[cifs-protocol] RE: Trusted domains and NETLOGON

Richard Guthrie rguthrie at microsoft.com
Tue Oct 21 16:04:08 GMT 2008


Andrew,

We have completed our research with respect to NetrServerAuthenticate3.  Your question revolved around which active directory attribute is used to respond to this request and also how the passed in AccountName parameter is used.  This method, NetrServerAuthenticate3 queries the trusted domain object using the value in the AccountName field.  We have modified the documentation in section 3.5.4.3.2 with respect to AccountName to account for the trailing dot observed on this value as follows:

AccountName:  A null-terminated Unicode string that identifies the name of the account that contains the secret key (password) that is shared between the client and the server, as specified in section 1.5.<143>  If there is a period "." at the end of the account name, that is ignored during processing.

As the documentation states for NetrServerAuthenticate3, SecureChannelType indicates the type of secure channel being established.  This value is defined in section 2.2.1.3.12 and to tie this in with how NetrServerAuthenticate3 uses this enumeration, we have modified the text for TrustedDnsDomainSecureChannel as follows:

TrustedDnsDomainSecureChannel:  A secure channel between two DCs, connected through a trust relationship created between two Windows 2000 Server or Windows Server 2003 domains. A Trusted Domain Object (TDO) is used in this type of channel. See 7.1.6.7 "Essential Attributes of a Trusted Domain Object" in [MS-ADTS] for information about TDO.

Doing so should make it clearer to the reader that the credentials returned map to the TDO.  The RID returned is for the account used in the TDO.

Please let us know if you have further questions or comments.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
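The lookup rule Richard describes, as an added example that is not part of the thread and is neither Microsoft's nor Samba's code: the trailing "." on AccountName is ignored, and for a TrustedDnsDomainSecureChannel the shared secret comes from the TDO rather than from a "$"-suffixed machine account. The in-memory directory, its DNs and RIDs are constructed for illustration.

```python
from enum import IntEnum
from typing import NamedTuple, Optional

class SecureChannelType(IntEnum):
    # Subset of NETLOGON_SECURE_CHANNEL_TYPE (MS-NRPC 2.2.1.3.12).
    WorkstationSecureChannel = 2
    TrustedDnsDomainSecureChannel = 7

class SecretHolder(NamedTuple):
    kind: str   # "machine" or "tdo"
    dn: str     # where the object lives in the constructed directory
    rid: int    # RID the server reports for the account

# Constructed directory: one workstation account and one TDO for the
# w2k3native.net trust mentioned in the thread. DNs and RIDs are made up.
DIRECTORY = {
    "machine": {  # keyed by machine account name, trailing "$" included
        "WKS01$": SecretHolder("machine",
                               "CN=WKS01,CN=Computers,DC=example,DC=test", 1105),
    },
    "tdo": {  # keyed by the trusted domain's DNS name, lower case
        "w2k3native.net": SecretHolder("tdo",
                                       "CN=w2k3native.net,CN=System,DC=example,DC=test", 1106),
    },
}

def normalize_account_name(account_name: str) -> str:
    """Rule added to MS-NRPC 3.5.4.3.2: a period at the end of the name is ignored."""
    if account_name.endswith("."):
        return account_name[:-1]
    return account_name

def resolve_secret_holder(channel_type: SecureChannelType,
                          account_name: str) -> Optional[SecretHolder]:
    """Map a NetrServerAuthenticate3 (SecureChannelType, AccountName) pair to the
    object whose secret authenticates the channel, or None if nothing matches."""
    name = normalize_account_name(account_name)
    if channel_type == SecureChannelType.TrustedDnsDomainSecureChannel:
        # AccountName is the trusted domain's DNS name; the TDO holds the secret.
        return DIRECTORY["tdo"].get(name.lower())
    if channel_type == SecureChannelType.WorkstationSecureChannel:
        # Windows machine accounts are the machine name with "$" appended.
        if not name.endswith("$"):
            return None
        return DIRECTORY["machine"].get(name.upper())
    return None
```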

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, September 30, 2008 7:27 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: Trusted domains and NETLOGON

On Tue, 2008-09-30 at 15:32 -0700, Andrew Bartlett wrote:
> In MS-NRPC 3.5.4.3.2 it states:
> AccountName: A null-terminated Unicode string that identifies the name of the account that
>   contains the secret key (password) that is shared between the client and the server, as
>   specified in section 1.5.<157>
>
> windows behaviour note 157 then notes:
>
> <157> Section 3.5.4.3.2: In Windows, all machine account names are the
> name of the machine with a "$" (dollar sign) appended.
>
> However when Windows 2003 joins as a trusted domain, it issues a ServerAuthenticate3 with 'Account Name == w2k3native.net.'
>
> (ie, no trailing $, and not a normal account)

So, what I'm looking for is what object in the directory should I enquire of to find the password to use and how should I find it (ie, search on what scope for what attribute, presumably without the trailing dot).  I presume I'll have to find the trust account under cn=system, but this is unclear.

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com


