Hi, Matthieu,

  I have trouble decrypting the LDAP packets in the trace.  Have you used 
Wireshark to do that?  Did packet 1848 define a delete operation on record 
#1 with LDAP_SERVER_TREE_DELETE_OID specified?  Have you checked that both 
records are not in the AD any more after tree deletion?

Thanks!

Hongwei
   

-----Original Message-----
From: Matthieu Patou [mailto:m...@samba.org] 
Sent: Tuesday, August 09, 2011 4:08 PM
To: Interoperability Documentation Help; p...@tridgell.net; 
cifs-proto...@samba.org
Subject: Behavior explanation on subtree delete control behavior with 
iscriticalsystemobject

Hello,

I found an interesting problem.

In MS-ADTS it is said:

3.1.1.5.5.7.2 Tree-delete Constraints
 - All regular delete operation constraints apply on each object being deleted.
 - The tree-delete operation may not be applied to an NC root.
 - Objects with isCriticalSystemObject attribute equal to true may not be
   deleted by the tree-delete operation (this also applies to objects in the
   subtree being deleted). This constraint is checked object-by-object, and
   deletion stops if some deletion would violate this constraint. Because, as
   explained in the next section, deleted objects never have children, the
   result after deletion stops due to this constraint is a tree. The resultant
   tree may not be the same as the original tree because some objects may have
   been deleted prior to the failure.

My understanding is that if you try to delete an object that has the 
isCriticalSystemObject attribute set to TRUE, or one of the objects below it in 
its tree does, then the operation should fail.

Did I get the meaning right?

If so, can you explain to me how, with this configuration:

./bin/ldbsearch -H ldap://172.16.100.27 -U administrator%totoTATA321 -b 
"CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net" 
isCriticalSystemObject
# record 1
dn: CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net
isCriticalSystemObject: TRUE

# record 2
dn: CN=RID Set,CN=ARES,OU=Domain Controllers,DC=w2k8r2,DC=home,DC=matws,DC=net

The delete with subtree control on the following trace at packet 1848 is 
working.

Thanks.

Matthieu.

--
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary


_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
