[cifs-protocol] RE: KVNO of trusts
johndun at microsoft.com
Thu Oct 2 16:17:04 GMT 2008
We have concluded our investigation regarding this issue.
Question: "How do I determine what Key Version Number (kvno) to assign to trusted domain entities in the KDC?"
The key version number of the trust password for a trust object is set by making a LsarSetTrustedDomainInfoByName ([MS-LSAD] section 18.104.22.168.6) request when the trust is created. It is incremented by 1 each time the trust password is changed. The key version number can be determined at any time by making an LsarQueryTrustedDomainInfoByName request or parsing the trustAuthInfoIncoming/trustAuthInfoOutgoing attributes using the information provided in MS-ADTS section 22.214.171.124.1 and looking for an LSAPR_AUTH_INFORMATION structure with AuthType equal to TRUST_AUTH_TYPE_VERSION (3).
A change will be made to the [MS-ADA2] document section 2.235 Attribute msDS-KeyVersionNumber which will be similar to the following:
2.235 Attribute msDS-KeyVersionNumber
For a given user, computer or built-in account, this attribute specifies the Kerberos version number of the current key for that account. The Kerberos key version number for trusts is stored in the trusted domain object (TDO) whose object class is trustedDomain.
systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_IS_CONSTRUCTED
Version-Specific Behavior: Implemented on Windows Server 2003, Windows Server 2003 R2, and Windows Server 2008.
The schemaFlagsEx attribute was added to this attribute definition in Windows Server 2008.
Please let me know if this fully answers this issue.
Senior Escalation Engineer
Microsoft Corporation
US-CSS DSC PROTOCOL TEAM
Email: johndun at microsoft.com
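The reply above says the trust kvno is the LSAPR_AUTH_INFORMATION entry with AuthType TRUST_AUTH_TYPE_VERSION (3) inside the trust authentication attribute value (trustAuthIncoming/trustAuthOutgoing as named in the question), and that it goes up by one on every trust password change. The following is an added example written for this archive page; it is not code from the thread, from Microsoft or from Samba. It assumes the blob layout as I read it from the MS-ADTS trustAuthInfo section the reply cites: a 12-byte header (Count, byte offset of the current LSAPR_AUTH_INFORMATION array, byte offset of the previous array), then entries of LastUpdateTime (FILETIME), AuthType, AuthInfoLength, AuthInfo, padded to a 4-byte boundary, all little-endian. The sample blob, the password strings and the FILETIME values are constructed for the example; check the layout against the specification before using it on real directory data.

```python
"""Extract the trust kvno from a trustAuthIncoming/trustAuthOutgoing blob.

Layout assumed here (my reading of the MS-ADTS trustAuthInfo section; verify
against the spec):
  header: Count (u32) | CurrentOffset (u32) | PreviousOffset (u32)
  entry:  LastUpdateTime (u64 FILETIME) | AuthType (u32) | AuthInfoLength (u32)
          | AuthInfo (AuthInfoLength bytes) | zero pad to 4-byte boundary
"""
import struct

TRUST_AUTH_TYPE_NONE = 0
TRUST_AUTH_TYPE_NT4OWF = 1
TRUST_AUTH_TYPE_CLEAR = 2
TRUST_AUTH_TYPE_VERSION = 3  # AuthInfo is a 4-byte ULONG: the kvno

HEADER_FMT = "<III"        # Count, CurrentOffset, PreviousOffset
ENTRY_HDR_FMT = "<QII"     # LastUpdateTime, AuthType, AuthInfoLength
HEADER_LEN = struct.calcsize(HEADER_FMT)        # 12
ENTRY_HDR_LEN = struct.calcsize(ENTRY_HDR_FMT)  # 16


def _pad4(n):
    return (-n) % 4


def build_auth_info_array(entries):
    """entries: list of (last_update_filetime, auth_type, auth_info_bytes)."""
    out = bytearray()
    for last_update, auth_type, auth_info in entries:
        out += struct.pack(ENTRY_HDR_FMT, last_update, auth_type, len(auth_info))
        out += auth_info + b"\0" * _pad4(len(auth_info))
    return bytes(out)


def build_trust_auth_blob(current, previous):
    """Serialise current and previous arrays behind one Count header."""
    if len(current) != len(previous):
        raise ValueError("Count covers both arrays; lengths must match")
    cur = build_auth_info_array(current)
    prev = build_auth_info_array(previous)
    header = struct.pack(HEADER_FMT, len(current), HEADER_LEN, HEADER_LEN + len(cur))
    return header + cur + prev


def parse_auth_info_array(blob, offset, count):
    """Walk `count` LSAPR_AUTH_INFORMATION entries starting at `offset`,
    refusing to read past the end of the blob (a KDC must not trust lengths
    in directory data blindly)."""
    entries, pos = [], offset
    for _ in range(count):
        if pos + ENTRY_HDR_LEN > len(blob):
            raise ValueError("truncated LSAPR_AUTH_INFORMATION header")
        last_update, auth_type, length = struct.unpack_from(ENTRY_HDR_FMT, blob, pos)
        pos += ENTRY_HDR_LEN
        if pos + length > len(blob):
            raise ValueError("AuthInfoLength runs past end of blob")
        entries.append((last_update, auth_type, blob[pos:pos + length]))
        pos += length + _pad4(length)
    return entries


def parse_trust_auth_blob(blob):
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than header")
    count, cur_off, prev_off = struct.unpack_from(HEADER_FMT, blob, 0)
    return {"current": parse_auth_info_array(blob, cur_off, count),
            "previous": parse_auth_info_array(blob, prev_off, count)}


def trust_kvno(blob, which="current"):
    """Return the kvno carried by the TRUST_AUTH_TYPE_VERSION entry of the
    chosen array, or None when no such entry is present (the thread does
    not say what a KDC should assume then, so the caller decides)."""
    for _, auth_type, auth_info in parse_trust_auth_blob(blob)[which]:
        if auth_type == TRUST_AUTH_TYPE_VERSION:
            if len(auth_info) != 4:
                raise ValueError("VERSION entry must carry a 4-byte ULONG")
            return struct.unpack("<I", auth_info)[0]
    return None


def rotate_trust_password(blob, new_secret_utf16, now_filetime):
    """Model a trust password change: the old current set becomes previous,
    the new current set carries the new CLEAR secret and kvno + 1."""
    parsed = parse_trust_auth_blob(blob)
    old_kvno = trust_kvno(blob)
    if old_kvno is None:
        raise ValueError("cannot increment: current set has no VERSION entry")
    new_current = [
        (now_filetime, TRUST_AUTH_TYPE_CLEAR, new_secret_utf16),
        (now_filetime, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", old_kvno + 1)),
    ]
    return build_trust_auth_blob(new_current, parsed["current"])


def sample_blob():
    """Constructed sample: current kvno 5, previous kvno 4. Secrets are
    UTF-16LE as a CLEAR entry would hold them; FILETIMEs are made up."""
    t = 128_000_000_000_000_000
    current = [(t, TRUST_AUTH_TYPE_CLEAR, "Tr0ub4dor".encode("utf-16-le")),
               (t, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 5))]
    previous = [(t - 1, TRUST_AUTH_TYPE_CLEAR, "OldSecret".encode("utf-16-le")),
                (t - 1, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 4))]
    return build_trust_auth_blob(current, previous)


if __name__ == "__main__":
    b = sample_blob()
    print("current kvno:", trust_kvno(b), "previous kvno:", trust_kvno(b, "previous"))
    print("after rotation:", trust_kvno(rotate_trust_password(b, "NewSecret".encode("utf-16-le"), 1)))
```

The nine-character secrets are chosen so that the 18-byte AuthInfo needs two bytes of padding, which is where a hand-written parser usually goes wrong. Keeping the previous array available matters for a KDC: tickets issued under the old trust key are still in flight after a rotation, so the old kvno and key must be served until they expire.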
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, September 02, 2008 11:13 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: KVNO of trusts
How do I determine what Key Version Number (kvno) to assign to trusted domain entities in the KDC?
For normal users, we have msDS-KeyVersionNumber, but as per our previous discussions, trusts do not need cn=user type objects for interoperability (a point I dispute, but regardless). So, what is the source of the key version number for these principals?
(Is it the 'for NETLOGON use' version number in the trustAuthIncoming and trustAuthOutgoing attributes, for example?)
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.