
List:       cifs-protocol
Subject:    [cifs-protocol] MS-ADTS: msDS-ResultantPSO and DOMAIN_USER_RID_KRBTGT discrepancy
From:       Tim Beale via cifs-protocol <cifs-protocol@lists.samba.org>
Date:       2018-04-05 20:59:56
Message-ID: b4a93e66-6cf2-ea53-e524-ddcb508278c8@catalyst.net.nz

Hi,

I'm looking into the behaviour of msDS-ResultantPSO and found a
discrepancy between the specification and the actual behaviour.

In MS-ADTS, section 3.1.1.4.5.36 msDS-ResultantPSO [1], it says the
following:

   If the RID in U!objectSid is equal to DOMAIN_USER_RID_KRBTGT, then
   there is no value in this attribute.

I tried adding a PSO object and applying it to the krbtgt user on a
Windows 2012R2 VM. Based on the spec, I would expect no
msDS-ResultantPSO to be returned for the krbtgt user. However, I do see
one returned, e.g.

# record 1
dn: CN=krbtgt,CN=Users,DC=WINDOWS2012R2,DC=WIN,DC=TIM,DC=WGTN,DC=CAT-IT,DC=CO,DC=NZ
objectSid: S-1-5-21-886655096-618523297-2770022155-502
msDS-ResultantPSO: CN=dummy-PSO,CN=Password Settings Container,CN=System,DC=WINDOWS2012R2,DC=WIN,DC=TIM,DC=WGTN,DC=CAT-IT,DC=CO,DC=NZ

You can see the RID in the objectSid is 502, which is
DOMAIN_USER_RID_KRBTGT.

Could you please clarify which is incorrect - the specification or the
Windows behaviour? Or have I misunderstood something?

Thanks,
Tim

[1] https://msdn.microsoft.com/en-us/library/cc223866.aspx


_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol