Matthias,

  Following up on this documentation update, I attached the changes made to the 
MS-ADTS and MS-DRSR.

BEFORE ---
3.1.1.3.2.41   tokenGroups
Returns the SIDs contained in the security context as which the client has 
authenticated the LDAP connection. See section 5.1.3.

AFTER ---
3.1.1.3.2.41   tokenGroups
Returns the SIDs contained in the security context as which the client has 
authenticated the LDAP connection. Refer to section 5.1.3 for details on LDAP 
Authorization. Refer to section 3.1.1.4.5.19 for details on the algorithm used 
to compute this attribute.

BEFORE ---
3.1.1.4.9.6   DomainOf
procedure DomainOf(o: DSName): DSName
This procedure returns the DSName of the domain NC to which the given DSName o 
belongs. It returns null upon failure.

3.1.1.4.9.7   GetDSNameFromPrimaryGroupId
procedure GetDSNameFromPrimaryGroupId(rid: Rid): DSName
This procedure constructs a SID s consisting of the domain SID of the DC's 
default domain and the given relative identifier (RID) rid, and returns the 
DSName of the object o for which o!objectSid = s. If no such object o exists, 
then this procedure will return null.

AFTER ---
3.1.1.4.9.6   DomainOf
procedure DomainOf(o: DSName): DSName
This procedure returns the DSName of the domain NC to which the given DSName o 
belongs. It returns null upon failure.

<content added> 
3.1.1.4.9.7   GetDSNameOfEnterpriseRODCsGroup
procedure GetDSNameOfEnterpriseReadonlyDomainControllerGroup(): DSName
This procedure constructs a SID s consisting of the domain SID of the root 
domain and the relative identifier (RID) of the Enterprise Read-only Domain 
Controllers Group (as defined in section 7.1.1.6.14), and returns the DSName of 
the object o for which o!objectSid = s. If no such object o exists, this 
procedure returns null.

3.1.1.4.9.8   GetDSNameFromPrimaryGroupId
procedure GetDSNameFromPrimaryGroupId(rid: Rid): DSName
This procedure constructs a SID s consisting of the domain SID of the DC's 
default domain and the given relative identifier (RID) rid, and returns the 
DSName of the object o for which o!objectSid = s. If no such object o exists, 
then this procedure will return null.


BEFORE ---
3.1.1.4.9.10   GetMemberships Method
. . . 
In the following pseudocode, the SID type is specified in [MS-DRDM] section 
5.126, the IsGC procedure is specified in [MS-DRDM] section 5.67, and the 
DefaultNC procedure is specified in [MS-DRDM] section 5.20.
. . . 
/* Get the initial result set from the graph. */
wSet := {}
for i := 0 to msgIn.ppDsNames.cDsNames - 1
  u := msgIn.ppDsNames[i]
  if u in vSet then
    /* Get the subgraph by applying the predicate IsMatchedGroup
     * on each element in the vertex set, plus u itself. */
    uSet := {u} + select all v from vSet where 
         IsMatchedGroup(v, op, msgIn.pLimitingDomain^)
    if transitive then
      wSet := wSet + (Closure(uSet, aSet, u) - {u})
    else
      wSet := wSet + (Neighbors(uSet, aSet, u) - {u})
    endif
  endif
endfor
. . . 

AFTER ---
3.1.1.4.9.11   GetMemberships Method
. . .
In the following pseudocode, the ADS_UF_WORKSTATION_TRUST_ACCOUNT and 
ADS_UF_PARTIAL_SECRETS_ACCOUNT flags are specified in section 2.2.15, the 
userAccountControl attribute is specified in [MS-ADA3] section 2.341, the SID 
type is specified in [MS-DRDM] section 5.126, the IsGC procedure is specified 
in [MS-DRDM] section 5.67, and the DefaultNC procedure is specified in 
[MS-DRDM] section 5.20.
. . . 
/* Get the initial result set from the graph. */
wSet := {}
for i := 0 to msgIn.ppDsNames.cDsNames - 1
  u := msgIn.ppDsNames[i]
  if u in vSet then
    /* Get the subgraph by applying the predicate IsMatchedGroup
     * on each element in the vertex set, plus u itself. */
    uSet := {u} + select all v from vSet where 
         IsMatchedGroup(v, op, msgIn.pLimitingDomain^)
    if transitive then
      wSet := wSet + (Closure(uSet, aSet, u) - {u})
    else
      wSet := wSet + (Neighbors(uSet, aSet, u) - {u})
    endif
    if (u!userAccountControl & ADS_UF_WORKSTATION_TRUST_ACCOUNT =
           ADS_UF_WORKSTATION_TRUST_ACCOUNT) or
       (u!userAccountControl & ADS_UF_PARTIAL_SECRETS_ACCOUNT =
           ADS_UF_PARTIAL_SECRETS_ACCOUNT) then
      wSet := wSet + GetDSNameOfEnterpriseRODCsGroup()
    endif
  endif
endfor
. . .

Thanks!

Hongwei

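The GetMemberships step quoted above, modelled in Python as an added example (not code from the mail, MS-ADTS or Samba): a constructed directory graph, the transitive Closure step, and the new Enterprise RODC rule. The userAccountControl flag values and the RID 498 of the Enterprise Read-only Domain Controllers group are the public well-known constants, not taken from the mail; the pLimitingDomain/IsMatchedGroup filter is omitted and object names stand in for DSNames.

```python
from dataclasses import dataclass, field

# userAccountControl flags (MS-ADTS section 2.2.15); public well-known values.
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
ADS_UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000
# Well-known RID of the Enterprise Read-only Domain Controllers group, rooted
# in the forest root domain SID (public constant, not quoted in the mail).
ENTERPRISE_RODCS_RID = 498
ROOT_DOMAIN_SID = "S-1-5-21-1-1-1"  # constructed forest root domain SID


@dataclass
class DSObject:
    """Stand-in for a directory object: objectSid, flags and direct memberOf."""
    sid: str
    user_account_control: int = 0
    member_of: set = field(default_factory=set)  # direct group DSNames


# Constructed directory: vertices (vSet) with memberOf edges (aSet).
DIRECTORY = {
    "CN=Enterprise RODCs": DSObject(f"{ROOT_DOMAIN_SID}-{ENTERPRISE_RODCS_RID}"),
    "CN=Tier1": DSObject(f"{ROOT_DOMAIN_SID}-1101"),
    "CN=Tier2": DSObject(f"{ROOT_DOMAIN_SID}-1102", member_of={"CN=Tier1"}),
    "CN=RODC1$": DSObject(f"{ROOT_DOMAIN_SID}-1200", member_of={"CN=Tier2"},
                          user_account_control=ADS_UF_WORKSTATION_TRUST_ACCOUNT
                          | ADS_UF_PARTIAL_SECRETS_ACCOUNT),
    "CN=alice": DSObject(f"{ROOT_DOMAIN_SID}-1300", member_of={"CN=Tier2"}),
}


def get_dsname_of_enterprise_rodcs_group(directory):
    """GetDSNameOfEnterpriseRODCsGroup: object with objectSid root SID + RID 498, else None."""
    target = f"{ROOT_DOMAIN_SID}-{ENTERPRISE_RODCS_RID}"
    return next((n for n, o in directory.items() if o.sid == target), None)


def closure(directory, u):
    """Transitive memberOf closure of u, i.e. Closure(uSet, aSet, u) - {u}."""
    seen, todo = set(), list(directory[u].member_of)
    while todo:
        g = todo.pop()
        if g not in seen and g in directory:
            seen.add(g)
            todo.extend(directory[g].member_of)
    return seen


def get_memberships(directory, ds_names, transitive=True):
    """wSet for the requested names, following the quoted pseudocode."""
    w_set = set()
    for u in ds_names:
        if u not in directory:  # 'if u in vSet then'
            continue
        w_set |= closure(directory, u) if transitive else set(directory[u].member_of)
        uac = directory[u].user_account_control
        # Mask tests are parenthesised: with C-style precedence 'uac & F == F'
        # would compare first. The pseudocode ORs the two flag tests.
        if ((uac & ADS_UF_WORKSTATION_TRUST_ACCOUNT) == ADS_UF_WORKSTATION_TRUST_ACCOUNT
                or (uac & ADS_UF_PARTIAL_SECRETS_ACCOUNT) == ADS_UF_PARTIAL_SECRETS_ACCOUNT):
            g = get_dsname_of_enterprise_rodcs_group(directory)
            if g is not None:  # the procedure returns null when the object is absent
                w_set.add(g)
    return w_set
```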

-----Original Message-----
From: Matthias Dieter Wallnöfer [mailto:[email protected]] 
Sent: Wednesday, September 22, 2010 7:42 AM
To: Hongwei Sun
Cc: [email protected]; MSSolve Case Email
Subject: Re: [REG:110091558099846] RE: Incompleteness in MS-SAMR section 
3.1.1.8.1 objectClass

Okay!

Greets,
Matthias Wallnöfer

Hongwei Sun wrote:
> Matthias,
>
>    Thanks for raising this issue with us.  First, we will add the missing 
> definitions for UF_PARTIAL_SECRETS_ACCOUNT (0x4000000) to 2.2.1.13 MS-SAMR, 
> USER_PARTIAL_SECRETS_ACCOUNT (0x00100000) to 2.2.1.12 MS-SAMR and 
> DOMAIN_GROUP_RID_READONLY_DCS (0x00000209) to 2.2.1.14 MS-SAMR.   In 3.1.1.8.1 
> MS-SAMR, we will add the following entry to the table in item 4 showing that 
> if userAccountControl has bits UF_WORKSTATION_TRUST_ACCOUNT & 
> UF_PARTIAL_SECRETS_ACCOUNT, the primaryGroupId attribute MUST be updated 
> with DOMAIN_GROUP_RID_READONLY_CONTROLLERS.
>
>    We are in the process of updating the document. The changes will appear in 
> a future release of the document.  Please let us know if you have any 
> further questions.  If not, I will consider this issue resolved.
>
> Thanks!
>
> Hongwei
>

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol