[cifs-protocol] What are the POLICY_DOMAIN_KERBEROS_TICKET_INFO flags?

Hongwei Sun hongweis at microsoft.com
Fri Aug 29 21:27:21 GMT 2008


  We completed the investigation for your questions.  The following is the information that will be added to MS-LSAD 2.2.53 in the future release.

   "AuthenticationOptions  contains optional flags that affect validations preformed during authentication.  The only flag currently defined is POLICY_KERBEROS_VALIDATE_CLIENT(0x00000080).    When the POLICY_KERBEROS_VALIDATE_CLIENT flag is set, during a TGS request, the KDC will check the client account for account restriction if the client account is in the local domain *and* the client was authenticated more than 20 minutes ago. "

   Please let us know if you need further clarification.


Hongwei  Sun - Sr. Support Escalation Engineer
DSC Protocol  Team, Microsoft
hongweis at microsoft.com
Tel:  469-7757027 x 57027

-----Original Message-----
From: cifs-protocol-bounces+hongweis=microsoft.com at cifs.org [mailto:cifs-protocol-bounces+hongweis=microsoft.com at cifs.org] On Behalf Of Andrew Bartlett
Sent: Monday, August 25, 2008 8:31 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: [cifs-protocol] What are the POLICY_DOMAIN_KERBEROS_TICKET_INFO flags?


AuthenticationOptions: Optional flags that affect validations performed during authentication.

What are the optional flags, what do they do, and where are they defined?

(this is the packet against Windows 2008)

trying QueryDomainInformationPolicy level 3
    lsa_QueryDomainInformationPolicy: struct lsa_QueryDomainInformationPolicy
        in: struct lsa_QueryDomainInformationPolicy
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 5b01caf4-d140-4325-b851-18cafb0c251c
            level                    : 0x0003 (3)
    lsa_QueryDomainInformationPolicy: struct lsa_QueryDomainInformationPolicy
        out: struct lsa_QueryDomainInformationPolicy
            info                     : *
                info                     : union lsa_DomainInformationPolicy(case 3)
                kerberos_info: struct lsa_DomainInfoKerberos
                    enforce_restrictions     : 0x00000080 (128)
                    service_tkt_lifetime     : 0x00000053d1ac1000 (360000000000)
                    user_tkt_lifetime        : 0x00000053d1ac1000 (360000000000)
                    user_tkt_renewaltime     : 0x0000058028e44000 (6048000000000)
                    clock_skew               : 0x00000000b2d05e00 (3000000000)
                    unknown6                 : 0x0000000000000000 (0)
            result                   : NT_STATUS_OK


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list