[cifs-protocol] RE: Mapping of MS-LSAD onto LDAP and DRS replications

Richard Guthrie rguthrie at microsoft.com
Fri Aug 1 14:40:07 GMT 2008


Andrew,

The trace you sent previously lines up with the expected behavior the documentation defines (this was also verified with a review of the code).  You can see starting with packet 530 that the client tells the server that it does support signing, but the server responds in packet 534 that it does not.  From there, frames 535-538 show the client and server not using header signing for the remainder of the conversation, which is in line with the documentation.  We do see the client and server encrypting the body of the request as per the authentication level being set to Privacy.

Can you send a capture that exhibits the behavior you describe with NTLMv2 as well as clarify your comments about behavior you have seen in the past?  Basically I need as much information as you can provide on the behavior you have experienced to help understand the problem.  This would help to isolate the behavior you are seeing and complete additional analysis as required.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, July 29, 2008 11:46 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: Mapping of MS-LSAD onto LDAP and DRS replications

On Fri, 2008-07-25 at 06:21 -0700, Richard Guthrie wrote:
> Andrew,
>
> I wanted to follow up on our conversation regarding LSA and your
> discussion on its backing data store.

> Please review and let us know if this answers your question?

I think it does with respect to the privileges (I need to spend some more time to understand this area), but not regarding the rest of the document.  For example, there is no link between the trusted domain manipulation methods and the discussion in MS-ADTS of the storage of trusted domain objects (where the information is for the most part more clearly specified).

While privileges may not be stored in the directory (where are they stored in Windows?), the rest of the elements discussed in this protocol are, as far as I know.

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

