[cifs-protocol] RE: 600146 RE: How are disabled accounts handled in SNTP

Richard Guthrie rguthrie at microsoft.com
Tue Jul 22 21:52:09 GMT 2008


I have completed my research with respect to which object classes are able to make an authenticated call to an SNTP server. In a Windows environment, this includes objects in Active Directory with an object class equal to computer or user. Objects of type user show up in the scenario in which you are making a call to a time server in another domain or another forest where there exists a trust relationship between either the two domains or the two forests. In this case the trust account will be used.

Let us know if you have any further questions.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, June 24, 2008 6:04 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: 600146 RE: How are disabled accounts handled in SNTP

On Mon, 2008-06-23 at 08:48 -0700, Richard Guthrie wrote:
> Andrew,
> I have completed my research with regard to question 4.  The
> authenticated SNTP request uses RIDs of trusted accounts. There is
> nothing in the protocol to exclude non-computer objects, or using
> RIDs of accounts which are disabled or not able to log in.

so, this is objects with objectClass=?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
