[cifs-protocol] RE: [Pfif] How are 'supported enc types' determined in trusts? - 600253

Richard Guthrie rguthrie at microsoft.com
Wed Oct 15 14:24:41 GMT 2008


Andrew,

I wanted to follow up on our discussion around msds-supportedEncryptionTypes.  Taking the call LsarQueryInfoTrustedDomain, this call will return STATUS_INVALID_PARAMETER (0xC000000D) if the domain controller that services the call is a Windows 2003 domain controller.

If the domain controller is a Windows 2008 domain controller then it will return STATUS_SUCCESS (0x00000000) with the value of that attribute.  The range of possible values is defined in MS-LSAD 2.2.64 TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES.

Please let me know if there are any further questions.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
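As an added illustration (not code from this thread or from either project), a small Python decoder for the (NTSTATUS, value) pair described above.  It assumes the caller has already issued LsarQueryInfoTrustedDomain against the TDO and holds the raw status and bitmask; the bit assignments are those of TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES (MS-LSAD 2.2.64), and the "weak-only" classification is an added defender's check, not part of the protocol.

```python
# Interpret the result of querying a trusted domain's supported enctypes.
# Constructed example: the status/value pairs are assumed inputs, not live RPC.

STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D  # returned by a Windows 2003 DC

# Bit flags of TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES (MS-LSAD 2.2.64),
# the same encoding used by the msDS-SupportedEncryptionTypes attribute.
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
KNOWN_MASK = 0x1F
AES_MASK = 0x18


def decode_enc_types(value):
    """Return the enctype names set in the bitmask; [] for a null ('Not Set') attribute."""
    if value is None:
        return []
    return [name for bit, name in sorted(ENC_TYPE_BITS.items()) if value & bit]


def classify_trust(status, value=None):
    """Map the LSA call outcome to a state a trust review would record.

    state: 'unsupported-by-dc' (2003 DC, STATUS_INVALID_PARAMETER),
           'not-set' (2008 DC returned a null attribute), 'set', or 'error'.
    weak_only: True when only DES/RC4 bits are set (no AES), else False;
               None when there is no value to judge.
    """
    if status == STATUS_INVALID_PARAMETER:
        return {"state": "unsupported-by-dc", "enctypes": [], "weak_only": None}
    if status != STATUS_SUCCESS:
        return {"state": "error", "ntstatus": status, "enctypes": [], "weak_only": None}
    if value is None:
        return {"state": "not-set", "enctypes": [], "weak_only": None}
    names = decode_enc_types(value)
    return {
        "state": "set",
        "enctypes": names,
        "unknown_bits": value & ~KNOWN_MASK,  # flags outside the documented range
        "weak_only": bool(names) and (value & AES_MASK) == 0,
    }
```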


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, September 08, 2008 5:39 PM
To: Stefan (metze) Metzmacher
Cc: Richard Guthrie; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: [Pfif] How are 'supported enc types' determined in trusts? - 600253

On Mon, 2008-09-08 at 16:35 +0200, Stefan (metze) Metzmacher wrote:
> Richard Guthrie schrieb:
> > Andrew,
> >
> > If you have a Windows 2008 server acting as a member server in a
> > downlevel domain (for this discussion we will assume 2003 functional
> > level), this attribute will only exist if you extend the schema to a
> > level that is compatible with 2008 functional level.  This is a normal
> > step as part of an upgrade from Windows 2000 -> 2003 or Windows 2003
> > -> 2008.  The following kb article describes this process in more
> > detail http://technet.microsoft.com/en-us/library/cc773360.aspx.
> >
> > It will show up in the schema for computer accounts as well as being
> > an attribute on objects where objectClass == trustedDomain.  It does
> > not matter if the domain controller is still Windows 2003, the
> > computer account and TDO will have this attribute.  The value of this
> > attribute will show up as 'Not Set' in a tool such as ADSIEdit (see
> > attached msds-SupportedEncryptionTypes.zip).  This is the same as
> > saying the attribute is null.  It will not be in use until the domain
> > functional level is set to 2008.  Setting the functional level to 2008
> > requires that all the domain controllers be upgraded to Windows Server
> > 2008.  Schema version can be set independently of the functional level
> > to facilitate seamless upgrade scenarios.

So, what is the value returned over LSA in this case?

> > As to your second question, this attribute value is not dependent on
> > trust type/attribute flags. It also will not have a value unless
> > someone explicitly sets it.  In the case of computer accounts this
> > attribute is set by netlogon during secure channel initiation.
>
> Can you explain that process a bit further, please?

Indeed.  I didn't actually ask about computer account enctype negotiation; as you raise it, this is an area I do need clarified.

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
