[cifs-protocol] RE: Secret 'last set times' doc incorrect in 2008 - 600578

Richard Guthrie rguthrie at microsoft.com
Tue Aug 26 21:21:01 GMT 2008


I will be working with you to resolve your issue.  I had a quick question to help with our research:

If you have a secret object with old/new secret values set.  They also both have a timestamp indicating when the values were last updated/set.  You call LsarSetSecret passing in null for new secret value and some value for old secret value.  You observe that the old secret value timestamp = ?. You observe that the new secret value timestamp = ? (Please let me know what these values are in the test you reference).

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, August 25, 2008 7:01 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Secret 'last set times' doc incorrect in 2008

In MS-LSAD LsarSetSecret it states that:

The server MUST also maintain "time stamp" values for current and old values of the secret object.
The following table lists the rules by which the time stamps are computed.
                          Value         Effect on old time                 Effect on new time
  Old secret value        NULL          Old value of "new secret time"     Not applicable
  Old secret value        Non-NULL      Current server time                Not applicable
  New secret value        NULL          Not applicable                     Current server time
  New secret value        Non-NULL      Not applicable                     Current server time

However, tests against Windows 2008 show that setting the old value (but not the new) removes the new value, and sets the time to 'current server time'.

Please update the docs,


Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
