[cifs-protocol] RE: LSA and trusted domains overview (SRX080902600070)

Bill Wesse billwe at microsoft.com
Mon Nov 10 18:58:39 GMT 2008

Hello Andrew - I agree with you totally, and can't thank you enough for the questions you listed.

So, given the scope of what needs to be accomplished here - and who should perform the work - we have brought a number of internal parties into deciding precisely that. At this time, I cannot hazard a guess as to how much of this will be part of our in-progress system documents, or how much will be authored in my group, and how much in documentation development.

I do, however, expect this will be resolved within the next week, and I will notify you as soon as the determination is made.

Bill Wesse
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Sunday, November 09, 2008 6:06 PM
To: Bill Wesse
Cc: 'pfif at tridgell.net'; 'cifs-protocol at samba.org'
Subject: RE: LSA and trusted domains overview (SRX080902600070)

On Fri, 2008-11-07 at 09:05 -0800, Bill Wesse wrote:
> Good morning again Andrew. I have (once again) attached the latest
> copy of the document. This document will not be part of the protocol
> documentation set.
> Aside from the unencrypted versions of the network frames in the
> document (which I will get to as soon as I can), I would like to know
> if I have answered all of your questions - and where I may have missed
> the target.

Sadly, this is way off target.  I meant it when I said it was a good start - this is the first chapter, not the complete reference.

A trusted domain relationship exists to be used - I need to have a clear overview of how authentication and other information flows between trusted domains.  Is DRS synchronisation used?  How is it used and between what trust types?  How does a domain know which other domain to contact about an attempted login with a user principal name?  How are the transitive trust relationships followed to allow access to a resource in some far-away domain?  When a user (from a trusted domain) is added to a security descriptor, how is that name resolved?  What purpose does the global catalog take in trusted domain environments and how is it consulted when dealing with inter-forest trusts?

These are just some of the questions I would expect an overview of trusted domains to show (with links to the explicit details of calls, but 200 pages of packet captures isn't a substitute for real detail).

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
