Yes. I sent subsequent mail with the change I recommended, copied below. Thank you for your patience.
Matthieu,

To close this out, I filed a request with the owners of [MS-ADTS] recommending the following Windows Behavior Note:

At the text in 3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID "If the base of the search is not the root of an NC, the server will return the error insufficientAccessRights / <unrestricted>." add <WBN>:

<WBN> Windows will return insufficientAccessRights if the base of the search is not the root of an NC and LDAP_DIRSYNC_OBJECT_SECURITY is not set.

Bryan

-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Saturday, March 05, 2011 6:58 AM
To: Bryan Burgin
Cc: [email protected]; [email protected]; MSSolve Case Email
Subject: Re: [REG:111020105939834] server behavior with dirsync control when the search base is not a root of a nc

Hello Bryan,

> Matthieu,
>
> I verified my hypothesis. In both cases (with and without
> LDAP_DIRSYNC_OBJECT_SECURITY) the call is handled in lsass.exe at
> ntdsai.dll!LDAP_CONN::SearchRequest(). For reference: my testing was using
> Server 2008 R2 (RTM, not SP1).
>
> If LDAP_DIRSYNC_OBJECT_SECURITY is absent, we call into code that checks that
> the client has appropriate rights. That call fails with
> ERROR_DS_DRA_ACCESS_DENIED 8453 (0x2105). That failure causes
> LDAP_CONN::SearchRequest() to stop there and return insufficientAccessRights
> (0x32/50d).
>
> Deeper down, the reason the access check fails with ERROR_DS_DRA_ACCESS_DENIED
> 8453 (0x2105) is that a sub-check discovers that we are not at the root of
> the NC and returns 8440 (0x20f8) ERROR_DS_DRA_BAD_NC "The naming context
> specified for this replication operation is invalid".
>
> When LDAP_DIRSYNC_OBJECT_SECURITY is present, we don't do this extra security
> "safety" check and skip all of the code mentioned above. We, then, fall into
> the next check that ultimately returns unwillingToPerform when it discovers
> the base of the search is not the root of the NC.

Ok, does this mean that you'll update the documentation to indicate this behavior (with a behavior note, for instance)?

--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
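The following is an added example, not code from the thread, from Samba or from Microsoft. It builds the BER-encoded controlValue for LDAP_SERVER_DIRSYNC_OID (SEQUENCE of flags, maxBytes and cookie, as MS-ADTS defines it), parses it back, and models the server behaviour Bryan describes above: with LDAP_DIRSYNC_OBJECT_SECURITY absent a non-root base fails the access check and yields insufficientAccessRights (50); with the flag set the access check is skipped and the later base-of-search check yields unwillingToPerform (53). The DN comparison is a constructed simplification, and the `caller_has_get_changes` parameter is an assumption standing in for the rights check the thread mentions without naming.

```python
"""Added example, not part of the thread: encode/decode the DirSync
controlValue and predict the result code for a non-NC-root search base."""

LDAP_SERVER_DIRSYNC_OID = "1.2.840.113556.1.4.841"
LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001

# LDAP result codes (RFC 4511) named in the thread
SUCCESS = 0
INSUFFICIENT_ACCESS_RIGHTS = 50   # 0x32
UNWILLING_TO_PERFORM = 53         # 0x35


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(value: int) -> bytes:
    """BER INTEGER for a non-negative value (a leading 0x00 keeps it positive)."""
    if value < 0:
        raise ValueError("only non-negative values are used here")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _ber_len(len(body)) + body


def encode_dirsync_value(flags: int, max_bytes: int = 0, cookie: bytes = b"") -> bytes:
    """controlValue for LDAP_SERVER_DIRSYNC_OID:
    SEQUENCE { flags INTEGER, maxBytes INTEGER, cookie OCTET STRING }."""
    cookie_tlv = b"\x04" + _ber_len(len(cookie)) + cookie
    body = _ber_int(flags) + _ber_int(max_bytes) + cookie_tlv
    return b"\x30" + _ber_len(len(body)) + body


def _ber_read_len(buf: bytes, i: int):
    """Return (length, index of first content octet) for the length at buf[i]."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n


def decode_dirsync_value(data: bytes):
    """Parse a DirSync controlValue into (flags, max_bytes, cookie),
    rejecting anything that is not exactly the expected three fields."""
    if not data or data[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = _ber_read_len(data, 1)
    end = i + length
    fields = []
    for tag in (0x02, 0x02, 0x04):
        if i >= end or data[i] != tag:
            raise ValueError("unexpected tag at offset %d" % i)
        flen, i = _ber_read_len(data, i + 1)
        fields.append(data[i:i + flen])
        i += flen
    if i != end or end != len(data):
        raise ValueError("length mismatch")
    flags = int.from_bytes(fields[0], "big", signed=True)
    max_bytes = int.from_bytes(fields[1], "big", signed=True)
    return flags, max_bytes, fields[2]


def _norm_dn(dn: str) -> str:
    # Constructed simplification: case-insensitive RDN comparison, no escaping handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


def predict_dirsync_result(base_dn: str, nc_roots, flags: int,
                           caller_has_get_changes: bool = True) -> int:
    """Model of the behaviour described in the thread. caller_has_get_changes
    is an assumption standing in for the rights check that runs only when
    LDAP_DIRSYNC_OBJECT_SECURITY is absent."""
    at_nc_root = _norm_dn(base_dn) in {_norm_dn(r) for r in nc_roots}
    if not flags & LDAP_DIRSYNC_OBJECT_SECURITY:
        # Without the flag the access check runs first; a base that is not an
        # NC root fails it (ERROR_DS_DRA_BAD_NC beneath ERROR_DS_DRA_ACCESS_DENIED)
        # and the server answers insufficientAccessRights.
        if not at_nc_root or not caller_has_get_changes:
            return INSUFFICIENT_ACCESS_RIGHTS
    # With the flag the access check is skipped; the later base-of-search
    # check turns a non-root base into unwillingToPerform.
    if not at_nc_root:
        return UNWILLING_TO_PERFORM
    return SUCCESS


if __name__ == "__main__":
    print(LDAP_SERVER_DIRSYNC_OID, encode_dirsync_value(LDAP_DIRSYNC_OBJECT_SECURITY).hex())
    for fl in (0, LDAP_DIRSYNC_OBJECT_SECURITY):
        print("flags=%d ->" % fl, predict_dirsync_result(
            "OU=Sales,DC=example,DC=com", ["DC=example,DC=com"], fl))
```

Running the block prints the hex of the control value for a flags-only request and the two predicted result codes (50 without the flag, 53 with it) for a search rooted at an OU rather than at the domain NC head, which is exactly the pair of outcomes the proposed behavior note is meant to document.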
