[cifs-protocol] RE: KVNO of trusts
abartlet at samba.org
Fri Oct 3 17:04:29 GMT 2008
On Thu, 2008-10-02 at 09:17 -0700, John Dunning wrote:
> Hello Andrew,
> We have concluded our investigation regarding this issue.
> Question: "How do I determine what Key Version Number (kvno) to assign to trusted domain entities in the KDC?"
> The key version number of the trust password for a trust object is set
> by making a LsarSetTrustedDomainInfoByName ([MS-LSAD] section
> 184.108.40.206.6) request when the trust is created. It is incremented by 1
> each time the trust password is changed. The key version number can be
> determined at any time by making an LsarQueryTrustedDomainInfoByName
> request or parsing the trustAuthInfoIncoming/trustAuthInfoOutgoing
> attributes using the information provided in MS-ADTS section
> 220.127.116.11.1 and looking for an LSAPR_AUTH_INFORMATION structure with
> AuthType equal to TRUST_AUTH_TYPE_VERSION (3).
Great. What is the kvno if the client does not provide one in that
structure, when it initially calls CreateTrustedDomainEx? (I think it
> A change will be made to the [MS-ADA2]document section 2.235 Attribute msDS-KeyVersionNumber which will be similar to the following:
> 2.235 Attribute msDS-KeyVersionNumber
> For a given user, computer or built-in account, this attribute
> specifies the Kerberos version number of the current key for that
> account. The Kerberos key version number for trusts is stored in the
> trusted domain object (TDO) whose object class is trustedDomain
Can i suggest a slight rewording:
For a trusted domain (objectClass trustedDomain), the Kerberos key
version number is stored in the trusted domain object (TDO), embedded in
the trustAuthIncoming and trustAuthOutgoing attributes.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20081003/23093a86/attachment.bin
More information about the cifs-protocol