[cifs-protocol] RE: KVNO of trusts

Andrew Bartlett abartlet at samba.org
Fri Oct 3 17:04:29 GMT 2008


On Thu, 2008-10-02 at 09:17 -0700, John Dunning wrote:
> Hello Andrew,
> 
> We have concluded our investigation regarding this issue.
> 
> Question: "How do I determine what Key Version Number (kvno) to assign to trusted domain entities in the KDC?"
> 
> Answer:
> The key version number of the trust password for a trust object is set
> by making a LsarSetTrustedDomainInfoByName ([MS-LSAD] section
> 3.1.4.7.6) request when the trust is created. It is incremented by 1
> each time the trust password is changed. The key version number can be
> determined at any time by making an LsarQueryTrustedDomainInfoByName
> request or parsing the trustAuthInfoIncoming/trustAuthInfoOutgoing
> attributes using the information provided in MS-ADTS section
> 7.1.6.9.1 and looking for an LSAPR_AUTH_INFORMATION structure with
> AuthType equal to TRUST_AUTH_TYPE_VERSION (3).

Great.  What is the kvno if the client does not provide one in that
structure, when it initially calls CreateTrustedDomainEx?  (I think it
is -1)

> A change will be made to the [MS-ADA2] document section 2.235 Attribute msDS-KeyVersionNumber which will be similar to the following:
> 
> 2.235 Attribute msDS-KeyVersionNumber
> For a given user, computer or built-in account, this attribute
> specifies the Kerberos version number of the current key for that
> account. The Kerberos key version number for trusts is stored in the
> trusted domain object (TDO) whose object class is trustedDomain.

Can I suggest a slight rewording:

For a trusted domain (objectClass trustedDomain), the Kerberos key
version number is stored in the trusted domain object (TDO), embedded in
the trustAuthIncoming and trustAuthOutgoing attributes. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
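Added example, not part of the thread and not Samba's code: a small parser that walks a trustAuthIncoming/trustAuthOutgoing value and pulls out the entry with AuthType TRUST_AUTH_TYPE_VERSION (3), which is the lookup the answer above describes. The blob layout it assumes (a 12-byte header of count, current-array offset and previous-array offset, followed by entries of FILETIME, AuthType, AuthInfoLength, AuthInfo and 4-byte padding) is my reading of the MS-ADTS trustAuthInfo section; the sample blob, its password and timestamp are constructed here. A value with no version entry is reported as None, since the thread leaves that case open.

```python
"""Find the trust kvno inside a trustAuthIncoming / trustAuthOutgoing blob.

Constructed example (not Samba code). Assumed layout, little-endian throughout:
  header : count (u32), offset of current array (u32), offset of previous array (u32)
  entry  : LastUpdateTime (FILETIME u64), AuthType (u32), AuthInfoLength (u32),
           AuthInfo (AuthInfoLength bytes), zero padding to a 4-byte boundary
Both arrays hold `count` entries. AuthType values from [MS-LSAD]; 3 is the
one the thread names.
"""
import struct
from typing import List, Optional, Tuple

TRUST_AUTH_TYPE_NONE = 0
TRUST_AUTH_TYPE_NT4OWF = 1
TRUST_AUTH_TYPE_CLEAR = 2
TRUST_AUTH_TYPE_VERSION = 3

Entry = Tuple[int, int, bytes]  # (LastUpdateTime, AuthType, AuthInfo)


def _parse_entries(blob: bytes, offset: int, count: int) -> List[Entry]:
    """Decode `count` consecutive AuthInfo entries starting at `offset`."""
    entries: List[Entry] = []
    pos = offset
    for _ in range(count):
        if pos + 16 > len(blob):
            raise ValueError("truncated AuthInfo entry header")
        last_update, auth_type, length = struct.unpack_from("<QII", blob, pos)
        pos += 16
        if pos + length > len(blob):
            raise ValueError("AuthInfoLength runs past the end of the blob")
        data = blob[pos:pos + length]
        pos = (pos + length + 3) & ~3  # skip data plus alignment padding
        entries.append((last_update, auth_type, data))
    return entries


def parse_trust_auth_blob(blob: bytes) -> Tuple[List[Entry], List[Entry]]:
    """Return (current entries, previous entries); both empty when count is 0."""
    if len(blob) < 12:
        raise ValueError("blob too short for the 12-byte header")
    count, cur_off, prev_off = struct.unpack_from("<III", blob, 0)
    if count == 0:
        return [], []
    if cur_off < 12 or prev_off < cur_off:
        raise ValueError("implausible array offsets in header")
    return _parse_entries(blob, cur_off, count), _parse_entries(blob, prev_off, count)


def _version_of(entries: List[Entry]) -> Optional[int]:
    """The TRUST_AUTH_TYPE_VERSION value in an entry list, or None if absent."""
    for _, auth_type, data in entries:
        if auth_type == TRUST_AUTH_TYPE_VERSION:
            if len(data) != 4:
                raise ValueError("version entry must carry exactly 4 bytes")
            return struct.unpack("<I", data)[0]
    return None


def trust_kvnos(blob: bytes) -> Tuple[Optional[int], Optional[int]]:
    """(kvno of the current password, kvno of the previous password)."""
    current, previous = parse_trust_auth_blob(blob)
    return _version_of(current), _version_of(previous)


def trust_kvno(blob: bytes) -> Optional[int]:
    """The kvno a KDC would use now: the version in the current array."""
    return trust_kvnos(blob)[0]


def build_trust_auth_blob(current: List[Entry], previous: List[Entry]) -> bytes:
    """Inverse of the parser; used only to construct sample input here."""
    if len(current) != len(previous):
        raise ValueError("both arrays share one count field")

    def encode(entries: List[Entry]) -> bytes:
        out = bytearray()
        for last_update, auth_type, data in entries:
            out += struct.pack("<QII", last_update, auth_type, len(data)) + data
            out += b"\0" * ((-len(out)) % 4)  # pad entry to 4-byte boundary
        return bytes(out)

    cur, prev = encode(current), encode(previous)
    return struct.pack("<III", len(current), 12, 12 + len(cur)) + cur + prev


# Constructed sample: a trust whose password was changed once, so the
# current password is version 2 and the previous one version 1.
_T = 128_000_000_000_000_000  # arbitrary FILETIME, constructed
SAMPLE_BLOB = build_trust_auth_blob(
    current=[(_T, TRUST_AUTH_TYPE_CLEAR, "Passw0rd!".encode("utf-16-le")),
             (_T, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 2))],
    previous=[(_T, TRUST_AUTH_TYPE_CLEAR, "0ldPass".encode("utf-16-le")),
              (_T, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 1))],
)

if __name__ == "__main__":
    print("current kvno:", trust_kvno(SAMPLE_BLOB))        # 2
    print("current/previous:", trust_kvnos(SAMPLE_BLOB))   # (2, 1)
```

The parser checks every length and offset against the blob size before reading, because these attributes are replicated data and a short or self-inconsistent value should raise rather than silently yield a kvno.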
