[cifs-protocol] RE: KVNO of trusts

Bill Wesse billwe at microsoft.com
Wed Sep 3 09:52:25 GMT 2008

Good morning Andrew. Thank you for your question! I have created a new case for this (info below); one of my colleagues will take ownership of this and contact you soon.

SRX080903600016  [MS-ADTS] kvno for trusted domain entities

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606
We're Hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Wednesday, September 03, 2008 12:13 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: KVNO of trusts

How do I determine what Key Version Number (kvno) to assign to trusted domain entities in the KDC?

For normal users, we have msDS-KeyVersionNumber, but as per our previous discussions, trusts do not need cn=user type objects for interoperability (I point I dispute, but regardless).  So, what is the source of the key version number for these principals?

(Is it the 'for NETLOGON use' version number in the trustAuthIncoming and trustAuthOutgoing attributes, for example?)


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list