
List:       cifs-protocol
Subject:    [cifs-protocol] Modifying msDS-SupportedEncryptionTypes attribute after domain join
From:       Andreas Schneider <asn () samba ! org>
Date:       2016-02-25 10:55:37
Message-ID: 2892909.ADvbcFBrDv () magrathea ! cryptomilk ! site

Hello, dochelp!

Günther Deschner and I looked into updating the msDS-SupportedEncryptionTypes 
attribute after a domain join.

We would like to ask for some clarifications for:

--- snip ---
[MS-KILE] 3.4.3.1 msDS-SupportedEncryptionTypes attribute:

"If the realm is a KILE implementation that uses an Active Directory for the 
account database, the server SHOULD ensure that the 
msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.458) of its 
account object is set to the value of SupportedEncryptionTypes (section 3.1.1.5).

When an application server is running under the machine account and NRPC is 
supported on the machine, the server SHOULD call NetrLogonGetDomainInfo 
([MS-NRPC] section 3.4.5.2.9) with the Level parameter set to 1 and 
WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes set to 
zero.<72> If the WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes 
returned is not equal to SupportedEncryptionTypes (section 3.1.1.5), then LDAP 
is used to update the setting:<73>

1.    Establish an LDAP connection with server information set to NULL
      ([MS-ADTS] section 7.1).

2.    Perform an LDAP modify operation to set the
      msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.458) of the
      computer account object to the value of SupportedEncryptionTypes
      (section 3.1.1.5)."
--- snip-end ---

Do we interpret that correctly, that after the machine account has been added 
to Active Directory, a netlogon connection is established using the machine 
account credentials of the machine account we just created?

NetrLogonGetDomainInfo() is called to retrieve the information whether the 
supported encryption types need to be changed or not. If they need to be 
changed:

1. An LDAP connection with the credentials of the newly created machine
   account is established
2. We perform an LDAP modify operation to set the
   msDS-SupportedEncryptionTypes attribute


Is that correct?

Thanks!


Best regards,


	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn@samba.org
www.samba.org

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
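The steps asked about in the post (query the value the DC holds, compare it with the local SupportedEncryptionTypes, and issue an LDAP modify only when they differ), written out as an added example. This is not Samba's code and not text from [MS-KILE]; the NetrLogonGetDomainInfo call is replaced by a stand-in function that returns a constructed DC-side value, the LDAP modify is rendered as an LDIF change record instead of being sent, and the computer DN and the 0x1c scenario are constructed for the example. The bit values of the flags are those defined in [MS-KILE] section 2.2.7.

```python
"""Reconcile a computer account's msDS-SupportedEncryptionTypes with the
local SupportedEncryptionTypes, following [MS-KILE] 3.4.3.1.
Example code, not Samba's; the DC side is simulated so it runs offline."""
from enum import IntFlag
from typing import Optional


class KerbEncTypes(IntFlag):
    """Bit flags carried in msDS-SupportedEncryptionTypes ([MS-KILE] 2.2.7)."""
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC_MD5 = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10


# Local SupportedEncryptionTypes ([MS-KILE] 3.1.1.5) for this example:
# a host that only offers AES. Constructed value, not taken from the post.
LOCAL_SUPPORTED = (KerbEncTypes.AES128_CTS_HMAC_SHA1_96
                   | KerbEncTypes.AES256_CTS_HMAC_SHA1_96)

KNOWN_ENC_BITS = 0x1F  # the five bits above; higher bits are other KILE options


def describe(value: int) -> list:
    """Names of the encryption-type bits set in a bitmask, in bit order;
    any bits outside the five encryption flags are reported as hex."""
    names = [member.name for member in KerbEncTypes if value & member]
    extra = value & ~KNOWN_ENC_BITS
    if extra:
        names.append(f"other=0x{extra:x}")
    return names


def simulated_get_domain_info(stored_value: Optional[int]) -> int:
    """Stand-in for NetrLogonGetDomainInfo (Level=1) called with
    WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes = 0.
    Assumption made for this example: the DC answers with the value the
    computer object currently holds, or 0 when the attribute is not set."""
    return stored_value or 0


def ldif_modify(dn: str, value: int) -> str:
    """LDIF change record for the LDAP modify step of [MS-KILE] 3.4.3.1:
    replace msDS-SupportedEncryptionTypes on the computer object."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: msDS-SupportedEncryptionTypes\n"
        f"msDS-SupportedEncryptionTypes: {int(value)}\n"
        "-\n"
    )


def reconcile(dn: str, returned: int,
              local: int = LOCAL_SUPPORTED) -> Optional[str]:
    """Return the LDIF to apply when the DC-side value differs from the
    local SupportedEncryptionTypes; None when no modify is needed."""
    if int(returned) == int(local):
        return None
    return ldif_modify(dn, local)


if __name__ == "__main__":
    # Constructed scenario: the join left the attribute at RC4+AES (0x1c).
    computer_dn = "CN=MYHOST,CN=Computers,DC=example,DC=com"  # placeholder DN
    on_dc = simulated_get_domain_info(0x1C)
    print("DC reports:", describe(on_dc))
    change = reconcile(computer_dn, on_dc)
    print(change if change else "attribute already matches; nothing to do")
```

Against a real DC the printed LDIF would be applied over the LDAP connection opened with the new machine account's credentials (for instance with ldapmodify or Samba's ldbmodify). The comparison matters beyond correctness: the attribute decides which encryption types the KDC will use for service tickets issued to that account, so a value left at RC4+AES after the join keeps RC4 tickets possible for the host even though the host itself only supports AES.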