P.S. In the links you sent me, http://msdn.microsoft.com/en-us/library/cc223323(PROT.13).aspx add is mentioned as well: "It is also used with LDAP Add and Modify requests to control the portion of a Windows security descriptor to modify. The DC modifies only the specified portion of the security descriptor."
Perhaps my test is wrong? I create an OU, providing a descriptor that has OwnerSid, GroupSid, Sacl and Dacl, and the OWNER_SECURITY_INFORMATION flag raised in the control. I read back the descriptor of the OU. I expect that the ACEs provided in the Sacl and Dacl will not be part of the OU's descriptor, and the GroupSid will be the default. However, all 4 fields contain the data provided with the add request. The same test worked great for the modify request.

I hope this info helps.

Regards,
Nadya

----- Original Message -----
> From: [email protected] <[email protected]>
> To: [email protected] <[email protected]>, Nadezhda Ivanova <[email protected]>
> Cc: [email protected] <[email protected]>
> Sent: Thursday, November 19, 2009 11:30:59 PM GMT+0200 Europe;Athens
> Subject: Re: [cifs-protocol] Need some help with LDAP_SERVER_SD_FLAGS_OID control (SRX091119600169)
>
> Hi Bill,
> It's definitely not just used for searches. Some management tools such as Active Directory Users and Computers send this control along with a modify request - we have a bug about this in bugzilla:
> https://bugzilla.samba.org/show_bug.cgi?id=6401
> I have proven with tests that in modify requests the control is taken into account, and only the specified parts of the descriptor are modified. I have already implemented it for the modify request. However, I cannot implement it for the add request until I know if there is actually anything to be done for add, and if there is, how it should work. My tests have shown no effect for add requests, but since it is mentioned in the MS-ADTS, I thought maybe I am missing something. So, this only blocks my progress if there is something to be done for the add request, otherwise, it does not. It is not very urgent, though, it can wait a bit if you have other priorities.
>
> Regards,
> Nadya
>
> ----- Original Message -----
> > From: Bill Wesse <[email protected]>
> > To: Nadezhda Ivanova <[email protected]>
> > Cc: [email protected] <[email protected]>
> > Sent: Thursday, November 19, 2009 10:23:06 PM GMT+0200 Europe;Athens
> > Subject: RE: Need some help with LDAP_SERVER_SD_FLAGS_OID control (SRX091119600169)
> >
> > Nadya - I don't think the LDAP_SERVER_SD_FLAGS_OID control should have any effect during an add operation, since the flags for the control indicate which security descriptor parts to retrieve during a search, which should explain why LDAP_UNAVAILABLE_CRIT_EXTENSION is not being returned (assuming the add succeeded).
> >
> > I have filed a TDI to obtain authoritative information concerning this, and will update you with results as they develop.
> >
> > Could you advise me concerning how much this impacts progress on your implementation?
> >
> > References:
> >
> > [MS-ADTS] 3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID
> > http://msdn.microsoft.com/en-us/library/cc223323(PROT.13).aspx
> >
> > The LDAP_SERVER_SD_FLAGS_OID control is used with an LDAP Search request to control the portion of a Windows Security Descriptor to retrieve.
> >
> > LDAP_SERVER_SD_FLAGS_OID Control Code
> > http://msdn.microsoft.com/en-us/library/aa366987(VS.85).aspx
> >
> > The security information flags indicate which security descriptor parts to retrieve during a search.
> >
> > Regards,
> > Bill Wesse
> > MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> > 8055 Microsoft Way
> > Charlotte, NC 28273
> > TEL: +1(980) 776-8200
> > CELL: +1(704) 661-5438
> > FAX: +1(704) 665-9606
> >
> > -----Original Message-----
> > From: Bill Wesse
> > Sent: Thursday, November 19, 2009 2:07 PM
> > To: 'Nadezhda Ivanova'
> > Cc: [email protected]
> > Subject: RE: Need some help with LDAP_SERVER_SD_FLAGS_OID control (SRX091119600169)
> >
> > Hi Nadya - I will be your contact for this one. Here is the case number:
> >
> > SRX091119600169: [MS-ADTS] 7.1.3.2 LDAP_SERVER_SD_FLAGS_OID
> >
> > I will begin my investigation today!
> >
> > Regards,
> > Bill Wesse
> > MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> > 8055 Microsoft Way
> > Charlotte, NC 28273
> > TEL: +1(980) 776-8200
> > CELL: +1(704) 661-5438
> > FAX: +1(704) 665-9606
> >
> > -----Original Message-----
> > From: Nadezhda Ivanova [mailto:[email protected]]
> > Sent: Thursday, November 19, 2009 12:34 PM
> > To: Interoperability Documentation Help
> > Cc: [email protected]
> > Subject: Need some help with LDAP_SERVER_SD_FLAGS_OID control
> >
> > Hello,
> > I have been working on the implementation of LDAP_SERVER_SD_FLAGS_OID in Samba, and I have a question. Is this control relevant for an LDAP add request? I have been testing against Win2008. Adding this control to the request does not seem to have any effect. When I set it to Critical, I do not get LDAP_UNAVAILABLE_CRIT_EXTENSION, as described in http://msdn.microsoft.com/en-us/library/aa367025%28VS.85%29.aspx
> > At the same time, in MS-ADTS, section 7.1.3.2 SD Flags Control, it says:
> > "When performing an LDAP operation (add, modify or search), the client may supply an SD flags control LDAP_SERVER_SD_FLAGS_OID with the operation."
> >
> > So, if the control is valid for an LDAP add, what should be the behavior?
> >
> > Best Regards,
> > Nadezhda Ivanova
> _______________________________________________
> cifs-protocol mailing list
> [email protected]
> https://lists.samba.org/mailman/listinfo/cifs-protocol
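
An added illustration, not part of the thread and not Samba's code: the BER control value carried by LDAP_SERVER_SD_FLAGS_OID (`SEQUENCE { Flags INTEGER }`) and the modify-time behaviour reported above, where only the flagged parts of the stored descriptor are replaced. The dict-based descriptor, the function names and the sample values are assumptions made for the example; the add case the thread leaves open is not modelled, and neither is handling of a zero mask.

```python
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"

# Flag bit -> descriptor part it selects. The dict-based descriptor used
# below is a simplification for illustration, not the binary SD format.
SD_PARTS = {
    0x1: "owner_sid",   # OWNER_SECURITY_INFORMATION
    0x2: "group_sid",   # GROUP_SECURITY_INFORMATION
    0x4: "dacl",        # DACL_SECURITY_INFORMATION
    0x8: "sacl",        # SACL_SECURITY_INFORMATION
}
ALL_PARTS = 0xF


def encode_sd_flags(flags: int) -> bytes:
    """BER-encode the control value, SEQUENCE { Flags INTEGER }."""
    if not 0 <= flags <= ALL_PARTS:
        raise ValueError("only the four low-order bits are defined")
    return bytes([0x30, 0x03, 0x02, 0x01, flags])


def decode_sd_flags(value: bytes) -> int:
    """Parse the control value, rejecting anything but SEQUENCE { INTEGER }."""
    if len(value) < 5 or value[0] != 0x30 or value[1] != len(value) - 2:
        raise ValueError("not a short-form BER SEQUENCE")
    if value[2] != 0x02 or value[3] != len(value) - 4:
        raise ValueError("SEQUENCE does not hold a single INTEGER")
    return int.from_bytes(value[4:], "big") & ALL_PARTS


def apply_modify(stored: dict, supplied: dict, flags: int) -> dict:
    """Replace only the flagged parts of the stored descriptor."""
    merged = dict(stored)
    for bit, part in SD_PARTS.items():
        if flags & bit:
            merged[part] = supplied[part]
    return merged


# Constructed sample values standing in for real SIDs and ACLs.
STORED = {"owner_sid": "owner-A", "group_sid": "group-A",
          "dacl": "dacl-A", "sacl": "sacl-A"}
SUPPLIED = {"owner_sid": "owner-B", "group_sid": "group-B",
            "dacl": "dacl-B", "sacl": "sacl-B"}

if __name__ == "__main__":
    wire = encode_sd_flags(0x1)          # OWNER_SECURITY_INFORMATION only
    print(wire.hex(), apply_modify(STORED, SUPPLIED, decode_sd_flags(wire)))
```
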
