[cifs-protocol] RE: 601628 RE: Mapping of MS-LSAD onto LDAP and DRS replications

Andrew Bartlett abartlet at samba.org
Tue Aug 26 22:25:21 GMT 2008

On Tue, 2008-08-26 at 11:11 -0700, Richard Guthrie wrote:
> Andrew,
> The link between G$$<trusted domain secrets> and trustAuthIncoming is
> that G$$<trusted domain secrets> is where the password for the trust
> was stored prior to active directory (I.E. NT4 for example).  If the
> trust is a trust between Active Directory enabled domains, the TDO
> object is where the trust passwords are stored.  I was mistaken when I
> spoke previously, stating that if you use the method
> LsarSetTrustedDomainInfo with
> InformationClass==TrustedPasswordInformation you would be able to
> modify trustAuthIncoming/ trustAuthOutgoing values.  You can only
> modify secret objects when you have
> InformationClass==TrustedPasswordInformation.  If you want to
> manipulate trustAuthIncoming/trustAuthOutgoing, you would need to set
> InformationClass = TrustedDomainInformationEx.  One point to note is
> that this method requires all the fields on the TDO passed in the
> TrustedDOmainInformation object be set properly.  The preferred means
> of modifying trustAuthIncoming/trustAuthOutgoing attributes on the TDO
> is through the use of LsarSetInformationTrustedDomain.
> We have also made a modification to the MS-LSAD document for section
> to make the portion about TrustedPasswordInformation more
> clear that it refers to manipulation of a secret object.  Here is the
> revised text below with the reference to section
> TrustedPasswordInformation: The server MUST verify that a trusted
> domain object with this SID exists in its policy database. If the
> object does not exist, the call MUST fail with STATUS_NO_SUCH_DOMAIN.
> Otherwise, the server MUST open the secret object, as defined in
> section, (or create a secret object, if one does not already
> exist) with "Name" set to "G$$<Trusted Domain Name>". The server MUST
> then set "Old Value" of the secret object to the "OldPassword" value
> in TrustedDomainInformation and set "New Value" of the secret object
> to the "Password" value in TrustedDomainInformation, similar to the
> processing when an LsarSetSecret request has been made.
> Please let us know if you have any additional questions regarding this
> issue.

So, the secrets are another parallel to the trustAuthIncoming and
trustAuthOutgoing?  The modified text does not reference
trustAuthIncoming or trustAuthOutgoing, so I'm confused.

Also, how do the cn=users object is influenced by these calls?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080827/57a63bb1/attachment.bin

More information about the cifs-protocol mailing list