Matthieu,

I verified my hypothesis.  In both cases (with and without 
LDAP_DIRSYNC_OBJECT_SECURITY) the call is handled in lsass.exe at 
ntdsai.dll!LDAP_CONN::SearchRequest().  For reference: my testing was using 
Server 2008 R2 (RTM, not SP1).

If LDAP_DIRSYNC_OBJECT_SECURITY is absent, we call into code that checks that 
the client has appropriate rights.  That call fails with 
ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105).  That failure causes 
LDAP_CONN::SearchRequest() to stop there and return insufficientAccessRights 
(0x32/50d).

Deeper down, the reason the access check fails with ERROR_DS_DRA_ACCESS_DENIED 8453 
(0x2105) is that a sub-check discovers that we are not at the root of the NC 
and returns 8440 (0x20f8) ERROR_DS_DRA_BAD_NC "The naming context specified for 
this replication operation is invalid".

When LDAP_DIRSYNC_OBJECT_SECURITY is present, we don't do this extra security 
"safety" check and skip all of the code mentioned above.  We then fall into 
the next check, which ultimately returns unwillingToPerform when it discovers the 
base of the search is not the root of the NC.

Bryan

-----Original Message-----
From: Bryan Burgin 
Sent: Tuesday, March 01, 2011 2:58 PM
To: '[email protected]'; [email protected]; [email protected]
Cc: MSSolve Case Email
Subject: [REG:111020105939834] server behavior with dirsync control when the 
search base is not a root of a nc

Hi, Matthieu,

Just a quick note that I'm closing in on this issue.  From a review of the code 
that is servicing this request, I believe the issue is that there is a cascade 
of checks that we do and in the case where you do not provide 
LDAP_DIRSYNC_OBJECT_SECURITY, we fail a preliminary safety check with 
LDAP_INSUFFICIENT_RIGHTS (0x32/50d).  If we pass that check, we then get to the 
code that is specific to the 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID text "If the base 
of the search is not the root of an NC, the server will return the error 
unwillingToPerform".  I have a Windows-to-Windows environment set up and a test 
program that I am in the process of using to confirm this hypothesis.

Bryan


-----Original Message-----
From: Matthieu Patou [mailto:[email protected]] 
Sent: Monday, January 31, 2011 1:43 PM
To: Interoperability Documentation Help; [email protected]; 
[email protected]
Subject: server behavior with dirsync control when the search base is not a 
root of a nc

Dear doc team,

I have a question related to the behavior of w2k8r2 vs. what is described in 
the documentation.

MS-ADTS.pdf at paragraph "3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID" says:

"If the base of the search is not the root of an NC, the server will return the 
error unwillingToPerform ([RFC2251] section 4.1.10). If the search scope is not 
subtree scope, the server will treat the search as if subtree scope was 
specified."


If I do a search with ldbsearch with LDAP_DIRSYNC_OBJECT_SECURITY not set, like 
this on the base "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net":
mat@ares:/usr/local/src/samba4/source4$ ./bin/ldbsearch --controls="dirsync:1:0:1000" -H ldap://172.16.100.25 -U administrator%totoTATA123 '(samaccountname=simple)' -b "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net"

I get
search error - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -
<00002105: LdapErr: DSID-0C0908C0, comment: Error processing control, data 0, 
v1db0> <>

I suppose I should have got unwilling_to_perform


If I set the LDAP_DIRSYNC_OBJECT_SECURITY flag with the same user and the same 
base:
mat@ares:/usr/local/src/samba4/source4$ ./bin/ldbsearch --controls="dirsync:1:1:1000" -H ldap://172.16.100.25 -U administrator%totoTATA123 '(samaccountname=simple)' -b "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net"

Then I correctly get the "unwilling_to_perform" error.
search error - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <000020F7: 
LdapErr: DSID-0C0908F3, comment: Error processing control, data 0, v1db0> <>


Can you explain if I missed something in the doc or if the doc is not accurate?

Regards
Matthieu.


--
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
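The two ldbsearch runs in Matthieu's message and the cascade of checks Bryan describes, as an added example that is not code from the thread, Samba or Microsoft: a standard-library Python script that builds the LDAP_SERVER_DIRSYNC_OID control value an ldbsearch "dirsync:crit:flags:max" option encodes, decodes the Windows "<00002105: LdapErr: ...>" diagnostic that comes back, and predicts which result code a 2008 R2 RTM DC returns for a given base DN and flag set. The NC root list, the DN normalization, the assumption that a search whose base is an NC root proceeds (given sufficient rights), and the name for 0x20F7 (ERROR_DS_DRA_BAD_DN, taken from winerror.h) are my additions, not from the thread; ldbsearch's optional trailing cookie field is not handled.

```python
"""Added example (not code from the thread, Samba or Microsoft): DirSync control
encoding/decoding, the Windows LdapErr diagnostic, and the 2008 R2 result-code
cascade Bryan describes. Standard library only."""
import re

DIRSYNC_OID = "1.2.840.113556.1.4.841"       # LDAP_SERVER_DIRSYNC_OID
LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001    # the flag discussed in the thread
LDAP_SUCCESS = 0
LDAP_INSUFFICIENT_ACCESS_RIGHTS = 50         # 0x32, insufficientAccessRights
LDAP_UNWILLING_TO_PERFORM = 53               # 0x35, unwillingToPerform
# Win32 codes quoted in the thread; 0x20F7 is taken from winerror.h, not from the thread.
WIN32_ERRORS = {0x2105: "ERROR_DS_DRA_ACCESS_DENIED",   # 8453
                0x20F8: "ERROR_DS_DRA_BAD_NC",          # 8440
                0x20F7: "ERROR_DS_DRA_BAD_DN"}          # 8439


# Minimal DER for SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    # Minimal two's-complement body; a value with its top bit set gets a leading 0x00.
    body = b"\x00" if v == 0 else v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + _der_len(len(body)) + body

def _der_read(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def encode_dirsync_value(flags, max_bytes, cookie=b""):
    """DER-encode the DirSync control value; an empty cookie requests a full sync."""
    body = _der_int(flags) + _der_int(max_bytes) + b"\x04" + _der_len(len(cookie)) + cookie
    return b"\x30" + _der_len(len(body)) + body

def decode_dirsync_value(data):
    """Inverse of encode_dirsync_value: returns (flags, max_bytes, cookie)."""
    tag, body, end = _der_read(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, val, pos = _der_read(body, pos)
        fields.append((t, val))
    if [t for t, _ in fields] != [0x02, 0x02, 0x04]:
        raise ValueError("expected INTEGER, INTEGER, OCTET STRING")
    return (int.from_bytes(fields[0][1], "big", signed=True),
            int.from_bytes(fields[1][1], "big", signed=True), fields[2][1])

def parse_ldb_dirsync_control(spec):
    """ldbsearch's dirsync:<crit>:<flags>:<max> -> (critical, flags, max). A trailing cookie field is not handled."""
    parts = spec.split(":")
    if parts[0] != "dirsync" or len(parts) != 4:
        raise ValueError("expected dirsync:<crit>:<flags>:<max>")
    return parts[1] == "1", int(parts[2], 0), int(parts[3])

def dirsync_control_tuple(spec):
    """(oid, criticality, value) as accepted by ldap3's Connection.search(controls=[...])."""
    critical, flags, max_bytes = parse_ldb_dirsync_control(spec)
    return DIRSYNC_OID, critical, encode_dirsync_value(flags, max_bytes)

_DIAG = re.compile(r"<([0-9A-Fa-f]{8}): LdapErr: (DSID-[0-9A-Fa-f]+), comment: (.*?), data (\d+), (v[0-9a-f]+)>")

def parse_windows_diagnostic(msg):
    """Split "<00002105: LdapErr: DSID-0C0908C0, comment: ..., data 0, v1db0>" into its fields."""
    m = _DIAG.search(msg)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {"win32": code, "win32_name": WIN32_ERRORS.get(code, "unknown"), "dsid": m.group(2),
            "comment": m.group(3), "data": int(m.group(4)), "version": m.group(5)}

def normalize_dn(dn):
    """Lower-case each RDN and strip whitespace so dc=a,DC=B equals DC=A,dc=b (assumed sufficient here)."""
    return ",".join(r.strip().lower() for r in re.split(r"(?<!\\),", dn))

def predict_dirsync_result(base_dn, nc_roots, flags):
    """Result code the thread reports for 2008 R2 RTM. Base at an NC root: assumed to proceed (0).
    Otherwise without OBJECT_SECURITY the replication-rights check fires first (50); with it that
    check is skipped and the documented NC-root check answers unwillingToPerform (53)."""
    if normalize_dn(base_dn) in {normalize_dn(r) for r in nc_roots}:
        return LDAP_SUCCESS
    return LDAP_UNWILLING_TO_PERFORM if flags & LDAP_DIRSYNC_OBJECT_SECURITY else LDAP_INSUFFICIENT_ACCESS_RIGHTS

if __name__ == "__main__":
    roots = ["DC=w2k8r2,DC=home,DC=matws,DC=net"]   # constructed: assumed domain NC root
    base = "CN=Users,DC=w2k8r2,DC=home,dc=matws,dc=net"
    for spec in ("dirsync:1:0:1000", "dirsync:1:1:1000"):   # Matthieu's two runs
        oid, crit, value = dirsync_control_tuple(spec)
        print(spec, value.hex(), "->", predict_dirsync_result(base, roots, decode_dirsync_value(value)[0]))
    print(parse_windows_diagnostic("<00002105: LdapErr: DSID-0C0908C0, comment: Error processing control, data 0, v1db0>"))
```

The tuple from dirsync_control_tuple() can be passed straight to an ldap3 search against a live DC to reproduce the two runs; offline, the predict function only encodes the ordering of checks as reported in the thread, so a different Windows build may answer differently.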



_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
