[cifs-protocol] What are the POLICY_DOMAIN_KERBEROS_TICKET_INFO flags?

Andrew Bartlett abartlet at samba.org
Fri Aug 29 22:14:50 GMT 2008

On Fri, 2008-08-29 at 14:27 -0700, Hongwei Sun wrote:
> Andrew,
>   We completed the investigation for your questions.  The following is
> the information that will be added to MS-LSAD 2.2.53 in the future
> release.
>    "AuthenticationOptions  contains optional flags that affect
> validations preformed during authentication.  The only flag currently
> defined is POLICY_KERBEROS_VALIDATE_CLIENT(0x00000080).    When the
> POLICY_KERBEROS_VALIDATE_CLIENT flag is set, during a TGS request, the
> KDC will check the client account for account restriction if the
> client account is in the local domain *and* the client was
> authenticated more than 20 minutes ago. "
>    Please let us know if you need further clarification.

That looks good, thanks!

With that clue, think you need to add a cross-reference to
AUTH_REQ_VALIDATE_CLIENT in MS-KILE.  If they are the same flag, it
would be great if the names could be lined up.


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080830/1ca14929/attachment-0001.bin

More information about the cifs-protocol mailing list