I into document usage.
Sorry it took me this long to get to this point.
==
Question:
The MS-NRPC document does not specify the linkage to the backing store
for any of it's operations.
For example, the NetServerAuthenticate3 query talks only about client
computer accounts, but in 2.2.1.3.12 NETLOGON_SECURE_CHANNEL_TYPE,
interdomain trust accounts are described.
==
Response:
Some of this data is already described in the document. Section 3.1.1.
Abstract Data Model has entry for SharedSecret along with description
of where the data is stored.
Only as an obscure 'microsoft behaviour note'. This is not a minor detail of
protocol behaviour, and deserves to be referenced in a major table matching
protocol elements with their underlying backing store.
This table is what I want to see across all the protocols - as the
double-mapping between protocol structure elements, abstract data modals and
the occasional Microsoft behaviour notes detailing the backing store is a big
problem.
Similarly, because it is do dispersed, it is not possible for you to show
completeness in the mapping either.
Computer accounts are stored in AD under the CN=Computers and trusts
are stored in Trusted Domain Objects described in section 7.1.6.2 of
[MS-ADTS].
Please refer to our response (currently incomplete) concerning trust
backing store information against the other case we are working on for
you: SRX080731600024 [MS-ADTS] 7.1.6 Relationship between trusted
domain objects
==
Question:
It makes sense that these both refer to computer and domain trust
accounts found under cn=users, but this is not specified, nor are the
attributes used specified.
Similarly, the NetrSetPassword2 call sets a trust account password,
but the operation of this call - what LDAP/DRS visible attribute it
changes - are not specified.
==
Response:
This data is already described in the document. Section 3.1.1.
Abstract Data Model has entry for SharedSecret along with description
of where the data is stored.
Except changing a password does far more than simply change the value of
unicodePwd. This is the problem with the proxy via the abstract data modal -
it misses details.
==
Question:
Please start with these, but to also note that, the 3.5.4.5.2
NetrDatabaseSync{,2} calls need the same level of specification.
These are just examples - like in my request regarding LSA, can you
please clarify for the whole document which protocol buffers line up
with which objects and attributes in the underlying database.
==
Response:
Since this is RPC based protocol, there are no buffers to be
described. The only exception is the Netlogon SSP documentation, but
those are covered by the above two responses.
Please could you re-read and re-answer the question in a more broad light,
taking buffers as a synonym for perhaps RPC protocol structure elements? Thanks
Regards,
Bill Wesse
MCSE, MCTS / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: Microsoft Client tool expectatations
Andrew, I just want to check with you about the current status of the domain trust issue between Windows 2008 server and Samba4. I know that you have made significant progresses during Interop Lab Event. Please let me know whether I can close this case if you don't have any issue left. Thanks -- Hongwei Sun - Sr. Support Escalation Engineer DSC Protocol Team, Microsoft [EMAIL PROTECTED] Tel: 469-7757027 x 57027 --- -Original Message- From: Andrew Bartlett [mailto:[EMAIL PROTECTED] Sent: Monday, September 08, 2008 7:22 AM To: Interoperability Documentation Help Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Microsoft Client tool expectatations How do I determine what LDAP values a Microsoft client tool is expecting? For example, with the attached patch against current GIT, I cannot make windows 2008 join Samba4 as a 2-way, forest level trusted domain. It seems something is wrong with what we return to cn=partitions,cn=configuration, Similarly, against our current GIT tree, the Win2k3 admin pack on WinXP won't launch 'Active Directory Users and Computers' against Samba4. The error seems to be in response to our return value for the cn=aggregate schema. In both cases, I just have cryptic error messages. How can I determine what these tools are expecting? Attached please find network traces for both the 2008 server attempting to join the trust and a WinXP machine trying to open 'Active Directory Users and Computers'. (keytab to follow in private mail) The join fails with: 'unable to read the functional level of the forest' Cannot convert to/from the native DS datatype. The ADUC launch fails with: 'unspecified error'. (This used to work, before I 'fixed' some schema stuff). Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. ___ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
[cifs-protocol] RE: Microsoft Client tool expectatations
On Mon, 2008-10-13 at 12:29 -0700, Hongwei Sun wrote: Andrew, I just want to check with you about the current status of the domain trust issue between Windows 2008 server and Samba4. I know that you have made significant progresses during Interop Lab Event. Please let me know whether I can close this case if you don't have any issue left. I'll open new cases for any more issues we find. Lots of things got fixed with the work at the IO lab. I'm raising new issues for the questions I have (as it fails on an RPC op that we don't implement) once we got past this point. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. signature.asc Description: This is a digitally signed message part ___ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
