Hello Bryan,
Matthieu,
I verified my hypothesis. In both cases (with and without
LDAP_DIRSYNC_OBJECT_SECURITY) the call is handled in lsass.exe at
ntdsai.dll!LDAP_CONN::SearchRequest(). For reference: my testing was using
Server 2008 R2 (RTM, not SP1).
If LDAP_DIRSYNC_OBJECT_SECURITY is absent, we call into code that checks that
the client has appropriate rights. That call fails with
ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105). That failure causes
LDAP_CONN::SearchRequest() to stop there and return insufficientAccessRights
(0x32/50d).
Deeper down, the reason the access check fails with ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105)
is that a sub-check discovers that we are not at the root of the NC and returns 8440
(0x20f8) ERROR_DS_DRA_BAD_NC "The naming context specified for this replication
operation is invalid".
When LDAP_DIRSYNC_OBJECT_SECURITY is present, we don't do this extra security
"safety" check and skip all of the code mentioned above. We then fall into
the next check, which ultimately returns unwillingToPerform when it discovers the base of
the search is not the root of the NC.
Ok, does this mean that you'll update the documentation to indicate
this behavior (with a behavior note, for instance)?
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary