[cifs-protocol] 601583 RE: How are disabled accounts handled in SNTP

Richard Guthrie rguthrie at microsoft.com
Mon Jul 28 14:54:49 GMT 2008 

Andrew,

As per our discussion on this issue.  MS-SNTP request do not rely on the secure channel, however once a client establishes a time sync with a particular time source it will continue to use that time source until that time source goes offline.  Also, as discussed here is an overview link on MS-SNTP from technet.

http://technet2.microsoft.com/WindowsServer/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Saturday, July 12, 2008 1:53 AM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] 600606 RE: How are disabled accounts handled in SNTP

On Wed, 2008-07-02 at 07:30 -0700, Richard Guthrie wrote:
> Andrew,
>
> I have completed my research with respect to NetrServerAuthenticate3.
> Your original question was around whether there any other methods
> other than NetrServerAuthenticate3 that return the RID of the
> authenticated account in a thread on MS-SNTP.  With respect to MS-SNTP
> and the Windows Time Service , it starts account authentication with a
> call to NetrLogonGetTrustRid.  The documentation discusses the
> Netlogon method NetrLogonGetTrustRid
> (http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-SNTP%5D.pdf) in section 1.5.2 of the current doc set.
>
> This method under the covers makes a call to NetrServerAuthenticate3
> in the case where the time service is located on a member server.
> Details of NetrServerAuthenticate3 can be found here
> (http://msdn.microsoft.com/en-us/library/cc208186.aspx).  The RID is
> retrieved as a return value from establishment of a session key used
> for the secure channel.
>
> If however the time service is located on a DC that is in the domain
> of the account to be authenticated, NetrLogonGetTrustRid looks at the
> local SAM database to get the account and its associated RID.  There
> never is a call to NetrServerAuthenticate3 in this case.
>
> I have requested that the MS-NRPC documentation (section 3.5.4.7.1),
> be updated to reflect this and will let you know the results of that
> investigation.  Does this answer your question?

I think so.

Will the client always talk to the server it has done a
NetrServerAuthenticate3 against to then requiest MS-SNTP authenticated time?
(Where I'm going with this is that I could, in securing the MS-SNTP protocol, restrict SNTP access to clients who have done a
NetrServerAuthenticate3 call and domain controllers, per you answer above, or if - and I have not yet asked this - the
NetrServerAuthenticate3 returned RID is only used for MS-SNTP, then we could return another arbitrary 32 bit number, and key with that.)

Thanks


Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list