Ron Schnell | 5 Jan 2009 09:47

Monthly message from The Technical Committee

The Technical Committee was formed to help enforce the Microsoft anti-trust Final Judgment entered by the
US Courts in 2002 (see http://www.thetc.org).  The TC has been involved in reviewing and commenting on
much of the recently posted technical documentation and is interested in hearing about your experiences
using these documents for product development or enhancement, either by posting your feedback to this
mailing list, or by contacting the TC on a strictly confidential basis by sending e-mail to docfeedback <at> thetc.org

We will send this e-mail to the list once per month.
Andrew Bartlett | 5 Jan 2009 22:09

Re: Inconsistencies in ad-schema docs and text files

On Tue, 2009-01-06 at 00:01 +0530, Sreepathi Pai wrote:
> Hi,
> 
> I ran a diff against _normalized_ versions of the MS-AD* text files
> (that were updated to fix all issues reported so far) and text files
> generated from the documentation and found an additional number of
> issues. Some of them are text-extraction issues, but some seem to be
> the result of the text files containing old content. I attach the diff
> for perusal, each attribute has been prefixed with its cn. Both the
> ADA and ADSC files are compared (however the files were merged,
> sorry).

Richard:  On our phone call before the break I said that this was not a
blocking issue.  On reflection I was wrong - I thought that Sreepathi
had found just a couple of typos, and that we would get this all wrapped
up in short order, giving you time to sort out an optimal solution in
the long term.  

Given the scale of the errors in the supplied schema, and that even the
PDF version was clearly hand-constructed, I cannot trust it as a true
representation of the AD schema.  Both the text and PDF schema documents
as presented are unacceptable in their current forms, and we need to go
back to the start on this. 

It was hoped that in using these documents we would gain certainty -
using a clearly licenced, 'blessed' version/copy of the official AD
schema.  Instead, we have ended up in this quagmire. 

This issue is blocking us from making a Samba4 alpha release we have
scheduled for this week. 

Sreepathi Pai | 5 Jan 2009 19:31

Inconsistencies in ad-schema docs and text files

Hi,

I ran a diff against _normalized_ versions of the MS-AD* text files
(that were updated to fix all issues reported so far) and text files
generated from the documentation and found an additional number of
issues. Some of them are text-extraction issues, but some seem to be
the result of the text files containing old content. I attach the diff
for perusal, each attribute has been prefixed with its cn. Both the
ADA and ADSC files are compared (however the files were merged,
sorry).

1) FLAG_DOMAIN_DISALLOW_RENAME not present on a number of attributes
for systemFlags
2) defaultSecurityDescriptor is different from the docs
3) Differences in values for many attributes (e.g.
lastLogonTimestamp.searchFlags)
4) Content in docs not in text files (ms-net-ieee-8023-GroupPolicy)
5) GUIDs different in docs and text files (msDFS-Commentv2 and more)

and a number of other issues as well, mostly differences in attribute values.

[Note that whenCreated, homePhone have multiple systemFlags (dependent
on OS version), I've preserved both -- these are probably not errors.
The same with invocationId.searchFlags]

--

-- 
Sreepathi Pai
--- norm-ad-schema.txt	2009-01-05 23:37:50.000000000 +0530

Obaid Farooqi | 6 Jan 2009 16:54

RE: What are the 'Service' levels in SamLogonEx?

Hi Andrew:
I went through the document MS-APDS but there is no mention of NetlogonServiceInformation for which we
modified MS-NRPC. Do you have any specific section of MS-APDS in mind that you want modified as a result of
modifications made to MS-NRPC?

Regards,
Obaid Farooqi
Sr. SEE | Microsoft

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@...] 
Sent: Friday, December 19, 2008 7:26 PM
To: Obaid Farooqi
Cc: pfif@...; cifs-protocol@...
Subject: Re: What are the 'Service' levels in SamLogonEx?

On Fri, 2008-12-19 at 15:52 -0800, Obaid Farooqi wrote:
> Hi Andrew:
> 
> Per your inquiry, following are the changes that will appear in the 
> future version of [MS-NRPC]: Netlogon Remote Protocol Specification:

Thanks! This looks just what I was after.

As this passes the buck off to the receiving protocol, will the APDS document be updated?

Andrew Bartlett

--
Andrew Bartlett

Richard Guthrie | 6 Jan 2009 18:49

RE: Help wanted - simple python or perl script for schema conversion

Andrew/Sreepathi,

I wanted to update you with several updates to the documentation based on your feedback.  The following
corrections have been made to MS-ADTS or MS-ADA2.  I have attached the updated documents for your review.  

SRX081215601601 - MS-ADA2
fRODCFILTEREDATTRIBUTE is written in MS-ADA2 section 2.466 instead of fRODCFilteredAttribute

SRX081219600331 - MS-ADA2
The schemaIdGuid for msFVE-KeyPackage is incorrectly formatted.

SRX081215601476 - MS-ADA2
There is a misspelling in MS-ADA2 section 2.421 fCONFIDENTAIL instead of fCONFIDENTIAL

SRX081215601460 - MS-ADA2
Invalid second attributeId for msFVE-VolumeGuid.

SRX081219601001 - MS-ADTS
Section 3.1.1.2.2.2 of MS-ADTS ("LDAP Representations"), the encoding of oMObjectClass for
Object(DN-String) should be:
0x2A 0x86 0x48 0x86 0xF7 0x14 0x01 0x01 0x01 0x0C  not 0x2A 0x86 0x48 0x86 0xF7 0x14 0x01 0x010 0x01 0x0C (extra 0)

SRX081215601563 - MS-ADTS
MS-ADA*.pdf uses fRODCFilteredAttribute, but MS-ADTS in section, 2.2.9 refers to it as fRODCAttribute

Thank you for your feedback.

Richard Guthrie
Support Escalation Engineer
Open Protocols Support Team
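As an added check of the corrected oMObjectClass encoding in SRX081219601001 (example code written for this page, not from the thread or from the Microsoft documents): the X.690 rules that turn a dotted OID into its BER content octets, applied to the OID that 0x2A 0x86 0x48 0x86 0xF7 0x14 0x01 0x01 0x01 0x0C decodes to. The decoder also rejects an encoding whose last octet still has its continuation bit set, which is what a stray extra octet tends to produce.

```python
def encode_oid(dotted: str) -> bytes:
    """BER content octets for an OBJECT IDENTIFIER (X.690 8.19).

    The first two arcs are merged into 40*arc1 + arc2; every subidentifier is
    then written base-128, most significant group first, with the high bit set
    on every octet except the last one of that subidentifier."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %s" % dotted)
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        groups = [sid & 0x7F]          # least significant 7 bits first ...
        sid >>= 7
        while sid:
            groups.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(groups))   # ... emitted most significant first
    return bytes(out)


def decode_oid(data: bytes) -> str:
    """Inverse of encode_oid.  A final octet with bit 8 set means a
    subidentifier was cut off (or an octet was inserted), so it is rejected."""
    if not data:
        raise ValueError("empty OID encoding")
    if data[-1] & 0x80:
        raise ValueError("truncated subidentifier at end of OID")
    subids, value = [], 0
    for b in data:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def hexdump(data: bytes) -> str:
    """Render octets in the '0x2A 0x86 ...' style used in the MS-ADTS erratum."""
    return " ".join("0x%02X" % b for b in data)


# The Object(DN-String) oMObjectClass octets quoted in SRX081219601001,
# decoded back to dotted form.
DN_STRING_OMOBJECTCLASS = decode_oid(bytes.fromhex("2a864886f714010101" "0c"))

if __name__ == "__main__":
    print(DN_STRING_OMOBJECTCLASS, "->", hexdump(encode_oid(DN_STRING_OMOBJECTCLASS)))
```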

Andrew Bartlett | 6 Jan 2009 22:21

RE: What are the 'Service' levels in SamLogonEx?

On Tue, 2009-01-06 at 07:54 -0800, Obaid Farooqi wrote:
> Hi Andrew:
> I went through the document MS-APDS but there is no mention of NetlogonServiceInformation for which we
> modified MS-NRPC. Do you have any specific section of MS-APDS in mind that you want modified as a result of
> modifications made to MS-NRPC?

Isn't that the point?

In NRPC you passed the definition of this off to other protocols - you
said this is just a passthrough to a receiving protocol, and it should
not be fully described here.  

So, I'm suggesting (and yes, this is by far the least important issue
I'm raising, but it is an issue nonetheless) that APDS (I presume this
is the receiving protocol) should also contain the final 'we don't
actually use this' description.

Andrew Bartlett

--

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol

Hongwei Sun | 7 Jan 2009 22:34

RE: [Pfif] Clarify AEAD behaviour for GSSAPIwith AES

metze,

   I just want to check to see if you have any more feedback about the latest update of diagram and text.   If you
don't have any more questions, I will close the case regarding Gss_WrapEx with  AES128-CTS-HMAC-SHA1-96
in MS-KILE.

Thanks

----------------------------------------------------------
Hongwei  Sun - Sr. Support Escalation Engineer
DSC Protocol  Team, Microsoft
hongweis@...
Tel:  469-7757027 x 57027
-----------------------------------------------------------

-----Original Message-----
From: Hongwei Sun
Sent: Tuesday, December 30, 2008 10:26 AM
To: 'Stefan (metze) Metzmacher'
Cc: Andrew Bartlett; pfif@...; cifs-protocol@...
Subject: RE: [Pfif] [cifs-protocol] Clarify AEAD behaviour for GSSAPIwith AES

Stefan,

   We have updated the example for GSS_WrapEx with AES128-CTS-HMAC-SHA1-96 in MS-KILE as per your
suggestion.  I attached the updated section 4.3 of MS-KILE for your review.  Please also see the inline comment.

   We really appreciate your help for improving our Open Protocol Documentation.

>-----Original Message-----

Stefan (metze) Metzmacher | 8 Jan 2009 08:29

Re: [Pfif] Clarify AEAD behaviour for GSSAPIwith AES

Hi Hongwei,

>    I just want to check to see if you have any more feedback about the latest update of diagram and text.   If you
> don't have any more questions, I will close the case regarding Gss_WrapEx with  AES128-CTS-HMAC-SHA1-96
> in MS-KILE.

The diagram and text look good, maybe add a notice that
- right rotation by (EC+RRC) count - doesn't match the rfc, which says
  right rotation just by RRC count

But please check with Larry if that behavior will stay for the non-dce-style
case in future versions, there were some discussions about making the
EC+RRC "feature" dce-style specific in future versions of windows.

metze

> ----------------------------------------------------------
> Hongwei  Sun - Sr. Support Escalation Engineer
> DSC Protocol  Team, Microsoft
> hongweis@...
> Tel:  469-7757027 x 57027
> -----------------------------------------------------------
> 
> -----Original Message-----
> From: Hongwei Sun
> Sent: Tuesday, December 30, 2008 10:26 AM
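To make metze's point concrete, an added example (written for this page, not code from the thread, from MS-KILE or from Samba): the RFC 4121 Wrap token header layout with the (E,C) portion rotated right by RRC as the RFC says, beside the EC+RRC rotation described for Windows, and the receiver-side unrotation for each. The (E,C) octets and the EC/RRC values are constructed placeholders; no AES128-CTS-HMAC-SHA1-96 encryption is performed.

```python
import struct

# RFC 4121 4.2.6.2 Wrap token header: TOK_ID | Flags | Filler | EC | RRC | SND_SEQ
TOK_ID_WRAP = b"\x05\x04"
FLAG_SEALED = 0x02      # Flags bit meaning the payload is encrypted
HEADER_LEN = 16


def rotate_right(data: bytes, count: int) -> bytes:
    """Rotate a byte string right by `count` octets (count taken modulo length)."""
    if not data:
        return data
    count %= len(data)
    return data[-count:] + data[:-count] if count else data


def rotate_left(data: bytes, count: int) -> bytes:
    """Inverse of rotate_right."""
    return rotate_right(data, len(data) - count % len(data)) if data else data


def rotation_count(ec: int, rrc: int, windows_ec_plus_rrc: bool) -> int:
    """RFC 4121: rotate by RRC.  Windows behaviour as described in the thread: EC + RRC."""
    return ec + rrc if windows_ec_plus_rrc else rrc


def build_wrap_token(enc_and_cksum: bytes, ec: int, rrc: int, seq: int,
                     windows_ec_plus_rrc: bool) -> bytes:
    """Return header || rotate_right(E || C).  enc_and_cksum stands in for the
    real aes128-cts-hmac-sha1-96 output (encrypted data followed by checksum)."""
    header = (TOK_ID_WRAP + bytes([FLAG_SEALED, 0xFF])
              + struct.pack(">HHQ", ec, rrc, seq))
    count = rotation_count(ec, rrc, windows_ec_plus_rrc)
    return header + rotate_right(enc_and_cksum, count)


def unrotate_wrap_token(token: bytes, windows_ec_plus_rrc: bool) -> bytes:
    """Receiver side: read EC/RRC from the header and undo the rotation,
    giving back E || C in the order the sender produced it."""
    if len(token) < HEADER_LEN or token[:2] != TOK_ID_WRAP or token[3] != 0xFF:
        raise ValueError("not an RFC 4121 Wrap token")
    ec, rrc = struct.unpack(">HH", token[4:8])
    count = rotation_count(ec, rrc, windows_ec_plus_rrc)
    return rotate_left(token[HEADER_LEN:], count)


# Constructed placeholders: 24 octets for E, 12 for the 96-bit HMAC-SHA1 C,
# and EC/RRC values chosen for illustration rather than taken from a capture.
SAMPLE_E_C = b"E" * 24 + b"C" * 12
SAMPLE_EC, SAMPLE_RRC = 4, 28
```

An RFC-strict receiver given a Windows-style token ends up with E || C still rotated right by exactly EC octets, which is why the two conventions do not interoperate unless the receiver knows which one the peer applies.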

Richard Guthrie | 9 Jan 2009 17:35

RE: How to validate the PAC in NETLOGON SRX080918600905

Andrew,

Your suggestion to improve the text in MS-APDS has been accepted and we have modified the documentation
accordingly.  I have attached the updated section for completeness.  Thank you for your feedback.

Richard Guthrie
Support Escalation Engineer 
Open Protocols Support Team
Tel: +1 (469) 775-7794
E-mail: rguthrie@...

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@...] 
Sent: Thursday, November 13, 2008 2:37 PM
To: Richard Guthrie
Cc: pfif@...; cifs-protocol@...
Subject: RE: How to validate the PAC in NETLOGON SRX080918600905

On Thu, 2008-11-13 at 06:23 -0800, Richard Guthrie wrote:
> Andrew,
> 
> We have revised the MS-PAC documentation to more accurately reflect 
> signature verification requirements in section 2.8 as well as made 
> several updates to clarify the relationship between MS-PAC and 
> MS-KILE.  I have attached those three documents for your review.  The 
> changes in each document are highlighted in yellow.
> 
> Please let us know if you have any further questions.

In MS-APDS 3.2.5.2 Processing a KERB_VERIFY_PAC_REQUEST Message You really need to say:

Andrew Bartlett | 9 Jan 2009 21:06

RE: How to validate the PAC in NETLOGON SRX080918600905

On Fri, 2009-01-09 at 08:35 -0800, Richard Guthrie wrote:
> Andrew,
> 
> Your suggestion to improve the text in MS-APDS has been accepted

Thank you!

--

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol
