[cifs-protocol] [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval - TrackingID#2311230040000495

Joseph Sutton jsutton at samba.org
Fri Nov 24 01:14:03 UTC 2023


(My original suggestion was correct only when 
msDS-ManagedPasswordInterval happened to be a multiple of five.)

Regards,
Joseph

On 24/11/23 1:53 pm, Joseph Sutton via cifs-protocol wrote:
> Oh, I see what’s going on. The original expression is correct, provided 
> that ‘TO!msDS-ManagedPasswordInterval’ is first multiplied by 
> 36,000,000,000 (one hour expressed as a FILETIME).
> 
> The documentation might be clearer, though, if it said that 
> msDS-ManagedPasswordInterval was to be converted from a number of days 
> to a FILETIME (so that 1 day would become 864,000,000,000). In that case 
> the expression would be simply:
> 
> GKDIRolloverInterval = (TO!msDS-ManagedPasswordInterval ∕ 
> KeyCycleDuration) × KeyCycleDuration
> 
> Regards,
> Joseph
> 
> On 23/11/23 2:58 pm, Jeff McCashland (He/him) wrote:
>> [DocHelp to BCC, support on CC, SR ID on Subject]
>>
>> Hi Joseph,
>>
>> Thank you for your question. We have created SR 2311230040000495 to 
>> track this issue. One of our engineers will respond soon.
>>
>> Note that due to the U.S. Thanksgiving holiday, the response may be 
>> delayed until Monday at the latest.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | 
>> Microsoft Protocol Open Specifications Team
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
>> (UTC-08:00) Pacific Time (US and Canada)
>> Local country phone number found 
>> here: http://support.microsoft.com/globalenglish | Extension 1138300
>>
>> -----Original Message-----
>> From: Joseph Sutton <jsutton at samba.org>
>> Sent: Wednesday, November 22, 2023 5:07 PM
>> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help 
>> <dochelp at microsoft.com>
>> Subject: [EXTERNAL] [MS-ADTS] GetgMSAPasswordBlob — Calculation of 
>> rollover interval
>>
>> Hi dochelp,
>>
>> I think there may be an error — or at least some opportunity for 
>> confusion — in the documentation for GetgMSAPasswordBlob ([MS-ADTS] 
>> 3.1.1.4.5.39, “msDS-ManagedPassword”). The documentation states that 
>> GKDIRolloverInterval is equal to:
>>
>> (TO!msDS-ManagedPasswordInterval × 24 ∕ KeyCycleDuration) × 
>> KeyCycleDuration
>>
>> GKDIRolloverInterval is later added to the time returned by 
>> GKDIGetKeyStartTime(), implying that the former value is measured in 
>> 100ns units as is the latter. However, the expression given in the 
>> documentation appears to be equivalent to 
>> ‘TO!msDS-ManagedPasswordInterval × 24’, which would produce a quantity 
>> in hours.
>>
>> If GKDIRolloverInterval is meant to be a FILETIME, I think the correct 
>> expression should be:
>>
>> TO!msDS-ManagedPasswordInterval × 24 × 60 × 60 × 10⁷
>>
>> This gives an answer consistent with the results I’m seeing from Windows.
>>
>> Regards,
>> Joseph
> 
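
The two calculations compared in this thread, as an added example that is not part of the original messages or of any project's code. It assumes KeyCycleDuration is 10 hours (360,000,000,000 in 100 ns units), a value the thread does not state, and that the division is integer division; the function names are hypothetical.

```python
# Added example. Assumptions not stated in the thread: KEY_CYCLE_DURATION is
# 10 hours, and "/" in the documented expression is integer division.
HOUR = 36_000_000_000            # one hour as a FILETIME (100 ns units)
DAY = 24 * HOUR                  # 864,000,000,000, one day as a FILETIME
KEY_CYCLE_DURATION = 10 * HOUR   # assumed value

def unrounded_interval(interval_days):
    """First suggestion in the thread: days x 24 x 60 x 60 x 10^7."""
    return interval_days * 24 * 60 * 60 * 10**7

def rollover_interval(interval_days):
    """Documented expression with the interval first scaled by one hour
    as a FILETIME, so the result is rounded down to a whole key cycle."""
    scaled = interval_days * HOUR  # TO!msDS-ManagedPasswordInterval x 36e9
    return (scaled * 24 // KEY_CYCLE_DURATION) * KEY_CYCLE_DURATION

def rollover_interval_from_filetime(interval_filetime):
    """Simplified form: interval already converted from days to a FILETIME."""
    return (interval_filetime // KEY_CYCLE_DURATION) * KEY_CYCLE_DURATION

def disagreeing_days(max_days):
    """Intervals (in days) where the unrounded value differs from the
    rounded one."""
    return [d for d in range(1, max_days + 1)
            if unrounded_interval(d) != rollover_interval(d)]

if __name__ == "__main__":
    for days in (1, 5, 7, 30):
        print(days, unrounded_interval(days), rollover_interval(days))
    print("differ for:", disagreeing_days(10))
```

Under these assumptions the two values agree only when the interval in days is a multiple of five.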
