Ndaya, >Does Validated-SPN validated write allow an account to set an object's SPN to >the following values: >HOST/samAccountName (without the "$") >HOST/dnsDomainName >if the object is a regular computer object and NOT a DC?
ANS: Since they are two part SPNs, they should be allowed to be written to the ServicePrincipleName attribute based on Validated-SPN access right , as per MS-DRSR 5.5 (for DRS) and MS-ADTS 3.1.1.5.3.1.1.4 (for LDAP). If you look closely at the algorithm you referenced, it is the same as the AccessCheckWriteToSpnAttribute in DRSR. It means that the SPN is a correct two-part SPN , OR SPN is a correct three-part SPN and the object is a DC's domain controller object. It basically allows the three part SPN only on Domain Controllers. >In addition, I did the following test: >Gave Validated-SPN right to a user on a regular computer object, and got >CONSTRAINT_VIOLATION when setting its servicePrincipalName with the above >described values. >Gave Validated-SPN right to a user on a DC object, and these values were set >successfully. ANS: I did the similar testing to set the servicePrincipleName to the two part SPN on a non-DC computer object and I don't see any error. If I set a three part SPN on non-DC computer object , then I receive a CONSTRAINT_VIOLATION error. There is no error if I set either form of the SPN on a DC object. The result matches the logic in the documents. I used one account that doesn't have RIGHT_DS_WRITE_PROPERTY right, but has only RIGHT_DS_WRITE_PROPERTY_EXTENDED right with Object type set to ServicePrincipleName. I got the same result when I use an admin account that has all the rights. Could you share more information about your testing ? >Is the behavior of setting servicePrincipalName supposed to be different >between LDAP and DRS? ANS: Yes, it should the same , see the answer above. The DRSR replication routine will use the same logic as LDAP modify operation to modify the object attribute, so the object access control logic is the same. The AccessCheckAttr (5.2 MS-DRSR) just refers to the related sections in MS-ADTS. >Does servicePrincipalName modification depend on things other then the syntax >restrictions described in MS-DRSR and MS-ADTS? ANS: Besides the constraint as a validate write (3.1.1.5.3.1.1.4 MS-ADTS), it should also meet the constraint for being a modify operation as in 3.1.1.5.3.2 MS-ADTS. >If an object does not have Validated-SPN on Principal-Self, should the account >still be allowed to set the above values via DRS? ANS: Any SID substitution for Principal Self should be performed before any access checking behavior (5.1.3.3. MS-ADTS), thus the real user SID will not have Validated-SPN right if the Principal Self doesn't have it. It should not be allowed to set servicePrincipleName via either DRSR or LDAP since this is a mandatory requirement for the requester to have a Validated-SPN right. Please let me know if this makes sense and if you have more questions. Thanks! Hongwei From: [email protected] [mailto:[email protected]] On Behalf Of Nadezhda Ivanova Sent: Friday, December 17, 2010 5:08 AM To: Interoperability Documentation Help Cc: [email protected] Subject: [cifs-protocol] Questions about Validated-SPN validated write Hello, Does Validated-SPN validated write allow an account to set an object's SPN to the following values: HOST/samAccountName (without the "$") HOST/dnsDomainName if the object is a regular computer object and NOT a DC? The algorithm described in MS-DRSR 5.5 AccessCheckWriteToSpnAttribute seems to indicate that yes, this should be allowed. Ot the other hand, MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName leads me to believe that the object being a DC is mandatory constraint: "The SPN is a syntactically correct two-part SPN, or it is a syntactically correct three-part SPN (see Mutual Authentication (section 5.1.1.4)) and the object is a DC's domain controller object (see sections7.1.1.3.1 and 7.1.1.3.2). " In addition, I did the following test: Gave Validated-SPN right to a user on a regular computer object, and got CONSTRAINT_VIOLATION when setting its servicePrincipalName with the above described values. Gave Validated-SPN right to a user on a DC object, and these values were set successfully. So my questions are: Is the behaviour of setting servicePrincipalName supposed to be different between LDAP and DRS? Does servicePrincipalName modification depend on things other then the syntax restrictions described in MS-DRSR and MS-ADTS? If an object does not have Validated-SPN on Principal-Self, should the account still be allowed to set the above values via DRS? Best Regards, Nadezhda Ivanova
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
