[cifs-protocol] [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval - TrackingID#2311230040000495
Joseph Sutton
jsutton at samba.org
Fri Nov 24 00:53:12 UTC 2023

Oh, I see what’s going on. The original expression is correct, provided
that ‘TO!msDS-ManagedPasswordInterval’ is first multiplied by
36,000,000,000 (one hour expressed as a FILETIME).

The documentation might be clearer, though, if it said that
msDS-ManagedPasswordInterval was to be converted from a number of days
to a FILETIME (so that 1 day would become 864,000,000,000). In that case
the expression would be simply:

GKDIRolloverInterval = (TO!msDS-ManagedPasswordInterval ∕ KeyCycleDuration) × KeyCycleDuration

Regards,
Joseph

On 23/11/23 2:58 pm, Jeff McCashland (He/him) wrote:
> [DocHelp to BCC, support on CC, SR ID on Subject]
>
> Hi Joseph,
>
> Thank you for your question. We have created SR 2311230040000495 to track this issue. One of our engineers will respond soon.
>
> Note that due to the U.S. Thanksgiving holiday, the response may be delayed until Monday at the latest.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Wednesday, November 22, 2023 5:07 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval
>
> Hi dochelp,
>
> I think there may be an error — or at least some opportunity for confusion — in the documentation for GetgMSAPasswordBlob ([MS-ADTS] 3.1.1.4.5.39, “msDS-ManagedPassword”). The documentation states that GKDIRolloverInterval is equal to:
>
> (TO!msDS-ManagedPasswordInterval × 24 ∕ KeyCycleDuration) × KeyCycleDuration
>
> GKDIRolloverInterval is later added to the time returned by GKDIGetKeyStartTime(), implying that the former value is measured in 100ns units as is the latter. However, the expression given in the documentation appears to be equivalent to ‘TO!msDS-ManagedPasswordInterval × 24’, which would produce a quantity in hours.
>
> If GKDIRolloverInterval is meant to be a FILETIME, I think the correct expression should be:
>
> TO!msDS-ManagedPasswordInterval × 24 × 60 × 60 × 10⁷
>
> This gives an answer consistent with the results I’m seeing from Windows.
>
> Regards,
> Joseph
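
The two readings of the expression discussed in this thread, worked through as an added example that is not part of either message or of [MS-ADTS]. It assumes that "∕" is integer division and that KeyCycleDuration is 10 hours in 100 ns units (360,000,000,000, the value given in [MS-GKDI]); the function names are hypothetical.

```python
# Added example: GKDIRolloverInterval computed in FILETIME (100 ns) units.
# Assumptions, not stated in the thread: "/" in the documented expression is
# integer division, and KeyCycleDuration is 10 hours (value from [MS-GKDI]).

HOUR_AS_FILETIME = 36_000_000_000            # one hour, as given in the thread
DAY_AS_FILETIME = 24 * HOUR_AS_FILETIME      # 864,000,000,000, as given in the thread
KEY_CYCLE_DURATION = 10 * HOUR_AS_FILETIME   # assumed: 360,000,000,000


def _check(interval_days, key_cycle):
    """Reject inputs for which the expression is not meaningful."""
    if not isinstance(interval_days, int) or interval_days < 0:
        raise ValueError("interval must be a non-negative whole number of days")
    if key_cycle <= 0:
        raise ValueError("key cycle duration must be positive")


def rollover_scaled_hours(interval_days, key_cycle=KEY_CYCLE_DURATION):
    """Documented form, with the interval first multiplied by one hour as FILETIME."""
    _check(interval_days, key_cycle)
    scaled = interval_days * HOUR_AS_FILETIME
    return (scaled * 24 // key_cycle) * key_cycle


def rollover_from_filetime(interval_days, key_cycle=KEY_CYCLE_DURATION):
    """Simplified form: convert days to FILETIME, then round down to whole key cycles."""
    _check(interval_days, key_cycle)
    return (interval_days * DAY_AS_FILETIME // key_cycle) * key_cycle


def unrounded_filetime(interval_days):
    """Expression from the original message: days x 24 x 60 x 60 x 10^7."""
    return interval_days * 24 * 60 * 60 * 10**7


if __name__ == "__main__":
    for days in (1, 5, 30):
        print(days,
              rollover_scaled_hours(days),
              rollover_from_filetime(days),
              unrounded_filetime(days))
```

Under these assumptions the two rounded forms always agree, and they match the unrounded product whenever the interval is a whole number of key cycles (for example 30 days).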