[cifs-protocol] RE: KVNO of trusts
John Dunning
johndun at microsoft.com
Wed Oct 8 16:31:20 GMT 2008
Hello Andrew,
Thank you for your rewording suggestion. I have passed this information on to my Product Team.
I also have an answer to your question:
"What is the kvno if the client does not provide one in that structure, when it initially calls CreateTrustedDomainEx? (I think it is -1)?"
Answer:
If TRUST_AUTH_TYPE_VERSION is missing, the key version # for that trust key in Kerberos protocol is not filled. In such a case, the Windows Kerberos will ignore the missing key version # field.
The key version (and the TRUST_AUTH_TYPE_VERSION field) is always present in Microsoft implementations to maximize interoperability.
Please let me know if this fully answers this question.
Thanks
John Dunning
Senior Escalation Engineer Microsoft Corporation
US-CSS DSC PROTOCOL TEAM
Email: johndun at microsoft.com
Tele: (469)775-7008
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, October 03, 2008 12:04 PM
To: John Dunning
Cc: Interoperability Documentation Help; pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: KVNO of trusts
On Thu, 2008-10-02 at 09:17 -0700, John Dunning wrote:
> Hello Andrew,
>
> We have concluded our investigation regarding this issue.
>
> Question: "How do I determine what Key Version Number (kvno) to assign to trusted domain entities in the KDC?"
>
> Answer:
> The key version number of the trust password for a trust object is set
> by making a LsarSetTrustedDomainInfoByName ([MS-LSAD] section
> 3.1.4.7.6) request when the trust is created. It is incremented by 1
> each time the trust password is changed. The key version number can be
> determined at any time by making an LsarQueryTrustedDomainInfoByName
> request or parsing the trustAuthInfoIncoming/trustAuthInfoOutgoing
> attributes using the information provided in MS-ADTS section
> 7.1.6.9.1 and looking for an LSAPR_AUTH_INFORMATION structure with
> AuthType equal to TRUST_AUTH_TYPE_VERSION (3).
Great. What is the kvno if the client does not provide one in that structure, when it initially calls CreateTrustedDomainEx? (I think it is -1)
> A change will be made to the [MS-ADA2]document section 2.235 Attribute msDS-KeyVersionNumber which will be similar to the following:
>
> 2.235 Attribute msDS-KeyVersionNumber For a given user,
> computer or built-in account, this attribute specifies the Kerberos
> version number of the current key for that account. The Kerberos key
> version number for trusts is stored in the trusted domain object (TDO)
> whose object class is trustedDomain
Can i suggest a slight rewording:
For a trusted domain (objectClass trustedDomain), the Kerberos key version number is stored in the trusted domain object (TDO), embedded in the trustAuthIncoming and trustAuthOutgoing attributes.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
More information about the cifs-protocol
mailing list