[cifs-protocol] RE: 601628 RE: Mapping of MS-LSAD onto LDAP and DRS
abartlet at samba.org
Tue Aug 26 22:25:21 GMT 2008
On Tue, 2008-08-26 at 11:11 -0700, Richard Guthrie wrote:
> The link between G$$<trusted domain secrets> and trustAuthIncoming is
> that G$$<trusted domain secrets> is where the password for the trust
> was stored prior to Active Directory (i.e. NT4, for example). If the
> trust is a trust between Active Directory enabled domains, the TDO
> object is where the trust passwords are stored. I was mistaken when I
> spoke previously, stating that if you use the method
> LsarSetTrustedDomainInfo with
> InformationClass==TrustedPasswordInformation you would be able to
> modify trustAuthIncoming/trustAuthOutgoing values. You can only
> modify secret objects when you have
> InformationClass==TrustedPasswordInformation. If you want to
> manipulate trustAuthIncoming/trustAuthOutgoing, you would need to set
> InformationClass = TrustedDomainInformationEx. One point to note is
> that this method requires all the fields on the TDO passed in the
> TrustedDomainInformation object be set properly. The preferred means
> of modifying trustAuthIncoming/trustAuthOutgoing attributes on the TDO
> is through the use of LsarSetInformationTrustedDomain.
> We have also made a modification to the MS-LSAD document for section
> 126.96.36.199.3 to make the portion about TrustedPasswordInformation more
> clear that it refers to manipulation of a secret object. Here is the
> revised text below with the reference to section 188.8.131.52:
> TrustedPasswordInformation: The server MUST verify that a trusted
> domain object with this SID exists in its policy database. If the
> object does not exist, the call MUST fail with STATUS_NO_SUCH_DOMAIN.
> Otherwise, the server MUST open the secret object, as defined in
> section 184.108.40.206, (or create a secret object, if one does not already
> exist) with "Name" set to "G$$<Trusted Domain Name>". The server MUST
> then set "Old Value" of the secret object to the "OldPassword" value
> in TrustedDomainInformation and set "New Value" of the secret object
> to the "Password" value in TrustedDomainInformation, similar to the
> processing when an LsarSetSecret request has been made.
> Please let us know if you have any additional questions regarding this
So, the secrets are another parallel to the trustAuthIncoming and
trustAuthOutgoing? The modified text does not reference
trustAuthIncoming or trustAuthOutgoing, so I'm confused.
Also, how is the cn=users object influenced by these calls?
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.