[cifs-protocol] [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval - TrackingID#2311230040000495

Joseph Sutton jsutton at samba.org
Fri Nov 24 00:53:12 UTC 2023


Oh, I see what’s going on. The original expression is correct, provided 
that ‘TO!msDS-ManagedPasswordInterval’ is first multiplied by 
36,000,000,000 (one hour expressed as a FILETIME).

The documentation might be clearer, though, if it said that 
msDS-ManagedPasswordInterval was to be converted from a number of days 
to a FILETIME (so that 1 day would become 864,000,000,000). In that case 
the expression would be simply:

GKDIRolloverInterval = (TO!msDS-ManagedPasswordInterval ∕ KeyCycleDuration) × KeyCycleDuration

Regards,
Joseph

On 23/11/23 2:58 pm, Jeff McCashland (He/him) wrote:
> [DocHelp to BCC, support on CC, SR ID on Subject]
> 
> Hi Joseph,
> 
> Thank you for your question. We have created SR 2311230040000495 to track this issue. One of our engineers will respond soon.
> 
> Note that due to the U.S. Thanksgiving holiday, the response may be delayed until Monday at the latest.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Wednesday, November 22, 2023 5:07 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval
> 
> Hi dochelp,
> 
> I think there may be an error — or at least some opportunity for confusion — in the documentation for GetgMSAPasswordBlob ([MS-ADTS] 3.1.1.4.5.39, “msDS-ManagedPassword”). The documentation states that GKDIRolloverInterval is equal to:
> 
> (TO!msDS-ManagedPasswordInterval × 24 ∕ KeyCycleDuration) × KeyCycleDuration
> 
> GKDIRolloverInterval is later added to the time returned by GKDIGetKeyStartTime(), implying that the former value is measured in 100ns units as is the latter. However, the expression given in the documentation appears to be equivalent to ‘TO!msDS-ManagedPasswordInterval × 24’, which would produce a quantity in hours.
> 
> If GKDIRolloverInterval is meant to be a FILETIME, I think the correct expression should be:
> 
> TO!msDS-ManagedPasswordInterval × 24 × 60 × 60 × 10⁷
> 
> This gives an answer consistent with the results I’m seeing from Windows.
> 
> Regards,
> Joseph
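
The unit question in this thread, worked through as an added example (not code from the thread, Samba or Microsoft): the expression as printed yields hours, while converting the interval to a FILETIME first yields 100 ns units rounded down to whole key cycles. The 10-hour KeyCycleDuration and the truncating division are assumptions, and the function names and sample start time are constructed for illustration.

```python
from fractions import Fraction

HOUR = 36_000_000_000   # one hour as a FILETIME (100 ns units), per the thread
DAY = 24 * HOUR         # 864,000,000,000, per the thread
# Assumption: KeyCycleDuration is 10 hours, the value given in [MS-GKDI];
# the thread itself never states it.
KEY_CYCLE_DURATION = 10 * HOUR


def rollover_as_printed(interval_days: int) -> Fraction:
    """The documented expression with the interval left in days.

    With exact division the two KeyCycleDuration factors cancel, leaving
    interval_days * 24: a count of hours, not a FILETIME.
    """
    return Fraction(interval_days * 24, KEY_CYCLE_DURATION) * KEY_CYCLE_DURATION


def rollover_interval(interval_days: int) -> int:
    """GKDIRolloverInterval in 100 ns units.

    Assumption: the division truncates, so the result is a whole number of
    key cycles (otherwise the divide-then-multiply would be a no-op).
    """
    if (isinstance(interval_days, bool) or not isinstance(interval_days, int)
            or interval_days < 1):
        raise ValueError("msDS-ManagedPasswordInterval must be a positive day count")
    as_filetime = interval_days * DAY
    return as_filetime // KEY_CYCLE_DURATION * KEY_CYCLE_DURATION


def next_rollover(key_start_time: int, interval_days: int) -> int:
    """Add the interval to a GKDIGetKeyStartTime()-style FILETIME."""
    return key_start_time + rollover_interval(interval_days)


if __name__ == "__main__":
    start = 133_452_000_000_000_000  # constructed sample FILETIME
    for days in (1, 7, 30):
        print(days, rollover_as_printed(days), rollover_interval(days),
              next_rollover(start, days))
```

Under these assumptions a 30-day interval is an exact multiple of the key cycle, so the rounded expression and the plain product TO!msDS-ManagedPasswordInterval × 24 × 60 × 60 × 10⁷ agree; for 1 or 7 days they differ.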


