[cifs-protocol] format of password attributes in AD

Richard Guthrie rguthrie at microsoft.com
Thu Jun 12 15:38:04 GMT 2008


I wanted to ensure I understand your question so please validate the following:

The MS-ADTS document, section Extended Access checks is missing information that describes the format of the attributes listed in the table.  Your question relates to syncing these attributes via Directory Replication as described in MS-DRSR.  The table indicates "Access is never granted." What is the format of these attributes when synced via DRS?

Is this a correct interpretation of your question?

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, June 09, 2008 6:14 PM
To: Richard Guthrie
Cc: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: [cifs-protocol] format of password attributes in AD

On Mon, 2008-06-09 at 11:36 -0700, Richard Guthrie wrote:
> Andrew,
> I have been tasked with working on this issue and will be sending you
> another mail shortly with a summary of the questions I think you are
> asking.  Is this issue a blocking issue for you or are you able to
> work around it?

It is blocking us deploying a KDC supporting AES, as we want to ensure
we can import AES keys from Windows.   (We don't maintain a separate
'native' format for these keys, we just use the supplementaryCredentials).

I'm trying to determine it by examining attribute examples over DRS, but I need to beat up Win2008 some more before I get DRS working to it :-)

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
