Andrew,

Most of the issues mentioned in your mail have been fixed in the latest
released MS-ADSC or MS-ADA3. The following is a summary.

1. cn: Computer - Schema pulled from Windows 2008R2 shows two additional
attributes for systemMayContain msTSSecondaryDesktopBL, msTSPrimaryDesktopBL.
2.21 of MS-ADSC has been updated to include msTSSecondaryDesktopBL and
msTSPrimaryDesktopBL in systemMayContain.

2. cn: Domain-DNS - defaultSecurityDescriptor in does not match the schema
pulled from Windows 2008R2
2.42 of MS-ADSC (Class domainDNS) has been updated to include the correct
defaultSecurityDescriptor as follows.
defaultSecurityDescriptor: D:
(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)(A;;RP;;;WD)
(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)
(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)
(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)
(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)
(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)
(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)
(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)
(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)
(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)
(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
(A;;RPRC;;;RU)
(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)
(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)
(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
bf967aba-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
bf967a86-0de6-11d0-a285-00aa003049e2;ED)
(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)
(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)
(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)
(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)
(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)
(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)
(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)
(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)
(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)
(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)
(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)
(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

3. cn: inetOrgPerson - defaultSecurityDescriptor does not match the schema
pulled from Windows 2008R2
This was not reproducible and Richard indicated in the case that he
probably made a mistake doing analysis, so there is no action needed for this
item.

4. cn: Object-Class - searchFlags do not match the schema pulled from
Windows 2008R2
2.39 of MS-ADA3 has been updated to include the correct SearchFlags.
searchFlags: fATTINDEX | fPRESERVEONDELETE

5. cn: Sam-Domain - defaultSecurityDescriptor does not match the schema
pulled from Windows 2008R2
2.208 of MS-ADSC (Class samDomain) has been updated with the correct
defaultSecurityDescriptor as follows.
defaultSecurityDescriptor: D:
(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;RO)(A;;RP;;;WD)
(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)
(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)
(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)
(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)
(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)
(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)
(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)
(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)
(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)
(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)
(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
(A;;RPRC;;;RU)(OA;CIIO;RPLCLORC;;
bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)
(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;
4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)
(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)
(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)
(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
bf967aba-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;
bf967a86-0de6-11d0-a285-00aa003049e2;ED)
(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)
(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)
(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)
(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)
(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)
(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)
(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)
(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)
(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)
(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)
(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)
(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;
bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;
bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

6. cn: Schema - This attribute may be missing from the schema documentation.
It shows up in the Windows 2008R2 schema so it is being investigated.
The Schema object is not a schema attribute definition, but rather a
container which is the root of the schema naming context. Please refer to the
Schema NC description in section 7.1.1.1.3 of MS-ADTS. This issue is closed
with no action needed.

7. cn: Top - There appears to be a discrepancy with the generated Windows
2008R2 schema and the documented schema for systemMayContain attribute.
2.230 of MS-ADSC has been updated for systemMayContain attribute. The
changes include (1) We deleted msTSPrimaryDesktopBL and
msTSSecondaryDesktopsBL. (2) We corrected the name for isRecycled. The
systemMayContain is documented as follows:
systemMayContain: msDS-EnabledFeatureBL, msDS-LastKnownRDN,
msDS-HostServiceAccountBL,
msDS-OIDToGroupLinkBl, msDS-LocalEffectiveRecycleTime,
msDS-LocalEffectiveDeletionTime, isRecycled, msDS-NcType,
msDS-PSOApplied, msDS-PrincipalName,
msDS-RevealedListBL, msDS-AuthenticatedToAccountlist,
msDS-IsPartialReplicaFor, msDS-IsDomainFor, msDS-IsFullReplicaFor,
msDS-RevealedDSAs, msDS-KrbTgtLinkBl, url, wWWHomePage, whenCreated,
whenChanged, wellKnownObjects, wbemPath, uSNSource, uSNLastObjRem,
USNIntersite, uSNDSALastObjRemoved, uSNCreated, uSNChanged,
systemFlags, subSchemaSubEntry, subRefs, structuralObjectClass,
siteObjectBL, serverReferenceBL, sDRightsEffective, revision,
repsTo, repsFrom, directReports, replUpToDateVector,
replPropertyMetaData, name, queryPolicyBL, proxyAddresses,
proxiedObjectName, possibleInferiors, partialAttributeSet,
partialAttributeDeletionList, otherWellKnownObjects, objectVersion,
objectGUID, distinguishedName, nonSecurityMemberBL, netbootSCPBL,
ownerBL, msDS-ReplValueMetaData, msDS-ReplAttributeMetaData,
msDS-NonMembersBL, msDS-NCReplOutboundNeighbors,
msDS-NCReplInboundNeighbors, msDS-NCReplCursors,
msDS-TasksForAzRoleBL, msDS-TasksForAzTaskBL,
msDS-OperationsForAzRoleBL, msDS-OperationsForAzTaskBL,
msDS-MembersForAzRoleBL, msDs-masteredBy, mS-DS-ConsistencyGuid,
mS-DS-ConsistencyChildCount, msDS-Approx-Immed-Subordinates,
msCOM-PartitionSetLink, msCOM-UserLink, modifyTimeStamp, masteredBy,
managedObjects, lastKnownParent, isPrivilegeHolder, memberOf,
isDeleted, isCriticalSystemObject, showInAdvancedViewOnly,
fSMORoleOwner, fRSMemberReferenceBL, frsComputerReferenceBL,
fromEntry, flags, extensionName, dSASignature,
dSCorePropagationData, displayNamePrintable, displayName,
description, createTimeStamp, cn, canonicalName,
bridgeheadServerListBL, allowedChildClassesEffective,
allowedChildClasses, allowedAttributesEffective, allowedAttributes,
adminDisplayName, adminDescription, msDS-NC-RO-Replica-Locations-BL

The schema of Windows 2008 R2 we sent you on 04/24/2009 doesn't
incorporate the above changes. I will work on it. We do have tools/scripts to
create and validate the schema.

Thanks!
Hongwei

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Thursday, January 07, 2010 10:11 PM
To: Interoperability Documentation Help
Cc: [email protected]; [email protected]; Andrew Tridgell
Subject: Re: [cifs-protocol] FW: FW: Inconsistencies in ad-schema docs and text files SRX090109601490
On Fri, 2009-04-24 at 09:07 -0700, Richard Guthrie wrote:
> Andrew:
>
> Attached are schema files for Windows 2008 and Windows 2008R2/Windows 7. The
> Windows 2008 schema should not have any issues based upon initial validation
> against the Windows 2008 schema. The release notes for the Windows
> 2008R2/Windows 7 schema are as follows (All issues are under investigation at
> this time):
>
> 1. cn: Computer - Schema pulled from Windows 2008R2 shows two additional
> attributes for systemMayContain msTSSecondaryDesktopBL, msTSPrimaryDesktopBL.
> These are not present in the latest documentation for this attribute.
> 2. cn: Domain-DNS - defaultSecurityDescriptor in does not match the schema
> pulled from Windows 2008R2
> 3. cn: inetOrgPerson - defaultSecurityDescriptor does not match the schema
> pulled from Windows 2008R2
> 4. cn: Object-Class - searchFlags do not match the schema pulled from
> Windows 2008R2
> 5. cn: Sam-Domain - defaultSecurityDescriptor does not match the schema
> pulled from Windows 2008R2
> 6. cn: Schema - This attribute may be missing from the schema documentation.
> It shows up in the Windows 2008R2 schema so it is being investigated.
> 7. cn: Top - There appears to be a discrepancy with the generated Windows
> 2008R2 schema and the documented schema for systemMayContain attribute.

Dear Dochelp,
Did anyone ever solve these, and can I get a correct file for the final release
of Windows 2008 R2? Do you have a script to validate these?
We are finding far more errors than just the above (diff to follow shortly), as
it seems these files are still generated by hand (why?!?)
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
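
The thread asks for a script to validate documented defaultSecurityDescriptor values against a schema pulled from a server. The following is an added example, not code from Samba, Microsoft or either correspondent: it normalises two SDDL strings and reports ACEs present on only one side. It assumes descriptors with only D: and S: sections and six-field ACEs using two-letter flag and right codes, as in this message; the function names are hypothetical and the sample strings are constructed from ACEs quoted above.

```python
import re

ACE_RE = re.compile(r"\(([^()]*)\)")
# Assumption: only DACL (D:) and SACL (S:) sections, no owner/group, no ACL flags.
ACL_RE = re.compile(r"([DS]):((?:\([^()]*\))*)")

def _codes(s):
    """Split 'RPLCLORC' into {'RP','LC','LO','RC'} so code order is ignored."""
    return frozenset(s[i:i + 2] for i in range(0, len(s), 2))

def _norm_ace(body):
    fields = body.split(";")
    if len(fields) != 6:  # conditional/resource ACEs are out of scope here
        raise ValueError(f"unsupported ACE: ({body})")
    typ, flags, rights, obj, inherit_obj, trustee = fields
    # GUID case differs between documents (4828CC14... vs bf967aba...).
    return (typ, _codes(flags), _codes(rights),
            obj.lower(), inherit_obj.lower(), trustee)

def parse_sddl(sddl):
    """Return {'D': [ace, ...], 'S': [ace, ...]} of normalised ACE tuples."""
    text = re.sub(r"\s+", "", sddl)  # published values wrap mid-ACE
    acls = {"D": [], "S": []}
    for m in ACL_RE.finditer(text):
        acls[m.group(1)] += [_norm_ace(b) for b in ACE_RE.findall(m.group(2))]
    return acls

def diff_sddl(documented, observed):
    """Per ACL: (ACEs only in documented, ACEs only in observed).
    Membership only; ACE ordering is not compared."""
    doc, obs = parse_sddl(documented), parse_sddl(observed)
    return {acl: ([a for a in doc[acl] if a not in obs[acl]],
                  [a for a in obs[acl] if a not in doc[acl]])
            for acl in ("D", "S")}

# Constructed samples built from ACEs that appear in the message above.
DOCUMENTED = ("D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
              "(A;;LCRPLORC;;;ED)"
              "(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)"
              "S:(AU;SA;CR;;;BA)")
OBSERVED = """D:(A;;RP;;;WD)
(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(A;;RPLCLORC;;;ED)
(OA;CIIO;RPLCLORC;;
4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)
S:(AU;SA;CR;;;BA)"""

if __name__ == "__main__":
    for acl, (only_doc, only_obs) in diff_sddl(DOCUMENTED, OBSERVED).items():
        print(acl, "only documented:", only_doc, "only observed:", only_obs)
```

Line wrapping, GUID case and the order of right codes inside an ACE are treated as equivalent, so only real ACE additions or removals are reported.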