[cifs-protocol] 600606 RE: How are disabled accounts handled in SNTP

Richard Guthrie rguthrie at microsoft.com
Wed Jul 2 14:30:50 GMT 2008


Andrew,

I have completed my research with respect to NetrServerAuthenticate3.  Your original question was around whether there are any other methods other than NetrServerAuthenticate3 that return the RID of the authenticated account in a thread on MS-SNTP.  With respect to MS-SNTP and the Windows Time Service, it starts account authentication with a call to NetrLogonGetTrustRid.  The documentation discusses the Netlogon method NetrLogonGetTrustRid (http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-SNTP%5D.pdf) in section 1.5.2 of the current doc set.

This method under the covers makes a call to NetrServerAuthenticate3 in the case where the time service is located on a member server.  Details of NetrServerAuthenticate3 can be found here (http://msdn.microsoft.com/en-us/library/cc208186.aspx).  The RID is retrieved as a return value from establishment of a session key used for the secure channel.

If however the time service is located on a DC that is in the domain of the account to be authenticated, NetrLogonGetTrustRid looks at the local SAM database to get the account and its associated RID.  There never is a call to NetrServerAuthenticate3 in this case.

I have requested that the MS-NRPC documentation (section 3.5.4.7.1) be updated to reflect this and will let you know the results of that investigation.  Does this answer your question?


Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted


-----Original Message-----
From: Richard Guthrie
Sent: Friday, June 27, 2008 4:57 PM
To: Andrew Bartlett
Subject: RE: How are disabled accounts handled in SNTP

Andrew,

I think this is the method you are referring to NetrServerAuthenticate3 (http://msdn.microsoft.com/en-us/library/cc208186.aspx) when you say ServerAuthenticate3.  Can you confirm for me?  I just did not want to go down the wrong path.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com
We're hiring
________________________________________
From: Andrew Bartlett [abartlet at samba.org]
Sent: Thursday, June 26, 2008 6:58 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How are disabled accounts handled in SNTP

On Thu, 2008-06-26 at 08:50 -0700, Richard Guthrie wrote:
> We are not able to find API ServerAuthenticate3 in our API set. We think you were referring to the process described in section 1.5.2 of the [MS-SNTP] document, is that correct?

As stated below, this is a NETLOGON API.  As an outside observer,
Windows clients appear to use the extended ServerAuthenticate3 netlogon
call because it returns the RID, used for this protocol.

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

