[cifs-protocol] RE: [Pfif] How are 'supported enc types' determined in trusts? - 600253
rguthrie at microsoft.com
Wed Oct 15 14:24:41 GMT 2008
I wanted to follow up on our discussion around msds-supportedEncryptionTypes. Taking the call LsarQueryInfoTrustedDomain, this call will return STATUS_INVALID_PARAMETER (0xC000000D) if the domain controller that services the call is a Windows 2003 domain controller.
If the domain controller is a Windows 2008 domain controller then it will return STATUS_SUCCESS (0x00000000) with the value of that attribute. The range of possible values is defined in MS-LSAD 2.2.64 TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES.
Please let me know if there are any further questions.
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
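The two outcomes Richard describes above (STATUS_INVALID_PARAMETER from a Windows 2003 DC, STATUS_SUCCESS plus the attribute value from a Windows 2008 DC) are easy to conflate with "the trust allows no encryption types" if a client does not distinguish them. The following is an added example, not code from the thread or from Samba, showing how a trust-management tool might interpret the (NTSTATUS, value) pair returned for the TrustedDomainSupportedEncryptionTypes information class. The bit assignments in ENCTYPE_BITS are the standard Windows Kerberos enctype bitmask (MS-KILE 2.2.7); the assumption that an unset attribute comes back as 0 is mine and is not stated in the thread.

```python
# Added example: interpreting LsarQueryInfoTrustedDomain results for the
# TrustedDomainSupportedEncryptionTypes information class (MS-LSAD 2.2.64).
# Not part of the mailing-list thread or of any project's code.

# NTSTATUS values quoted in the thread.
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_PARAMETER = 0xC000000D

# Bit flags carried in msDS-SupportedEncryptionTypes; same encoding as the
# Windows Kerberos enctype bitmask (MS-KILE 2.2.7).
ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}


def decode_supported_enctypes(value):
    """Return (names, unknown_bits) for a msDS-SupportedEncryptionTypes bitmask.

    Unknown bits are returned separately so that a flag this table does not
    know about is reported rather than silently dropped.
    """
    names = [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]
    unknown_bits = value & ~sum(ENCTYPE_BITS)
    return names, unknown_bits


def interpret_trust_enctype_query(status, value=None):
    """Map the (NTSTATUS, value) pair from LsarQueryInfoTrustedDomain to a
    result a tool can act on, keeping the three cases apart:

      * STATUS_INVALID_PARAMETER: the DC does not implement this information
        class (Windows 2003 per the thread).  The trust's enctype policy is
        *unknown*, which is not the same as "no enctypes".
      * STATUS_SUCCESS with value 0: attribute present but not set ('Not Set'
        in ADSIEdit, i.e. null).  Assumption: an unset attribute is returned
        as 0; the thread does not state the on-the-wire value.
      * STATUS_SUCCESS with a non-zero value: decode the bitmask.
    """
    if status == STATUS_INVALID_PARAMETER:
        return {"dc_supports_info_class": False, "attribute_set": False,
                "enctypes": [], "unknown_bits": 0,
                "note": "DC does not implement this info class; "
                        "trust enctype policy unknown"}
    if status != STATUS_SUCCESS:
        raise RuntimeError("LsarQueryInfoTrustedDomain failed: NTSTATUS 0x%08X"
                           % status)
    if not value:
        return {"dc_supports_info_class": True, "attribute_set": False,
                "enctypes": [], "unknown_bits": 0,
                "note": "attribute not set (null); no enctype restriction "
                        "recorded on the TDO"}
    names, unknown_bits = decode_supported_enctypes(value)
    return {"dc_supports_info_class": True, "attribute_set": True,
            "enctypes": names, "unknown_bits": unknown_bits,
            "note": "decoded from TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES"}


if __name__ == "__main__":
    # Constructed sample responses, one per case described in the thread.
    samples = [
        ("Windows 2003 DC", STATUS_INVALID_PARAMETER, None),
        ("Windows 2008 DC, attribute Not Set", STATUS_SUCCESS, 0),
        ("Windows 2008 DC, RC4+AES", STATUS_SUCCESS, 0x1C),
    ]
    for label, status, value in samples:
        print(label, "->", interpret_trust_enctype_query(status, value))
```

The important design point is that the STATUS_INVALID_PARAMETER branch never produces an empty enctype list that a caller might read as a policy decision; a downlevel DC tells you nothing about the trust's enctypes, and the tool should say so.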
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, September 08, 2008 5:39 PM
To: Stefan (metze) Metzmacher
Cc: Richard Guthrie; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: [Pfif] How are 'supported enc types' determined in trusts? - 600253
On Mon, 2008-09-08 at 16:35 +0200, Stefan (metze) Metzmacher wrote:
> Richard Guthrie schrieb:
> > Andrew,
> > If you have a Windows 2008 server acting as a member server in a
> > downlevel domain (for this discussion we will assume 2003 functional
> > level), this attribute will only exist if you extend the schema to a
> > level that is compatible with 2008 functional level. This is a normal
> > step as part of an upgrade from Windows 2000 -> 2003 or Windows 2003
> > -> 2008. The following kb article describes this process in more
> > detail http://technet.microsoft.com/en-us/library/cc773360.aspx.
> > It will show up in the schema for computer accounts as well as being
> > an attribute on objects where objectClass == trustedDomain. It does
> > not matter if the domain controller is still Windows 2003, the
> > computer account and TDO will have this attribute. The value of this
> > attribute will show up as 'Not Set' in a tool such as ADSIEdit (see
> > attached msds-SupportedEncryptionTypes.zip). This is the same as
> > saying the attribute is null. It will not be in use until the domain
> > functional level is set to 2008. Setting the functional level to 2008
> > requires that all the domain controllers be upgraded to Windows Server
> > 2008. Schema version can be set independently of the functional level
> > to facilitate seamless upgrade scenarios.
So, what is the value returned over LSA in this case?
> > As to your second question, this attribute value is not dependent on
> > trust type/attribute flags. It also will not have a value unless
> > someone explicitly sets it. In the case of computer accounts this
> > attribute is set by netlogon during secure channel initiation.
> Can you explain that process a bit further, please?
Indeed. I didn't actually ask about computer account enctype negotiation, but as you raise it, this is an area I do need clarified.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.