[cifs-protocol] What are the POLICY_DOMAIN_KERBEROS_TICKET_INFO flags?
Hongwei Sun
hongweis at microsoft.com
Fri Aug 29 21:27:21 GMT 2008
Andrew,
We completed the investigation for your questions. The following is the information that will be added to MS-LSAD 2.2.53 in a future release.
"AuthenticationOptions contains optional flags that affect validations performed during authentication. The only flag currently defined is POLICY_KERBEROS_VALIDATE_CLIENT (0x00000080). When the POLICY_KERBEROS_VALIDATE_CLIENT flag is set, during a TGS request, the KDC will check the client account for account restriction if the client account is in the local domain *and* the client was authenticated more than 20 minutes ago."
Please let us know if you need further clarification.
Thanks
----------------------------------------------------------
Hongwei Sun - Sr. Support Escalation Engineer
DSC Protocol Team, Microsoft
hongweis at microsoft.com
Tel: 469-7757027 x 57027
-----------------------------------------------------------
-----Original Message-----
From: cifs-protocol-bounces+hongweis=microsoft.com at cifs.org [mailto:cifs-protocol-bounces+hongweis=microsoft.com at cifs.org] On Behalf Of Andrew Bartlett
Sent: Monday, August 25, 2008 8:31 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: [cifs-protocol] What are the POLICY_DOMAIN_KERBEROS_TICKET_INFO flags?
In MS-LSAD 2.2.53 POLICY_DOMAIN_KERBEROS_TICKET_INFO, it states:
AuthenticationOptions: Optional flags that affect validations performed during authentication.
What are the optional flags, what do they do, and where are they defined?
(this is the packet against Windows 2008)
trying QueryDomainInformationPolicy level 3
    lsa_QueryDomainInformationPolicy: struct lsa_QueryDomainInformationPolicy
        in: struct lsa_QueryDomainInformationPolicy
            handle : *
                handle: struct policy_handle
                    handle_type : 0x00000000 (0)
                    uuid : 5b01caf4-d140-4325-b851-18cafb0c251c
            level : 0x0003 (3)
    lsa_QueryDomainInformationPolicy: struct lsa_QueryDomainInformationPolicy
        out: struct lsa_QueryDomainInformationPolicy
            info : *
                info : union lsa_DomainInformationPolicy(case 3)
                kerberos_info: struct lsa_DomainInfoKerberos
                    enforce_restrictions : 0x00000080 (128)
                    service_tkt_lifetime : 0x00000053d1ac1000 (360000000000)
                    user_tkt_lifetime : 0x00000053d1ac1000 (360000000000)
                    user_tkt_renewaltime : 0x0000058028e44000 (6048000000000)
                    clock_skew : 0x00000000b2d05e00 (3000000000)
                    unknown6 : 0x0000000000000000 (0)
            result : NT_STATUS_OK
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
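
The flag semantics quoted in the reply, applied to the field values from the dump in the question. This is an added example, not part of either message and not Samba or Microsoft code. The function names are hypothetical, and the 100-nanosecond unit for the lifetime fields is an assumption.

```python
from datetime import datetime, timedelta, timezone

POLICY_KERBEROS_VALIDATE_CLIENT = 0x00000080  # the only flag named in the reply
REVALIDATE_AFTER = timedelta(minutes=20)      # threshold quoted in the reply

# Field values copied from the Windows 2008 dump in the question.
DUMP = {
    "enforce_restrictions": 0x00000080,
    "service_tkt_lifetime": 360000000000,
    "user_tkt_lifetime": 360000000000,
    "user_tkt_renewaltime": 6048000000000,
    "clock_skew": 3000000000,
}

def ticks_to_timedelta(ticks):
    # Assumption: the 64-bit fields count 100-nanosecond intervals.
    return timedelta(microseconds=ticks // 10)

def decode_policy(info):
    """Split the options word into known/unknown bits and convert durations."""
    opts = info["enforce_restrictions"]
    decoded = {
        "validate_client": bool(opts & POLICY_KERBEROS_VALIDATE_CLIENT),
        # Bits the reply does not define; a non-zero value deserves a closer look.
        "undefined_bits": opts & ~POLICY_KERBEROS_VALIDATE_CLIENT,
    }
    for name, ticks in info.items():
        if name != "enforce_restrictions":
            decoded[name] = ticks_to_timedelta(ticks)
    return decoded

def must_recheck_account(options, client_in_local_domain, auth_time, now):
    """True when, per the quoted text, a TGS request triggers the account check."""
    if not options & POLICY_KERBEROS_VALIDATE_CLIENT:
        return False
    if not client_in_local_domain:
        return False
    # "more than 20 minutes ago": strictly older than the threshold.
    return now - auth_time > REVALIDATE_AFTER

if __name__ == "__main__":
    for key, value in decode_policy(DUMP).items():
        print(f"{key:22} {value}")
    now = datetime(2008, 8, 29, 12, 0, tzinfo=timezone.utc)  # constructed times
    for age in (5, 20, 21):
        auth = now - timedelta(minutes=age)
        print(age, "min old:", must_recheck_account(0x80, True, auth, now))
```

Under the rule as quoted, a TGS request made within 20 minutes of the client's authentication is not re-checked even when the flag is set.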