
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [REG: 110080418357322] [MS-BKRP] 1.3.1 -- in a
From:       Edgar Olougouna <edgaro () microsoft ! com>
Date:       2010-08-09 20:54:08
Message-ID: C3D5BF8228FEF54BABF69D7E1088B85F52C0952D () TK5EX14MBXC117 ! redmond ! corp ! microsoft ! com

Matthieu,
	
G$BCKUPKEY_PREFERRED and G$BCKUPKEY_guid are stored as LSA global secrets. The LSA global secret objects are replicated across domain controllers (DCs) in the same domain, so each DC can respond to secret requests of this type. This is specified in MS-BKRP 1.3.1, which cross-references [MS-LSAD] section 3.1.1.4. The global secrets are synchronized across DCs in the same domain, so that once the client discovers the DC and queries a secret, it has the same key pair and corresponding guid that is currently used throughout the same domain. MS-BKRP documents how Windows responds to BackupKey protocol queries received over the network.

Regarding operations on the global secret objects related to the BackupKey protocol, since they are stored as MS-LSAD secret objects, they can be read and/or written using the same mechanisms documented in MS-LSAD 3.1.4.6 Secret Object Methods. In this particular case, you may for instance use MS-LSAD 3.1.4.6.4 LsarQuerySecret (Opnum 30) or 3.1.4.6.6 LsarRetrievePrivateData (Opnum 43). Depending on the context in which you want to perform these operations, it might just be simpler to use LsarRetrievePrivateData and supply the KeyName to retrieve the secret, since there is no associated old value. Please see MS-LSAD for details on each method you are interested in.

MS-LSAD 3.1.4.6.6 LsarRetrievePrivateData (Opnum 43)
The LsarRetrievePrivateData method is invoked to retrieve a secret value.

NTSTATUS LsarRetrievePrivateData(
    [in] LSAPR_HANDLE PolicyHandle,
    [in] PRPC_UNICODE_STRING KeyName,
    [in, out] PLSAPR_CR_CIPHER_VALUE* EncryptedData
);

PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.
KeyName: The name identifying the secret value to be retrieved.
EncryptedData: Receives the encrypted value of the secret object.
…

MS-LSAD 3.1.4.6.4 LsarQuerySecret (Opnum 30)
The LsarQuerySecret method is invoked to retrieve the current and old (or previous) value of the secret object.

NTSTATUS LsarQuerySecret(
    [in] LSAPR_HANDLE SecretHandle,
    [in, out, unique] PLSAPR_CR_CIPHER_VALUE* EncryptedCurrentValue,
    [in, out, unique] PLARGE_INTEGER CurrentValueSetTime,
    [in, out, unique] PLSAPR_CR_CIPHER_VALUE* EncryptedOldValue,
    [in, out, unique] PLARGE_INTEGER OldValueSetTime
);

SecretHandle: An open secret object handle.
EncryptedCurrentValue: Used to return the encrypted current value of the secret object.
CurrentValueSetTime: Used to return the time when the current value was set.
EncryptedOldValue: A BLOB representing the encrypted old value. It is valid for this parameter to be NULL, in which case the current value in the policy database is copied.
OldValueSetTime: The time corresponding to the instant that the old value was last changed.
…

Best regards,
Edgar

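The naming scheme Edgar describes (G$BCKUPKEY_PREFERRED holding a 16-byte GUID, and G$BCKUPKEY_guid holding the key pair it points to) is easy to get wrong at the byte-order step, and the replication guarantee is something an administrator may want to audit. The following Python model is an added example, not code from the original thread, from Samba or from Microsoft: it decodes the 16-byte MS-DTYP packet GUID with the little-endian first three fields, derives the per-key secret name, and checks that every DC in a constructed in-memory domain agrees on the preferred key. It assumes the GUID in the secret name is written in lower-case hex without curly braces (that is how Samba forms the name; treat it as an assumption here), and the secret stores and key blobs are constructed sample data, not real LSA contents.

```python
import uuid
from collections import Counter

PREFERRED_NAME = "G$BCKUPKEY_PREFERRED"

# Constructed sample GUID standing in for the value G$BCKUPKEY_PREFERRED would hold.
PREFERRED_GUID = uuid.UUID("6a1f3c2e-5b4d-4e8f-9a0b-1c2d3e4f5a6b")


def guid_from_secret_bytes(raw: bytes) -> uuid.UUID:
    """Decode the 16-byte GUID stored in G$BCKUPKEY_PREFERRED.

    The MS-DTYP packet representation stores Data1, Data2 and Data3
    little-endian and Data4 as-is, which is exactly what uuid's bytes_le
    constructor expects; reading it big-endian would give a wrong GUID and
    therefore a secret name that does not exist.
    """
    if len(raw) != 16:
        raise ValueError(f"{PREFERRED_NAME} must be 16 bytes, got {len(raw)}")
    return uuid.UUID(bytes_le=raw)


def wrapping_key_secret_name(guid: uuid.UUID) -> str:
    # Assumption: GUIDString without braces, lower-case hex, as Samba names it.
    return f"G$BCKUPKEY_{guid}"


def build_dc_store(preferred: uuid.UUID, key_blob: bytes) -> dict:
    """Constructed model of one DC's LSA global secrets relevant to BKRP."""
    return {
        PREFERRED_NAME: preferred.bytes_le,
        wrapping_key_secret_name(preferred): key_blob,
    }


# Three DCs of one domain; LSA global secrets replicate, so they match.
SAMPLE_KEY_BLOB = b"<constructed ClientWrap key pair blob, MS-BKRP 2.2.5 format>"
DOMAIN_DCS = {
    "dc1": build_dc_store(PREFERRED_GUID, SAMPLE_KEY_BLOB),
    "dc2": build_dc_store(PREFERRED_GUID, SAMPLE_KEY_BLOB),
    "dc3": build_dc_store(PREFERRED_GUID, SAMPLE_KEY_BLOB),
}


def resolve_client_wrap_key(store: dict) -> tuple:
    """What a client does against one DC: read the preferred GUID, derive the
    per-key secret name, then read that secret (LsarRetrievePrivateData by
    KeyName in the real protocol). Returns (guid, secret name, blob)."""
    guid = guid_from_secret_bytes(store[PREFERRED_NAME])
    name = wrapping_key_secret_name(guid)
    if name not in store:
        raise KeyError(f"preferred key {guid} has no matching secret {name}")
    return guid, name, store[name]


def find_divergent_dcs(dcs: dict) -> list:
    """Audit check: with replication working, every DC reports the same
    preferred GUID and holds the matching key. Returns the DCs that disagree
    with the majority or lack the key secret (replication lag or tampering)."""
    observed = {}
    broken = []
    for dc, store in dcs.items():
        try:
            guid, _, _ = resolve_client_wrap_key(store)
            observed[dc] = guid
        except (KeyError, ValueError):
            broken.append(dc)
    if not observed:
        return sorted(broken)
    reference, _ = Counter(observed.values()).most_common(1)[0]
    broken.extend(dc for dc, guid in observed.items() if guid != reference)
    return sorted(broken)


if __name__ == "__main__":
    for dc in DOMAIN_DCS:
        guid, name, _ = resolve_client_wrap_key(DOMAIN_DCS[dc])
        print(f"{dc}: preferred {guid} -> {name}")
    print("divergent DCs:", find_divergent_dcs(DOMAIN_DCS))
```

The consistency check is the defender's angle on the same fact: if one DC reports a different preferred GUID, or lacks the G$BCKUPKEY_guid secret the others have, either replication has stalled or someone has changed the secret on that DC, and both deserve a look.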
-----Original Message-----
From: Edgar Olougouna 
Sent: Thursday, August 05, 2010 4:35 PM
To: 'mat@samba.org'; 'pfif@tridgell.net'; 'cifs-protocol@samba.org'
Cc: MSSolve Case Email
Subject: [REG: 110080418357322] [MS-BKRP] 1.3.1 -- in a given domain there is only "active" rsa key

Hi Matthieu,

I am researching this issue and will update you as soon I complete my research.

Best regards,
Edgar

Issue verbatim
------------------

Second, in paragraph 1.3.1 Call Flows, it is stated "For the ClientWrap subprotocol, the Microsoft implementation of the BackupKey Remote Protocol server stores the following LSA global secret objects (note that the LSA global secret names are Unicode strings): 1. G$BCKUPKEY_PREFERRED: This contains the 16-byte GUID ([MS-DTYP] section 2.3.2.2) of the RSA key pair currently used for client-side secret wrapping. 2. G$BCKUPKEY_guid: Here, guid is the string GUID that identifies the wrapping key, formatted as a GUIDString ([MS-DTYP] section 2.3.2.3). The value of the secret object is the server's ClientWrap key pair, formatted as specified in section 2.2.5"

Should I conclude that in a given domain there is only one "active" rsa key on all the servers, or, said another way, no matter which server is asked at a given moment we will always receive the same GUID for the key?

Also, just to be sure, this will be stored in the currentValue attribute but it will be only accessible through a lsaQuerySecret call, right?


-----Original Message-----
From: Bryan Burgin
Sent: Wednesday, August 04, 2010 10:12 PM
To: 'mat@samba.org' 
Cc: pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email
Subject: RE: [REG:110071868986368] unused bytes after while decoding bkrp requests 

Matthieu, 

For your new issues, I created three new cases and dispatched them across the team 

110080417580961
[MS-BKRP] 3.1.4.1 "misc" 0x00020000 value 

110080418016869
[MS-BKRP]  3.1.4.1.3 -- version field and a GUID field no documented 

110080418357322
[MS-BKRP] 1.3.1 --  in a given domain there is only "active" rsa key 

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

