Re: ADAM and AzMan (custom principals)
From: Niels Flensted-Jensen (NielsFlenstedJensen_at_discussions.microsoft.com)
Date: 05/18/05
- Next message: Jerome: "AceFlags under WinXp"
- Previous message: Valery Pryamikov: "Re: Hash of Public key"
- In reply to: Lee Flight: "Re: ADAM and AzMan (custom principals)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 18 May 2005 06:18:02 -0700
Hi Lee,
Thanks.
I've gotten as far as narrowing the problem down to ADAM not being able to
create foreignSecurityPrincipals with an authority other than 5, that is not
the "S-1-9-xxx" that I wanted for my custom SID.
Someone with Microsoft is checking whether this is solved in R2 (with
reference to some bug report), but I guess you already showed that.
I will change my code to produce S-1-5-* SIDs instead, even though it seems
a bit hacky (seems that authority 5 is for AD, NT4 domains and LSA?)
But thanks for figuring it out - even though my client is in no position to
upgrade to a beta of R2.
Niels
"Lee Flight" wrote:
> Hi
>
> thanks for posting your code which made this easy to test.
>
> I found the same as you: running with
>
> Microsoft.Interop.Security.AzRoles [1.2.0.0]
> ADAM [1.0.230.36]
>
> I get a stack trace with
>
> _message=(0x010823a0) "The parameter is incorrect."
>
> I think this must be an ADAM rather than AzMan problem as if
> I try running the code against the Windows server 2003 R2 beta 2
> release of ADAM the code works (partial ldif dump follows) :
>
> ==
> Writing out entries.
> dn:
> CN=TestGroup1,CN=AzGroupObjectContainer-mystore,CN=mystore,CN=AzStores,O=myorg,DC=Myroot
>
> changetype: add
> objectClass: top
> objectClass: group
> cn: TestGroup1
> member:
> CN=S-1-9-21-117609710-1644491937-725345543-1507640717,CN=ForeignSecurityPrincipals,O=myorg,DC=Myroot
> ==
>
> that was running with the same version of the Interop library. So unless
> there's a later release of ADAM than [1.0.230.36] it looks like this is an
> issue fixed in R2. In my investigation neither the AzMan MMC nor ADAM
> ADSIEdit had a facility for adding custom SIDs.
>
> HTH
> Lee Flight
>
> "Niels Flensted-Jensen" <NielsFlenstedJensen@discussions.microsoft.com>
> wrote in message news:4205A1D4-6DC0-4DAE-8C56-9521C9E099BB@microsoft.com...
> > On a system with Windows 2003 I was unable to add
> > custom SIDs (e.g. "S-1-9-..." ) to an AzMan store in
> > ADAM. This works for AzMan stores in AD or in plain
> > XML files. The informative message is "the parameter is
> > incorrect"
> >
> > This KB article lists a hotfix for something of that type
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;883933. Only my SID does not refer to an ADAM
> > principal, but something in a completely different system.
> > And the hotfix won't let itself be applied as I'm at
> > SP1. (But my Microsoft contact says it's not included in
> > the SP!!)
> >
> > As I said, it works with AD and XML stores as also
> > described here:
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/athmanwp.mspx#EBAA
> >
> > What to do?
> >
> > Thanks,
> >
> > Niels
> >
> > PS. Here's my code sample which fails:
> > (and I am referencing the newest version (1.2.0) of the
> > interop assembly)
> >
> > using System;
> > using System.Collections;
> > using System.Security.Principal;
> > using Microsoft.Interop.Security.AzRoles;
> >
> > namespace TestAzmanConsole
> > {
> >     /// <summary>
> >     /// Summary description for Class1.
> >     /// </summary>
> >     class AzManADAMtest
> >     {
> >         /// <summary>
> >         /// The main entry point for the application.
> >         /// </summary>
> >         [STAThread]
> >         static void Main(string[] args)
> >         {
> >             // custom SID with identifier authority 9 (not the NT authority 5)
> >             string sid = "S-1-9-21-117609710-1644491937-725345543-1507640717";
> >
> >             AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
> >
> >             // won't work with an ADAM store:
> >             store.Initialize(0, "msldap://localhost:50000/CN=Store,CN=AzManTest,DC=PKA,DC=DK", null);
> >
> >             // it works with this AD store:
> >             // store.Initialize(0, "msldap://cn=AzManStore,CN=Program Data,DC=CITEST,DC=cinetworks,DC=net", null);
> >
> >             // add the SID to every application group in the store; with the
> >             // ADAM store this loop fails with "The parameter is incorrect"
> >             IAzApplicationGroups azGroups = store.ApplicationGroups;
> >             foreach (IAzApplicationGroup azGroup in azGroups)
> >             {
> >                 azGroup.AddMember(sid, null);
> >                 azGroup.Submit(0, null);
> >             }
> >         }
> >     }
> > }
>
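As an added, stand-alone example (not Niels' or Lee's code, and not part of the AzRoles interop), a small Python check that parses an SDDL SID, builds the binary objectSid form ADAM would store on the foreignSecurityPrincipal, and flags an identifier authority other than 5 before such a SID is handed to AddMember against an ADAM-backed store. It assumes the constraint exactly as described in the thread for the ADAM build tested (authority 5 accepted, S-1-9-* rejected).

```python
import struct

# Thread observation: the tested ADAM build only created foreignSecurityPrincipal
# objects for SIDs whose identifier authority is 5 (SECURITY_NT_AUTHORITY).
# Assumption for this checker: nothing else is accepted.
ACCEPTED_AUTHORITIES = {5}


def parse_sid(sid: str) -> tuple[int, int, list[int]]:
    """Split an SDDL SID ("S-1-9-21-...") into revision, authority, subauthorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not an SDDL SID: {sid!r}")
    revision = int(parts[1])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    # SDDL writes the 48-bit authority in hex once it exceeds 32 bits
    authority = int(parts[2], 16) if parts[2].startswith("0x") else int(parts[2])
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority must fit in 48 bits")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s < (1 << 32) for s in subs):
        raise ValueError("at most 15 subauthorities, each a 32-bit value")
    return revision, authority, subs


def sid_to_binary(sid: str) -> bytes:
    """objectSid layout: revision, subauthority count, 6-byte big-endian
    authority, then each subauthority as a little-endian 32-bit value."""
    revision, authority, subs = parse_sid(sid)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def adam_fsp_compatible(sid: str) -> tuple[bool, str]:
    """Pre-flight a custom SID so the caller gets a clear reason instead of
    a bare "The parameter is incorrect" from the ADAM-backed AzMan store."""
    try:
        _, authority, _ = parse_sid(sid)
    except ValueError as exc:
        return False, str(exc)
    if authority not in ACCEPTED_AUTHORITIES:
        return False, (f"identifier authority {authority} is not 5; the ADAM build "
                       "in the thread refuses to create the foreignSecurityPrincipal")
    return True, "ok"
```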