[cifs-protocol] RE: 601628 RE: Mapping of MS-LSAD onto LDAP and DRS replications
Andrew Bartlett
abartlet at samba.org
Tue Aug 26 22:25:21 GMT 2008
On Tue, 2008-08-26 at 11:11 -0700, Richard Guthrie wrote:
> Andrew,
>
> The link between G$$<trusted domain secrets> and trustAuthIncoming is
> that G$$<trusted domain secrets> is where the password for the trust
> was stored prior to active directory (I.E. NT4 for example). If the
> trust is a trust between Active Directory enabled domains, the TDO
> object is where the trust passwords are stored. I was mistaken when I
> spoke previously, stating that if you use the method
> LsarSetTrustedDomainInfo with
> InformationClass==TrustedPasswordInformation you would be able to
> modify trustAuthIncoming/ trustAuthOutgoing values. You can only
> modify secret objects when you have
> InformationClass==TrustedPasswordInformation. If you want to
> manipulate trustAuthIncoming/trustAuthOutgoing, you would need to set
> InformationClass = TrustedDomainInformationEx. One point to note is
> that this method requires all the fields on the TDO passed in the
> TrustedDomainInformation object be set properly. The preferred means
> of modifying trustAuthIncoming/trustAuthOutgoing attributes on the TDO
> is through the use of LsarSetInformationTrustedDomain.
>
> We have also made a modification to the MS-LSAD document for section
> 3.1.4.7.3 to make the portion about TrustedPasswordInformation more
> clear that it refers to manipulation of a secret object. Here is the
> revised text below with the reference to section 3.1.1.4:
>
> TrustedPasswordInformation: The server MUST verify that a trusted
> domain object with this SID exists in its policy database. If the
> object does not exist, the call MUST fail with STATUS_NO_SUCH_DOMAIN.
> Otherwise, the server MUST open the secret object, as defined in
> section 3.1.1.4, (or create a secret object, if one does not already
> exist) with "Name" set to "G$$<Trusted Domain Name>". The server MUST
> then set "Old Value" of the secret object to the "OldPassword" value
> in TrustedDomainInformation and set "New Value" of the secret object
> to the "Password" value in TrustedDomainInformation, similar to the
> processing when an LsarSetSecret request has been made.
>
> Please let us know if you have any additional questions regarding this
> issue.
So, the secrets are another parallel to the trustAuthIncoming and
trustAuthOutgoing? The modified text does not reference
trustAuthIncoming or trustAuthOutgoing, so I'm confused.
Also, how is the cn=users object influenced by these calls?
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
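The processing rule quoted above (MS-LSAD 3.1.4.7.3, TrustedPasswordInformation) can be modelled in a few lines. The block below is an added illustration written for this page; it is not Samba code and not Microsoft's implementation. It keeps only what the quoted text states: look up the TDO by SID in the policy database, fail with STATUS_NO_SUCH_DOMAIN if absent, otherwise open or create the secret object named "G$$<Trusted Domain Name>" and set its "Old Value" and "New Value" from OldPassword and Password. The in-memory policy database, the class names, the sample SID and domain name are all constructed for the example; the point it makes visible is the one in the reply, namely that this information class touches the secret object and leaves trustAuthIncoming/trustAuthOutgoing on the TDO untouched.

```python
"""Model of the MS-LSAD TrustedPasswordInformation processing rule.

Added example, not Samba or Microsoft code.  The policy database, TDO and
secret records are plain in-memory structures constructed here; only the
secret-name convention ("G$$<Trusted Domain Name>") and the error code come
from the quoted spec text.
"""
from dataclasses import dataclass, field

STATUS_SUCCESS = 0x00000000
STATUS_NO_SUCH_DOMAIN = 0xC00000DF  # NTSTATUS code named in the quoted text


@dataclass
class TrustedDomainObject:
    """Trusted domain object (TDO) as it appears in the policy database."""
    sid: str
    name: str                          # name used to form the G$$ secret name
    trust_auth_incoming: bytes = b""   # trustAuthIncoming attribute (assumed blob)
    trust_auth_outgoing: bytes = b""   # trustAuthOutgoing attribute (assumed blob)


@dataclass
class SecretObject:
    """Secret object as defined in MS-LSAD 3.1.1.4: a Name plus Old/New values."""
    name: str
    old_value: bytes = b""
    new_value: bytes = b""


@dataclass
class PolicyDatabase:
    """Constructed in-memory stand-in for the server's policy database."""
    tdos: dict = field(default_factory=dict)     # SID  -> TrustedDomainObject
    secrets: dict = field(default_factory=dict)  # Name -> SecretObject

    def open_or_create_secret(self, name: str) -> SecretObject:
        # "open the secret object ... (or create a secret object, if one does
        # not already exist)"
        return self.secrets.setdefault(name, SecretObject(name))


def set_trusted_domain_password_info(db: PolicyDatabase, sid: str,
                                     password: bytes, old_password: bytes) -> int:
    """LsarSetTrustedDomainInfo with InformationClass == TrustedPasswordInformation.

    Returns an NTSTATUS value.  Only the G$$ secret object is written; the
    TDO's trustAuthIncoming/trustAuthOutgoing attributes are not touched.
    """
    tdo = db.tdos.get(sid)
    if tdo is None:
        return STATUS_NO_SUCH_DOMAIN
    secret = db.open_or_create_secret("G$$" + tdo.name)
    secret.old_value = old_password   # "Old Value" <- OldPassword
    secret.new_value = password       # "New Value" <- Password
    return STATUS_SUCCESS


def demo() -> PolicyDatabase:
    """Build a constructed database with one TDO and exercise both outcomes."""
    db = PolicyDatabase()
    db.tdos["S-1-5-21-1-2-3"] = TrustedDomainObject(
        sid="S-1-5-21-1-2-3", name="EXAMPLE",
        trust_auth_incoming=b"incoming-blob", trust_auth_outgoing=b"outgoing-blob")
    # Unknown SID: the call must fail and must not create any secret.
    assert set_trusted_domain_password_info(
        db, "S-1-5-21-9-9-9", b"pw", b"oldpw") == STATUS_NO_SUCH_DOMAIN
    assert not db.secrets
    # Known SID: secret is created and populated, TDO attributes unchanged.
    assert set_trusted_domain_password_info(
        db, "S-1-5-21-1-2-3", b"new-trust-pw", b"old-trust-pw") == STATUS_SUCCESS
    return db


if __name__ == "__main__":
    database = demo()
    print(database.secrets["G$$EXAMPLE"])
    print(database.tdos["S-1-5-21-1-2-3"])
```

Running the module prints the populated G$$EXAMPLE secret followed by the TDO, whose trustAuthIncoming/trustAuthOutgoing blobs are the same as before the call, which is exactly the distinction the reply draws between TrustedPasswordInformation and the information classes that write the TDO itself.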