[cifs-protocol] RE: KVNO of trusts
John Dunning
johndun at microsoft.com
Fri Oct 24 19:53:26 GMT 2008
Hello Andrew,
I am sorry for the delayed response but I was out of the office the first part of the week.
Were you still going to provide more concrete details or did you want me to pursue this with the information I have?
Thanks
John Dunning
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, October 08, 2008 6:32 PM
To: John Dunning
Cc: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: KVNO of trusts
On Wed, 2008-10-08 at 09:31 -0700, John Dunning wrote:
> Hello Andrew,
> Thank you for your rewording suggestion. I have passed this information on to my Product Team.
>
> I also have an answer to your question:
>
> "What is the kvno if the client does not provide one in that structure, when it initially calls CreateTrustedDomainEx? (I think it is -1)?"
>
> Answer:
>
> If TRUST_AUTH_TYPE_VERSION is missing, the key version # for that
> trust key in Kerberos protocol is not filled. In such a case, the
> Windows Kerberos will ignore the missing key version # field.
> The key version (and the TRUST_AUTH_TYPE_VERSION field) is always
> present in Microsoft implementations to maximize interoperability.
I didn't find the version in the blob attached to the
CreateTrustedDomainEx2 call I got from Windows 2008. That is why I asked.
Perhaps I'm (as a server) meant to add this to the record? If so, what information should I use to do so?
Also, while this element is indeed optional according to the ASN.1, it seemed to be filled in by windows in this case.
I'll try to reproduce the setup we had at the IO lab this week, and give you some more concrete details.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
More information about the cifs-protocol
mailing list