[cifs-protocol] RE: How are disabled accounts handled in SNTP

Andrew Bartlett abartlet at samba.org
Wed Jun 11 01:12:11 GMT 2008

On Tue, 2008-06-10 at 11:52 -0700, Richard Guthrie wrote:
> Andrew,
> In response to question 1, 2 & 3 involving the MS-SNTP document, section 3.2.5 specifies the following:
> If the server fails to retrieve the cryptographic keys or to compute the crypto-checksum, the server SHOULD<16> fail the authentication and ignore the request without responding.
> Note 16 further clarifies the behavior of a couple of flavors of the server operating system as:
> <16> Section 3.2.5: Windows NTP servers in Windows 2000, Windows XP, and Windows Server 2003 do not honor the above "SHOULD". Instead, they respond to the request. In Windows 2000, the server responds with a Server NTP Response message without an Authenticator field if authentication fails. In Windows XP and Windows Server 2003, the server responds with a Server NTP Response message that includes an Authenticator field in which the Crypto-Checksum subfield is set to zero.
> In Windows Server 2008, in the case of the read-only domain controller (RODC) as the server, if the RODC does not store the cryptographic key locally, the server validates the RID. If the RID identifies a valid object, the server forwards the original Client NTP Request message to its own time source, which must be a writable domain controller. The writable domain controller that has the cryptographic key authenticates the client's request instead. On receiving the response from the writable domain controller, the RODC forwards the response to the client. This process is known as "chaining". If the RID is not identified as a valid object, the server fails the authentication and ignores the request without responding.
> In addition you can reference section of the MS-NRPC
> documentation which discusses invalid accounts or accounts that could
> not be found.  This covers what the response should look like when
> authentication fails which I think answers question 3 and the behavior
> when the account is disabled.

As alternate implementations do not need to call
NetrLogonComputeServerDigest (nor is this referenced in the spec) can
you please move or reference the discussion of how accounts are
described as 'invalid' to the SNTP doc?

> Let me know if closes these issues.

As it appears the only control is on accounts marked disabled, the
security section needs to detail the attacks that should be considered
against accounts that are expired or otherwise unavailable, but not
marked 'disabled'.  (Unless of course machine accounts are not subject
to such restrictions, in which case it should be clarified). 

Regardless (but perhaps you are dealing with this separately) the issue
of offline password attacks needs to be considered in the security

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080611/d7d8878f/attachment-0001.bin

More information about the cifs-protocol mailing list