[cifs-protocol] [REG:111080976529107] RE: Behavior explanation on subtree delete control behavior with iscriticalsystemobject

2011-08-19 Thread Hongwei Sun
Matthieu,

   I finished the investigation on this behavior.  As per MS-ADTS 3.1.5.5.7.2, 
when a tree deletion is performed, every object in the tree will be checked 
to see if it has isCriticalSystemObject set to TRUE, including the root node on 
which the delete operation is performed.  But there is an exception if the 
root object is a SAM-specific object (3.1.1.5.2.3 MS-ADTS).  Its deletion is 
done through the SAM manager and the isCriticalSystemObject attribute is not checked.
The root node of the tree delete in your case is CN=ARES,OU=Domain 
Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net, which is a SAM object with the 
user class.  Therefore the tree deletion is performed without any error.

  I performed another test in which I tried to do a tree delete on an object 
with isCriticalSystemObject set to TRUE, but the object itself is not a SAM 
object, and I received an error as expected.  The object I tried to delete is 
cn=ForeignSecurityPricipals, DC=Contoso,DC=com

  I will file a request for this behavior to be documented in the tree-deletion 
constraints section (3.1.1.5.5.7.2 MS-ADTS).


Thanks!

Hongwei


-Original Message-
From: Matthieu Patou [mailto:m...@samba.org] 
Sent: Friday, August 12, 2011 4:19 PM
To: Hongwei Sun
Cc: p...@tridgell.net; cifs-proto...@samba.org
Subject: Re: Behavior explanation on subtree delete control behavior with 
iscriticalsystemobject

On 12/08/2011 07:56, Hongwei Sun wrote:
> Hi, Matthieu,
>
>    I have trouble decrypting the LDAP packets in the trace.  Have you used 
> Wireshark to do that?
Yes, with the keytab provided you do

wireshark -K path_to_keytab trace.pcap

Wireshark must be configured to decrypt krb5 blobs (see 
https://wiki.samba.org/index.php/Wireshark_Keytab).

>   Did packet 1848 define a delete operation on record #1 with 
> LDAP_SERVER_TREE_DELETE_OID specified? Have you checked that both records 
> are not in the AD any more after the tree deletion?
Yes, check the attached screenshot.

And yes, all the objects are removed.


I've the feeling that the isCriticalObject rule applies only to the sub-objects, 
that is to say if CN=foo,CN=bar,DC=domain,DC=tld has isCriticalObject then 
if I try to use the subtree delete on CN=bar,DC=domain,DC=tld it should fail. But if 
the isCriticalObject is only on CN=bar,DC=domain,DC=tld then the use of the 
deltree is permitted.

Matthieu.

> Thanks!
>
> Hongwei
>
>
> -Original Message-
> From: Matthieu Patou [mailto:m...@samba.org]
> Sent: Tuesday, August 09, 2011 4:08 PM
> To: Interoperability Documentation Help; p...@tridgell.net; 
> cifs-proto...@samba.org
> Subject: Behavior explanation on subtree delete control behavior with 
> iscriticalsystemobject
>
> Hello,
>
> I found an interesting problem.
>
> In MS-ADTS it is said:
>
> 3.1.1.5.5.7.2 Tree-delete Constraints
>   All regular delete operation constraints apply on each object being deleted.
>   The tree-delete operation may not be applied to an NC root.
>   Objects with isCriticalSystemObject attribute equal to true may not be 
> deleted by the tree-delete operation (this also applies to objects in the 
> subtree being deleted).
> This constraint is checked
> object-by-object, and deletion stops if some deletion would violate this 
> constraint. Because, as explained in the next section, deleted objects never 
> have children, the result after deletion stops due to this constraint is a 
> tree. The resultant tree may not be the same as the original tree because 
> some objects may have been deleted prior to the failure.
>
> My understanding is that if you try to delete an object that has the 
> isCriticalSystemObject attribute set to TRUE, or one of the objects below it 
> in its tree does, then the operation should fail.
>
> Did I get the meaning right?
>
> If so, can you explain to me how, with this configuration:
>
> ./bin/ldbsearch -H ldap://172.16.100.27 -U administrator%totoTATA321 -b 
> "CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net"
> isCriticalSystemObject
> # record 1
> dn: CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net
> isCriticalSystemObject: TRUE
>
> # record 2
> dn: CN=RID Set,CN=ARES,OU=Domain
> Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net
>
> The delete with subtree control on the following trace at packet 1848 is 
> working.
>
> Thanks.
>
> Matthieu.
>
> --
> Matthieu Patou
> Samba Team   http://samba.org
> Private repo  http://git.samba.org/?p=mat/samba.git;a=summary
>
>


--
Matthieu Patou
Samba Team   http://samba.org
Private repo  http://git.samba.org/?p=mat/samba.git;a=summary


___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol


Re: [cifs-protocol] [REG:111080976529107] RE: Behavior explanation on subtree delete control behavior with iscriticalsystemobject

2011-08-20 Thread Matthieu Patou

Hi Hongwei,

I'm not sure I have understood 100%; please allow me to try to reformulate.

So the basic rule for isCriticalSystemObject is correct when you use the 
subtree delete control, but if the object has one of its objectClasses in 
the SAM-specific object list (3.1.1.5.2.3) then isCriticalSystemObject 
is not checked. Am I right? Or are there more constraints to check?


Matthieu.


Re: [cifs-protocol] [REG:111080976529107] RE: Behavior explanation on subtree delete control behavior with iscriticalsystemobject

2011-08-22 Thread Hongwei Sun
Matthieu,

   Yes, you are right.  Additionally, just as documented in 3.1.1.5.5.5 
MS-ADTS, if the object being deleted is a SAM-specific object, additional 
constraints will apply as per MS-SAMR 3.1.5.7.

Thanks!

Hongwei


Re: [cifs-protocol] [REG:111080976529107] RE: Behavior explanation on subtree delete control behavior with iscriticalsystemobject

2011-11-14 Thread Matthieu Patou

Hello Hongwei,

Sorry for bringing up an old thread.

On 22/08/2011 18:52, Hongwei Sun wrote:
> Matthieu,
>
> Yes, you are right.  Additionally, just as documented in 3.1.1.5.5.5 
> MS-ADTS, if the object being deleted is a SAM-specific object, additional 
> constraints will apply as per MS-SAMR 3.1.5.7.

In the ADTS it seems to be [MS-SAMR] section 3.1.1.6.

And if I look at 3.1.1.6 it seems that there is no additional constraint 
for the delete (it's all about updates).


Matthieu.




Re: [cifs-protocol] [REG:111080976529107] RE: Behavior explanation on subtree delete control behavior with iscriticalsystemobject

2011-11-15 Thread Matthieu Patou

Hongwei,

I also noticed that the paragraph 3.1.5.5.7.2 didn't mention this in the 
current version of MS-ADTS that I downloaded today.


Will this information be added to the document?

Thanks.

Matthieu.


Re: [cifs-protocol] [REG:111080976529107] RE: Behavior explanation on subtree delete control behavior with iscriticalsystemobject

2011-11-15 Thread Hongwei Sun
Matthieu,

  The following change has been made to section 3.1.5.5.7.2 of MS-ADTS.  It 
will appear in the next public release of MS-ADTS on MSDN.

Section 3.1.1.5.5.7.2 (Tree-delete Constraints)
-- The second bullet, which has been changed as follows:
Before:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Objects with isCriticalSystemObject attribute equal to true may not be deleted 
by the tree-delete operation (this also applies to objects in the subtree being 
deleted). This constraint is checked object-by-object, and deletion stops if 
some deletion would violate this constraint. Because, as explained in the next 
section, deleted objects never have children, the result after deletion stops 
due to this constraint is a tree. The resultant tree may not be the same as the 
original tree because some objects may have been deleted prior to the failure.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
After:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Objects with the isCriticalSystemObject attribute equal to true and which are 
not SAM-specific objects (as defined by section 3.1.1.5.2.3) cannot be deleted 
by the tree-delete operation. This constraint is checked object-by-object, and 
deletion stops at the first deletion attempt that violates the constraint. If 
deletion stops, the resultant tree might not be the same as the original tree 
because some objects might have been deleted prior to the failure.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thanks!

Hongwei
  

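The rule the thread converges on (the "After" text of the documented change, together with Hongwei's explanation that the check runs object by object and that a SAM-specific root is exempt) is easier to reason about as a small model. The following Python is an added example for this thread; it is not code from the thread, from Samba or from Microsoft. It simulates an LDAP delete carrying LDAP_SERVER_TREE_DELETE_OID over an in-memory tree. The SAM_SPECIFIC_CLASSES set is an assumed subset of the MS-ADTS 3.1.1.5.2.3 list, the sample DNs are constructed (two are taken from the thread, the ForeignSecurityPrincipals child and the CN=baz sibling are invented), and the additional MS-SAMR constraints on SAM-specific objects are deliberately not modelled.

```python
"""Model of the MS-ADTS tree-delete constraint on isCriticalSystemObject.

Added example, not code from the thread, Samba or Microsoft. Rule modelled:
objects with isCriticalSystemObject=TRUE that are not SAM-specific cannot be
deleted by a tree delete; the check runs object by object (children before
their parent), and deletion stops at the first violation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed subset of the SAM-specific object classes of MS-ADTS 3.1.1.5.2.3;
# the spec holds the authoritative list.
SAM_SPECIFIC_CLASSES = {"user", "computer", "group"}


@dataclass
class DirObject:
    dn: str
    object_classes: List[str]
    is_critical_system_object: bool = False
    is_nc_root: bool = False
    children: List["DirObject"] = field(default_factory=list)

    def is_sam_specific(self) -> bool:
        return any(cls in SAM_SPECIFIC_CLASSES for cls in self.object_classes)


def check_delete_constraint(obj: DirObject) -> Optional[str]:
    """Tree-delete constraint for one object; None means it may be deleted."""
    if obj.is_critical_system_object and not obj.is_sam_specific():
        return (f"cannot delete {obj.dn}: isCriticalSystemObject=TRUE "
                f"and not a SAM-specific object")
    return None


def tree_delete(root: DirObject) -> Tuple[List[str], Optional[str]]:
    """Simulate a tree delete rooted at `root`.

    Returns (DNs deleted, in deletion order; error message or None). Each
    subtree is removed before its parent is checked (deleted objects never
    have children), so whatever remains after a failure is still a tree.
    """
    if root.is_nc_root:
        return [], f"cannot tree-delete {root.dn}: it is an NC root"
    deleted: List[str] = []

    def visit(obj: DirObject) -> Optional[str]:
        for child in obj.children:
            err = visit(child)
            if err is not None:
                return err  # stop at the first violation
        err = check_delete_constraint(obj)
        if err is not None:
            return err
        deleted.append(obj.dn)
        return None

    return deleted, visit(root)


def remaining_dns(root: DirObject, deleted: List[str]) -> List[str]:
    """DNs still present after a (possibly partial) tree delete."""
    gone = set(deleted)
    out: List[str] = []

    def walk(obj: DirObject) -> None:
        if obj.dn not in gone:
            out.append(obj.dn)
        for child in obj.children:
            walk(child)

    walk(root)
    return out


# Constructed sample trees: ARES and RID Set come from the thread, the rest
# are invented for this example.
DC_BASE = "OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net"
ARES_DN = f"CN=ARES,{DC_BASE}"
RID_SET_DN = f"CN=RID Set,{ARES_DN}"
FSP_DN = "CN=ForeignSecurityPrincipals,DC=contoso,DC=com"
FSP_CHILD_DN = f"CN=S-1-5-11,{FSP_DN}"


def domain_controller_case() -> DirObject:
    """Matthieu's case: root is critical but SAM-specific (user/computer)."""
    rid_set = DirObject(RID_SET_DN, ["top", "rIDSet"])
    return DirObject(ARES_DN, ["top", "person", "user", "computer"],
                     is_critical_system_object=True, children=[rid_set])


def foreign_security_principals_case() -> DirObject:
    """Hongwei's second test: a critical root that is not SAM-specific."""
    child = DirObject(FSP_CHILD_DN, ["top", "foreignSecurityPrincipal"])
    return DirObject(FSP_DN, ["top", "container"],
                     is_critical_system_object=True, children=[child])


def nested_critical_case() -> DirObject:
    """Matthieu's hypothesis: critical CN=foo under a non-critical CN=bar."""
    foo = DirObject("CN=foo,CN=bar,DC=domain,DC=tld", ["top", "container"],
                    is_critical_system_object=True)
    baz = DirObject("CN=baz,CN=bar,DC=domain,DC=tld", ["top", "container"])
    return DirObject("CN=bar,DC=domain,DC=tld", ["top", "container"],
                     children=[foo, baz])


if __name__ == "__main__":
    for case in (domain_controller_case, foreign_security_principals_case,
                 nested_critical_case):
        root = case()
        deleted, err = tree_delete(root)
        print(case.__name__, "->", "ok" if err is None else err)
        print("  deleted:  ", deleted)
        print("  remaining:", remaining_dns(root, deleted))
```

Running it shows the three outcomes discussed in the thread: the domain-controller subtree is removed entirely (RID Set first, then ARES, whose critical flag is ignored because it carries a SAM-specific class); the ForeignSecurityPrincipals tree loses its child and then stops at the critical, non-SAM root, leaving a one-node tree; and the CN=bar case fails at CN=foo before anything is deleted, because foo is visited first and has no children. Whether a critical object's siblings survive therefore depends on traversal order, which is exactly why the spec says the resultant tree "might not be the same as the original tree".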