Matthieu,
I finished the investigation on this behavior. As per MS-ADTS 3.1.5.5.7.2, when a tree deletion is performed, every object in the tree will be checked to see if it has isCriticalSystemObject set to TRUE, including the root node on which the delete operation is performed. But there is an exception if the root object is a SAM-specific object (3.1.1.5.2.3 MS-ADTS). Its deletion is done through the SAM manager and the isCriticalSystemObject attribute is not checked.
The root node of the tree delete in your case is CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net, which is a SAM object with user class. Therefore the tree deletion is performed without any error.
I performed another test in which I tried to do a tree delete on an object with isCriticalSystemObject set to TRUE, where the object itself is not a SAM object, and I received an error as expected. The object I tried to delete is cn=ForeignSecurityPrincipals,DC=Contoso,DC=com.
I will file a request for this behavior to be documented in the tree-delete constraints section (3.1.1.5.5.7.2 MS-ADTS).
Thanks!
Hongwei
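As an added illustration (not code from the thread or from Samba), a small Python model of the tree-delete constraint as Hongwei describes it: objects are removed leaf-first, each one is checked for isCriticalSystemObject, and only a SAM-specific root object skips the check. The set of classes treated as SAM-specific, the leaf-first order, and the sample entries are constructed assumptions for the example.

```python
from dataclasses import dataclass

SAM_CLASSES = {"user", "computer", "group"}  # assumed SAM-specific classes (MS-ADTS 3.1.1.5.2.3)
# Constructed DNs mirroring the thread, not a dump from a real forest.
BASE = "DC=w2k8r2,DC=home,DC=matws,DC=net"
DCS = "OU=Domain Controllers," + BASE
ARES = "CN=ARES," + DCS
RIDSET = "CN=RID Set," + ARES
FSP = "CN=ForeignSecurityPrincipals," + BASE

@dataclass
class Entry:
    dn: str
    object_class: str
    critical: bool = False  # isCriticalSystemObject

def build_sample_directory():
    entries = [
        Entry(BASE, "domainDNS", True),
        Entry(DCS, "organizationalUnit", True),
        Entry(ARES, "user", True),  # the DC's own SAM object, as in the thread
        Entry(RIDSET, "rIDSet"),
        Entry(FSP, "container", True),
        Entry("CN=Demo," + FSP, "foreignSecurityPrincipal"),
    ]
    return {e.dn: e for e in entries}

def parent_dn(dn):  # assumes no escaped commas inside RDN values
    return dn.split(",", 1)[1] if "," in dn else ""

def tree_delete(directory, root_dn):
    """Model of LDAP_SERVER_TREE_DELETE_OID on root_dn: delete leaf-first, check
    isCriticalSystemObject on every object, exempt only a SAM-specific root.
    Returns (deleted DNs in order, error or None); directory is mutated in place."""
    deleted = []

    def delete_subtree(dn):
        for child in [d for d in directory if parent_dn(d) == dn]:
            err = delete_subtree(child)
            if err:
                return err  # stop at the first violation; earlier deletes stay
        entry = directory[dn]
        exempt = dn == root_dn and entry.object_class in SAM_CLASSES
        if entry.critical and not exempt:
            return f"unwillingToPerform: {dn} has isCriticalSystemObject=TRUE"
        del directory[dn]
        deleted.append(dn)
        return None

    return deleted, delete_subtree(root_dn)
```

Running tree_delete on the OU rather than on CN=ARES shows the partial-deletion effect the quoted spec text warns about: CN=RID Set is gone before the failure on CN=ARES is reported.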
-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Friday, August 12, 2011 4:19 PM
To: Hongwei Sun
Cc: [email protected]; [email protected]
Subject: Re: Behavior explanation on subtree delete control behavior with iscriticalsystemobject
On 12/08/2011 07:56, Hongwei Sun wrote:
Hi, Matthieu,
I have trouble decrypting the LDAP packets in the trace. Have you used Wireshark to do that?
Yes, with the keytab provided you do:
wireshark -K path_to_keytab trace.pcap
Wireshark must be configured to decrypt krb5 blobs (see https://wiki.samba.org/index.php/Wireshark_Keytab).
Did packet 1848 define a delete operation on record #1 with LDAP_SERVER_TREE_DELETE_OID specified? Have you checked that both records are not in the AD any more after the tree deletion?
Yes check the attached screenshot.
And yes all the objects are removed.
I have the feeling that the isCriticalObject rule applies only to the sub-objects, that is to say, if I have CN=foo,CN=bar,DC=domain,DC=tld with isCriticalObject, then if I try to use the subtree delete on CN=bar,DC=domain,DC=tld it should fail. But if the isCriticalObject is only on CN=bar,DC=domain,DC=tld, then the use of the deltree is permitted.
Matthieu.
Thanks!
Hongwei
-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Tuesday, August 09, 2011 4:08 PM
To: Interoperability Documentation Help; [email protected]; [email protected]
Subject: Behavior explanation on subtree delete control behavior with iscriticalsystemobject
Hello,
I found an interesting problem. In MS-ADTS it is said:
3.1.1.5.5.7.2 Tree-delete Constraints
All regular delete operation constraints apply on each object being deleted.
The tree-delete operation may not be applied to an NC root.
Objects with isCriticalSystemObject attribute equal to true may not be
deleted by the tree-delete operation (this also applies to objects in the
subtree being deleted).
This constraint is checked object-by-object, and deletion stops if some deletion would violate this constraint. Because, as explained in the next section, deleted objects never have children, the result after deletion stops due to this constraint is a tree. The resultant tree may not be the same as the original tree because some objects may have been deleted prior to the failure.
My understanding is that if you try to delete an object that has the isCriticalSystemObject attribute set to TRUE, or one of the objects below it in its tree does, then the operation should fail.
Did I get the meaning right?
If so, can you explain to me how, with this configuration:
./bin/ldbsearch -H ldap://172.16.100.27 -U administrator%totoTATA321 -b "CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net" isCriticalSystemObject
# record 1
dn: CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net
isCriticalSystemObject: TRUE
# record 2
dn: CN=RID Set,CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net
the delete with the subtree control in the attached trace, at packet 1848, is working?
Thanks.
Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary