
List:       cifs-protocol
Subject:    [cifs-protocol] Response: SRX080909600334: [MS-APDS] Backing store
From:       Bill Wesse <billwe () microsoft ! com>
Date:       2008-09-25 9:14:43
Message-ID: 418D0227BD8E13478CBDB45B3480414857B2789899 () NA-EXMSG-C114 ! redmond ! corp ! microsoft ! com

Good morning Andrew. I have completed my preliminary investigation concerning your
questions about password policy, validation and concrete backing store for user and
trust account attributes.

The information is presented in detail in the attached document
(PasswordPolicyAndValidation.pdf, summary below).

What would you like the document to read as?

I have listed several suppositions where I think references may be helpful.

The following document sections should have cross references to:
   [MS-SAMR] 5.2  Index of Security Parameters

   a. [MS-ADTS] 3.1.1.3.1.5 Password Modify Operations
   b. [MS-APDS] 3.1.5.1 NTLM Interactive Logon
   c. [MS-NRPC] 3.1.1 Abstract Data Model (SharedSecret:)

Summary:

1. The document contains a detailed table of the member derivations for the
   NETLOGON_VALIDATION_SAM_INFO4 structure shown in [MS-NRPC] 2.2.1.4.13.

2. The document also contains a table that combines information concerning
   password policy checks, derived from the list below. The table includes
   additional document cross references ([MS-SAMR], [MS-KILE], etc.).

   [MS-SAMR]
      2.2.1.13 UF_FLAG Codes
      3.1.1.8.10 userAccountControl
      3.1.5.14.2 userAccountControl Mapping Table

3. The document also provides references to information concerning password
   validation attributes, as discussed in various sections in [MS-ADTS],
   [MS-NRPC] and [MS-SAMR]. The best description of validation with respect
   to the dbcsPwd and unicodePwd are in the following references:

   [MS-SAMR]
      3.1.5.10.1 SamrChangePasswordUser (Opnum 38)
      3.1.5.13.8 SamrValidatePassword

==============================================================================
Request:

I have previously asked for information to be added to MS-NRPC to detail the
currently abstract backing store for user and trust accounts.

However, it happens that the normal SamLogon processing is mostly described
in [MS-APDS].

What I'm looking for is a specific description of what attributes (unicodePwd,
dbcsPwd) are used for validating the password, what attributes (pwdLastSet,
userAccountControl etc) are used (and how they are used) to check policy and
then what attributes are used to construct the NETLOGON_VALIDATION_SAM_INFO4.

I need this because I must construct the same reply as a Microsoft DC that I
might share a domain using DRS replication with.

The current text in [MS-APDS] 3.1.5.1 is:

The domain controller MUST compare the local copy of the password to the
one sent in the request.

If there is a successful match, the domain controller MUST return data
with ValidationInformation containing either a reference to
NETLOGON_VALIDATION_SAM_INFO4 ([MS-NRPC] section 3.5.4.4.1), if the
ValidationLevel in the request is NetlogonValidationSamInfo4 or a
reference to NETLOGON_VALIDATION_SAM_INFO2 ([MS-NRPC] section 3.5.4.4.1),
if the ValidationLevel in the request is NetlogonValidationSamInfo2).

If there is not a match, the DC MUST return the failure error code
STATUS_WRONG_PASSWORD (section 2.2) with no response data.<15>

Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606
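The decision the quoted [MS-APDS] 3.1.5.1 text describes, together with the kind of userAccountControl / pwdLastSet policy checks the request asks about and the step that fills a NETLOGON_VALIDATION_SAM_INFO4 / SAM_INFO2 from the same account record, modelled as an added Python example. This is not code from Microsoft, from Samba or from this message. The UF_* bits, the NTSTATUS values and the NETLOGON_VALIDATION_INFO_CLASS values are the documented ones; the order of the checks, the FILETIME sample values, the placeholder OWF bytes, the 42-day maxPwdAge, the example.test domain and the subset of validation fields are assumptions made for the illustration.

```python
"""Model of the DC-side interactive logon decision from [MS-APDS] 3.1.5.1,
plus userAccountControl / pwdLastSet policy checks.  Added illustration,
not Microsoft's or Samba's code; check order, sample values and the
subset of validation fields are assumptions."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# userAccountControl bits from [MS-SAMR] 2.2.1.13 UF_FLAG Codes.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# NTSTATUS codes; only STATUS_WRONG_PASSWORD is cited in the message.
STATUS_SUCCESS = 0x00000000
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_PASSWORD_EXPIRED = 0xC0000071
STATUS_ACCOUNT_DISABLED = 0xC0000072
STATUS_PASSWORD_MUST_CHANGE = 0xC0000224
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234

# NETLOGON_VALIDATION_INFO_CLASS values for the two levels the text names.
NetlogonValidationSamInfo2 = 3
NetlogonValidationSamInfo4 = 6

# FILETIME arithmetic in 100 ns ticks; pwdLastSet is stored in this unit.
DAY = 24 * 60 * 60 * 10_000_000
NOW = 128_650_000_000_000_000   # constructed "current time" tick count
MAX_PWD_AGE = 42 * DAY          # assumed domain maxPwdAge


@dataclass
class SamAccount:
    """Backing-store attributes the message names (assumed subset)."""
    sam_account_name: str
    unicode_pwd: bytes            # NT OWF of the password (unicodePwd)
    dbcs_pwd: Optional[bytes]     # LM OWF (dbcsPwd); absent on modern accounts
    user_account_control: int
    pwd_last_set: int             # FILETIME; 0 means "must change at next logon"
    user_rid: int
    primary_group_rid: int


@dataclass
class LogonResult:
    status: int
    validation_level: Optional[int] = None
    validation_info: dict = field(default_factory=dict)


def check_policy(acct: SamAccount, now: int = NOW, max_pwd_age: int = MAX_PWD_AGE) -> int:
    """Account-restriction checks driven by userAccountControl and pwdLastSet."""
    uac = acct.user_account_control
    if uac & UF_ACCOUNTDISABLE:
        return STATUS_ACCOUNT_DISABLED
    if uac & UF_LOCKOUT:
        return STATUS_ACCOUNT_LOCKED_OUT
    if not (uac & UF_DONT_EXPIRE_PASSWD):
        if acct.pwd_last_set == 0:
            return STATUS_PASSWORD_MUST_CHANGE
        if now - acct.pwd_last_set > max_pwd_age:
            return STATUS_PASSWORD_EXPIRED
    return STATUS_SUCCESS


def sam_logon(acct: SamAccount, nt_owf: Optional[bytes], lm_owf: Optional[bytes],
              validation_level: int, now: int = NOW) -> LogonResult:
    """Compare OWFs as 3.1.5.1 requires, apply policy, build validation info."""
    if validation_level not in (NetlogonValidationSamInfo2, NetlogonValidationSamInfo4):
        raise ValueError("unsupported ValidationLevel %r" % validation_level)
    # 1. "compare the local copy of the password to the one sent in the request":
    #    unicodePwd against the NT OWF, falling back to dbcsPwd / LM OWF if stored.
    #    compare_digest keeps the timing independent of where the bytes differ.
    nt_ok = nt_owf is not None and hmac.compare_digest(acct.unicode_pwd, nt_owf)
    lm_ok = (lm_owf is not None and acct.dbcs_pwd is not None
             and hmac.compare_digest(acct.dbcs_pwd, lm_owf))
    if not (nt_ok or lm_ok):
        return LogonResult(STATUS_WRONG_PASSWORD)   # no response data
    # 2. Policy checks after the password match (assumed order).
    status = check_policy(acct, now)
    if status != STATUS_SUCCESS:
        return LogonResult(status)
    # 3. Validation info at the requested level, drawn from the same record.
    info = {
        "EffectiveName": acct.sam_account_name,
        "UserId": acct.user_rid,
        "PrimaryGroupId": acct.primary_group_rid,
        "PasswordLastSet": acct.pwd_last_set,
        "UserAccountControl": acct.user_account_control,
    }
    if validation_level == NetlogonValidationSamInfo4:
        # SAM_INFO4 extends SAM_INFO2 with DnsLogonDomainName and Upn.
        info["DnsLogonDomainName"] = "example.test"             # constructed
        info["Upn"] = f"{acct.sam_account_name}@example.test"  # constructed
    return LogonResult(STATUS_SUCCESS, validation_level, info)


# Constructed sample record; the OWF bytes are placeholders, not a real hash.
SAMPLE_NT_OWF = bytes(range(16))
SAMPLE_ACCOUNT = SamAccount("alice", SAMPLE_NT_OWF, None, UF_NORMAL_ACCOUNT,
                            NOW - 10 * DAY, 1105, 513)

if __name__ == "__main__":
    print(sam_logon(SAMPLE_ACCOUNT, SAMPLE_NT_OWF, None, NetlogonValidationSamInfo4))
    print(hex(sam_logon(SAMPLE_ACCOUNT, bytes(16), None, NetlogonValidationSamInfo4).status))
```

The point of separating `check_policy` from the OWF comparison is the one the request makes: a replica DC must take the same inputs (unicodePwd/dbcsPwd for the match, userAccountControl and pwdLastSet for policy, the rest of the record for the validation structure) and produce the same status and structure as a Microsoft DC, so each stage is driven by named attributes rather than by ad hoc state.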

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
