Hi Tim:
Can you please let me know the step you took to add this object and applied to 
krbtgt?

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to 
provide feedback on your case you may contact my manager at ramagane at 
Microsoft dot com

-----Original Message-----
From: Obaid Farooqi 
Sent: Friday, April 6, 2018 12:48 PM
To: 'Tim Beale' <timbe...@catalyst.net.nz>
Cc: cifs-protocol@lists.samba.org; MSSolve Case Email <casem...@microsoft.com>
Subject: RE: [REG:118040517948537] MS-ADTS: msDS-ResultantPSO and 
DOMAIN_USER_RID_KRBTGT discrepancy

Hi Tim:
I'll help you with this issue and will be in touch as soon as I have an answer.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to 
provide feedback on your case you may contact my manager at ramagane at 
Microsoft dot com

-----Original Message-----
From: Obaid Farooqi 
Sent: Friday, April 6, 2018 12:47 PM
To: "'Tim Beale'" <timbe...@catalyst.net.nz>
Cc: "cifs-protocol@lists.samba.org" <cifs-protocol@lists.samba.org>; "MSSolve 
Case Email" <casem...@microsoft.com>
Subject: [REG:118040517948537] MS-ADTS: msDS-ResultantPSO and 
DOMAIN_USER_RID_KRBTGT discrepancy

Hello Tim 

We have created a case; 118040517948537, to track your inquiry and an 
Escalation Engineer will contact you to assist further.

Best Regards,
Tarun Chopra | Sr. Escalation Engineer
Open Specifications Support Team
Work +1-425-705-5042
Email  tarun.cho...@microsoft.com
Monday-Friday 9:00a-6:00p Pacific Timezone 

-----Original Message-----
From: Tim Beale <timbe...@catalyst.net.nz>
Sent: Thursday, April 5, 2018 2:00 PM
To: Interoperability Documentation Help <doch...@microsoft.com>; 
cifs-protocol@lists.samba.org
Subject: MS-ADTS: msDS-ResultantPSO and DOMAIN_USER_RID_KRBTGT discrepancy 

Hi, 

I'm looking into the behaviour of msDS-ResultantPSO and found a discrepancy 
between the specification and the actual behaviour.

In MS-ADTS, section 3.1.1.4.5.36 msDS-ResultantPSO [1], it says the
following: 

  If the RID in U!objectSid is equal to DOMAIN_USER_RID_KRBTGT, then there is 
no value in this attribute. 

I tried adding a PSO object and applying it to the krbtgt user on a Windows 
2012R2 VM. Based on the spec, I would expect no msDS-ResultantPSO to be 
returned for the krbtgt user. However, I do see one returned, e.g.

# record 1
dn: 
CN=krbtgt,CN=Users,DC=WINDOWS2012R2,DC=WIN,DC=TIM,DC=WGTN,DC=CAT-IT,DC=
CO,DC=NZ
objectSid: S-1-5-21-886655096-618523297-2770022155-502
msDS-ResultantPSO: CN=dummy-PSO,CN=Password Settings 
Container,CN=System,DC=WINDOWS2012R2,DC=WIN,DC=TIM,DC=WGTN,DC=CAT-IT,DC=
CO,DC=NZ

You can see the RID in the objectSid is 502, which is DOMAIN_USER_RID_KRBTGT. 

Could you please clarify which is incorrect - the specification or the Windows 
behaviour? Or have I misunderstood something?

Thanks,
Tim 

[1]
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsdn.mi
crosoft.com%2Fen-us%2Flibrary%2Fcc223866.aspx&data=02%7C01%7Cdochelp%40w
indows.microsoft.com%7Ce172420a92714a01130f08d59b383228%7C72f988bf86f141
af91ab2d7cd011db47%7C1%7C0%7C636585588018722990&sdata=KdE0SNnF0Xy3GBjnp8
UKzXt4GB9xQ2j0fFKuUZaD9JI%3D&reserved=0


_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

Reply via email to