------------------- BACKGROUND INFO BEGIN -------------------

Rather than become overwhelmed with the tidal wave of information we are getting back from DSGetNCChanges(), I decided to take it one bit at a time.
These notes reference the smbtorture output found here by line number.

What i'm hoping to do here is breakdown as many of the unknown attributes as I can.
I'm starting with the root of dc=smb,dc=test (my domain name). I'm going to try and line up unknown values in my output file with what ldp.exe tells us on the domain controller.
The dc is my pdc(2k3 enterprise edition), and it is running as a mixed-mode domain (freshly loaded snapshot 8).

The first object in the list starts at line 571.

I got these results by running 'bin/smbtorture -W smbtest -U administrator%sn4ppl3sux ncacn_ip_tcp:pdc.smb.test[seal,print] RPC-DSSYNC | less -N' of revision 9723 of my branch.

------- BACKGROUND INFO END -------
------- INTERESTING INFO BEGIN -------

• Line 588 represents the beginning of an DRSUAPI_ATTRIBUTE_objectClass object. objectClassId 0xA0043 on line 597 and objectClassId 0xA0042 on line 601 are returned as UNKNOWN_ENUM_VALUE.
  objectClassId 0x100000 on line 605 is returned as DRSUAPI_OBJECTCLASS_top. The attribute values returned by ldp.exe for objectClass are top; domain; domainDNS;. This indicates to me
  that objectClassId 0xA0043 and 0xA0042 are DRSUAPI_OBJECTCLASS_domain and DRSUAPI_OBJECTCLASS_domainDNS. But which is which? (spoiler: see entry for line 1831).

• Line 606 represents the beginning of the next attribute. Line 607 shows that attid value 0x20001 is UNKNOWN_ENUM_VALUE. Line 616 shows that it has one value, a 5 (0x00000005).
  ldp.exe shows that an attribute, instanceType has the value 0x5 = ( DS_INSTANCETYPE_IS_NC_HEAD|IT_WRITE );. Given that, i'm going to go with this object being instanceType, unless contiued
  exploration shows that to be not so simple. :)

• Line 617 - next object, attid : UNKNOWN_ENUM_VALUE (0x20002). Single valued, time : Mon Jul 18 21:41:50 2005 CST. The whenCreated attribute's value in my AD is
  7/18/2005 21:41:50 Canada Central Standard Time Canada Central Standard Time; so i'm going to assume that this (attid: 0x20002) is the 'whenCreated' attribute.

• Line 628 - is the start of the next object, attid : DRSUAPI_ATTRIBUTE_ntSecurityDescriptor (0x20119). It's really long, and i'm guessing that it's the auditingPolicy: ; that
  ldp can't tell me anything about.

• Line 1594 - attribute with UNKNOWN_ENUM_VALUE (0x90001). Single valued, Unicode string 'smb'. That lines it up with the AD name: attribute, which also has the value smb in my directory.
  So, attid: 0x90001 is the 'name' attribute, or the 'dc' attribute.

• Line 1605 - attribute with UNKNOWN_ENUM_VALUE (0x9001A). It's a DATA_BLOB (length=8). This could be the auditingPolicy that ldb says is a binary blob.

• Line 1616 - another UNKNOWN_ENUM_VALUE (0x90027). DATA_BLOB (length=8).

• Line 1627 - UNKNOWN_ENUM_VALUE (0x9003C). DATA_BLOB (length=8).

• Line 1638 - UNKNOWN_ENUM_VALUE (0x9003D). DATA_BLOB (length=8).

• Line 1649 - UNKNOWN_ENUM_VALUE (0x90049). DATA_BLOB (length=4).

• Line 1660 - UNKNOWN_ENUM_VALUE (0x9004A). DATA_BLOB (length=8).

• Line 1671 - UNKNOWN_ENUM_VALUE (0x9004E). DATA_BLOB (length=8).

• Line 1682 - UNKNOWN_ENUM_VALUE (0x9004F). DATA_BLOB (length=4).

• Line 1693 - UNKNOWN_ENUM_VALUE (0x90051). DATA_BLOB (length=8).

• Line 1704 - UNKNOWN_ENUM_VALUE (0x90058). DATA_BLOB (length=4).

• Line 1715 - UNKNOWN_ENUM_VALUE (0x9005D). DATA_BLOB (length=4).

• Line 1726 - UNKNOWN_ENUM_VALUE (0x9005F). DATA_BLOB (length=4).

• Line 1737 - DRSUAPI_ATTRIBUTE_objectSid (0x90092). Unsurprisingly, ldb also tells me that my objectSid: is S-1-5-21-96697697-2244252087-1111806455.

• Line 1748 - UNKNOWN_ENUM_VALUE (0x90097). num_values returns 0, values = NULL. The only attribute value ldp.exe tells me that is anything like that is
  creationTime: : cannot format time field;

• Line 1754 - UNKNOWN_ENUM_VALUE (0x9009B). DATA_BLOB (length=4).

• Line 1765 - UNKNOWN_ENUM_VALUE (0x9009E). num_values = 0, values = NULL.

• Line 1771 - UNKNOWN_ENUM_VALUE (0x900CA). DATA_BLOB (length=2).

• Line 1782 - UNKNOWN_ENUM_VALUE (0x90165). DATA_BLOB (length=4).

• Line 1793 - UNKNOWN_ENUM_VALUE (0x90170). DATA_BLOB (length=138).

• Line 1793 - UNKNOWN_ENUM_VALUE (0x90170). DATA_BLOB (length=138).

• Line 1804 - UNKNOWN_ENUM_VALUE (0x90171). single valued dn_string.
  1817 guid : d38ff38a-4c36-4394-a80b-eeb21661964d
  1818 sid : S-0-0
  1819 dn : 'CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=smb,DC=test'
  This appears to match up with the fSMORoleOwner attribute in my AD.

• Line 1820 - DRSUAPI_ATTRIBUTE_systemFlags. value = 0x8c000000 (2348810240).

• Line 1831 - UNKNOWN_ENUM_VALUE (0x9026A). 11 element array of drsuapi_DsAttributeValueCtrDNString. dn for each element:
  'CN=Users,DC=smb,DC=test'
  'CN=Computers,DC=smb,DC=test'
  'OU=Domain Controllers,DC=smb,DC=test'
  'CN=System,DC=smb,DC=test'
  'CN=LostAndFound,DC=smb,DC=test'
  'CN=Infrastructure,DC=smb,DC=test'
  'CN=Deleted Objects,DC=smb,DC=test'
  'CN=ForeignSecurityPrincipals,DC=smb,DC=test'
  'CN=Program Data,DC=smb,DC=test'
  'CN=Microsoft,CN=Program Data,DC=smb,DC=test'
  'CN=NTDS Quotas,DC=smb,DC=test'
  This indicates to me that attribute id 0x9026A is attribute name wellKnownObjects.
  As an interesting side note, it looks like ldb.exe and smbtorture print the order of the elements in an array in opposite order from each other.
  If we hypothesize that the order an array is printed is a standard, we can determine the unknown objectClassId's (way, way back to line 588) as follows:
  Ldp.exe returned the values in the following order: top; domain; domainDNS;
  smbtorture returned the values in the following order: 0xA0043, 0xA0042, 0x10000 (DRSUAPI_OBJECTCLASS_top).
  If my hypothesis is correct, which is supported by the prior knowledge that 0x10000 is top, 0xA0042 is DRSUAPI_OBJECTCLASS_domain, and 0xA0043 is DRSUAPI_OBJECTCLASS_domainDNS.
  Score one for the scientific method!
  This doesn't confirm/prove anything, however. But I think it makes sense. We should be able to get more information to test the theory with from the next object we reach.

• Line 1937 - DRSUAPI_ATTRIBUTE_objectCategory (0x9030E). value = 'CN=Domain-DNS,CN=Schema,CN=Configuration,DC=smb,DC=test'

• Line 1953 - UNKNOWN_ENUM_VALUE (0x90364). DATA_BLOB (length=4).

• Line 1964 - UNKNOWN_ENUM_VALUE (0x9037B). Unicode string, value '[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=smb,DC=test;0]'
  That matches the value for the gPLink attribute in my AD. So, attribute name gPLink should match attid 0x9037B.

• Line 1975 - UNKNOWN_ENUM_VALUE (0x90583). DATA_BLOB (length=4).

• Line 1986 - DRSUAPI_ATTRIBUTE_msDS_Behavior_Version (0x905B3). Value 0.

• Line 1997 - UNKNOWN_ENUM_VALUE (0x906FC). DATA_BLOB (length=4).

• Line 2008 - UNKNOWN_ENUM_VALUE (0x906FD). DATA_BLOB (length=4).

• Line 2019 - UNKNOWN_ENUM_VALUE (0x906FE). DATA_BLOB (length=4).

• Line 2032 - 2210 - meta data.

This is the end of the first object.

What did we match that we didn't know before?
DRSUAPI_OBJECTCLASS_domain (0xA0042)
DRSUAPI_OBJECTCLASS_domainDNS (0xA0043)
wellKnownObjects (0x9026A)
fSMORoleOwner (0x90171)
name or dc (0x90001)
whenCreated (0x20002)
instanceType (0x20001)
gPLink (0x9037B)

(I added all of these to source/librpc/idl/drsuapi.idl, except for 0x90001 - yet)

What was returned by ldb that we didn't match?
distinguishedName:
whenChanged:
subRefs:
uSNCreated:
repsFrom:
uSNChanged:
objectGUID:
replUpToDateVector:
creationTime:
forceLogoff:
lockoutDuration:
lockOutObservationWindow:
lockoutThreshold:
maxPwdAge:
minPwdAge:
minPwdLength:
modifiedCountAtLastProm:
nextRid:
pwdProperties:
pwdHistoryLength:
serverState:
uASCompat:
modifiedCount:
auditingPolicy:
nTMixedDomain:
rIDManagerReference:
isCriticalSystemObject:
masteredBy:
ms-DS-MachineAccountQuota:
msDS-PerUserTrustQuota:
msDS-AllUsersTrustQuota:
msDS-PerUserTrustTombstonesQuota:
msDs-masteredBy:
name: or dc:

There are more attributes for this object returned by ldp.exe that we aren't resolving, than there are UNKNOWN_ENUM_VALUE's returned by smbtorture.

• Line 2211 - Second object starts.

• Line 2220 - dn of this object is 'CN=LostAndFound,DC=smb,DC=test'.

That's enough for now though.

posted at: 19:01 | path: /samba4/dssync | permanent link to this entry