
List:       cifs-protocol
Subject:    [cifs-protocol] RE: 601628 RE: Mapping of MS-LSAD onto LDAP and DRS
From:       Richard Guthrie <rguthrie () microsoft ! com>
Date:       2008-08-28 13:44:06
Message-ID: 23CD61EC34D8B74CB0DB149FE7EAD72727CC69242F () NA-EXMSG-C120 ! redmond ! corp ! microsoft ! com

Andrew,

Thanks for the follow-up questions.  The use of secrets to store domain trust passwords was used prior to Windows 2000.  In Windows 2000 and beyond, Trust Information such as Trust Passwords is stored in Active Directory on the TDO.  There is no mention of TrustAuthIncoming or TrustAuthOutgoing in the TrustedPasswordInformation text in section 3.1.4.7.3 of MS-LSAD because use of that flag for InformationClass performs work on secrets and not the TDO.

The user object under CN=Users is not influenced by calls to LsarSetTrustedDomainInfo when InformationClass == TrustedPasswordInformation.  When InformationClass == TrustedDomainInformationEx and TrustDirection is set to Inbound, the value on the trustAuthIncoming attribute of the trust object is set on the user object's password attributes.

Let us know if you have additional questions.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie@microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

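To make the split described in this thread concrete, here is an added example (not code from the thread, from Samba or from Microsoft) that models the server-side processing of LsarSetTrustedDomainInfo: TrustedPasswordInformation operates on the secret G$$<Trusted Domain Name> and leaves the TDO alone, while TrustedDomainInformationEx updates the TDO and, for an inbound trust, the CN=Users trust account password. The in-memory policy database, the class and field names, the "Name$" account naming and the STATUS_INVALID_PARAMETER result for an incomplete structure are assumptions of this model.

```python
from dataclasses import dataclass, field

STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_NO_SUCH_DOMAIN = "STATUS_NO_SUCH_DOMAIN"
STATUS_INVALID_PARAMETER = "STATUS_INVALID_PARAMETER"  # assumed for an incomplete structure
TRUST_DIRECTION_INBOUND = 0x1  # MS-LSAD TrustDirection bit for inbound trusts
# Every TDO field in TrustedDomainInformationEx has to be supplied (per the thread).
EX_REQUIRED = ("Name", "Sid", "TrustDirection", "TrustType", "TrustAttributes")

@dataclass
class TrustedDomainObject:  # the TDO held in the policy database (constructed model)
    name: str
    sid: str
    trust_direction: int = 0
    trust_auth_incoming: bytes = b""
    trust_auth_outgoing: bytes = b""

@dataclass
class SecretObject:  # LSA secret object, MS-LSAD section 3.1.1.4
    name: str
    old_value: bytes = b""
    new_value: bytes = b""

@dataclass
class PolicyDatabase:
    tdos: dict = field(default_factory=dict)     # keyed by domain SID
    secrets: dict = field(default_factory=dict)  # keyed by secret Name
    users: dict = field(default_factory=dict)    # CN=Users trust accounts -> password

    def set_trusted_domain_info(self, sid, info_class, info):
        tdo = self.tdos.get(sid)
        if tdo is None:  # section 3.1.4.7.3: no TDO with this SID
            return STATUS_NO_SUCH_DOMAIN
        if info_class == "TrustedPasswordInformation":
            # Works on the secret G$$<Trusted Domain Name>, like LsarSetSecret;
            # trustAuthIncoming/trustAuthOutgoing on the TDO are not touched.
            secret = self.secrets.setdefault(f"G$${tdo.name}", SecretObject(f"G$${tdo.name}"))
            secret.old_value, secret.new_value = info["OldPassword"], info["Password"]
            return STATUS_SUCCESS
        if info_class == "TrustedDomainInformationEx":
            if any(k not in info for k in EX_REQUIRED):
                return STATUS_INVALID_PARAMETER
            tdo.trust_direction = info["TrustDirection"]
            tdo.trust_auth_incoming = info.get("TrustAuthIncoming", tdo.trust_auth_incoming)
            tdo.trust_auth_outgoing = info.get("TrustAuthOutgoing", tdo.trust_auth_outgoing)
            # Inbound trust: trustAuthIncoming becomes the CN=Users trust account password.
            if tdo.trust_direction & TRUST_DIRECTION_INBOUND and tdo.trust_auth_incoming:
                self.users[f"{tdo.name}$"] = tdo.trust_auth_incoming
            return STATUS_SUCCESS
        return STATUS_INVALID_PARAMETER
```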

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Tuesday, August 26, 2008 5:25 PM
To: Richard Guthrie
Cc: pfif@tridgell.net; cifs-protocol@samba.org
Subject: RE: 601628 RE: Mapping of MS-LSAD onto LDAP and DRS replications

On Tue, 2008-08-26 at 11:11 -0700, Richard Guthrie wrote:
> Andrew,
> 
> The link between G$$<trusted domain secrets> and trustAuthIncoming is
> that G$$<trusted domain secrets> is where the password for the trust
> was stored prior to Active Directory (i.e. NT4, for example).  If the
> trust is a trust between Active Directory enabled domains, the TDO
> object is where the trust passwords are stored.  I was mistaken when I
> spoke previously, stating that if you use the method
> LsarSetTrustedDomainInfo with
> InformationClass==TrustedPasswordInformation you would be able to
> modify trustAuthIncoming/trustAuthOutgoing values.  You can only
> modify secret objects when you have
> InformationClass==TrustedPasswordInformation.  If you want to
> manipulate trustAuthIncoming/trustAuthOutgoing, you would need to set
> InformationClass = TrustedDomainInformationEx.  One point to note is
> that this method requires all the fields on the TDO passed in the
> TrustedDomainInformation object be set properly.  The preferred means
> of modifying trustAuthIncoming/trustAuthOutgoing attributes on the TDO
> is through the use of LsarSetInformationTrustedDomain.
> 
> We have also made a modification to the MS-LSAD document for section
> 3.1.4.7.3 to make the portion about TrustedPasswordInformation more
> clear that it refers to manipulation of a secret object.  Here is the
> revised text below with the reference to section 3.1.1.4:
> 
> TrustedPasswordInformation: The server MUST verify that a trusted
> domain object with this SID exists in its policy database. If the
> object does not exist, the call MUST fail with STATUS_NO_SUCH_DOMAIN.
> Otherwise, the server MUST open the secret object, as defined in
> section 3.1.1.4, (or create a secret object, if one does not already
> exist) with "Name" set to "G$$<Trusted Domain Name>". The server MUST
> then set "Old Value" of the secret object to the "OldPassword" value
> in TrustedDomainInformation and set "New Value" of the secret object
> to the "Password" value in TrustedDomainInformation, similar to the
> processing when an LsarSetSecret request has been made.
> 
> Please let us know if you have any additional questions regarding this
> issue.

So, the secrets are another parallel to the trustAuthIncoming and trustAuthOutgoing?  The modified text does not reference trustAuthIncoming or trustAuthOutgoing, so I'm confused.

Also, how is the cn=users object influenced by these calls?

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol