[cifs-protocol] What are the POLICY_DOMAIN_KERBEROS_TICKET_INFO flags?

Hongwei Sun hongweis at microsoft.com
Wed Sep 3 19:54:14 GMT 2008


   Thanks for your suggestion.   We will add  the information about AuthenticationOptions  to [MS-KILE]  and then create a cross reference in [MS-LSAD].   We will also keep the names consistent among documents ([MS-KILE] and [MS-LSAD]) because they are basically for the same purpose.

   We appreciate your help to improve the protocol documents.


Hongwei  Sun - Sr. Support Escalation Engineer
DSC Protocol  Team, Microsoft
hongweis at microsoft.com
Tel:  469-7757027 x 57027

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, August 29, 2008 5:15 PM
To: Hongwei Sun
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: [cifs-protocol] What are the POLICY_DOMAIN_KERBEROS_TICKET_INFO flags?

On Fri, 2008-08-29 at 14:27 -0700, Hongwei Sun wrote:
> Andrew,
>   We completed the investigation for your questions.  The following is
> the information that will be added to MS-LSAD 2.2.53 in the future
> release.
>    "AuthenticationOptions  contains optional flags that affect
> validations preformed during authentication.  The only flag currently
> defined is POLICY_KERBEROS_VALIDATE_CLIENT(0x00000080).    When the
> POLICY_KERBEROS_VALIDATE_CLIENT flag is set, during a TGS request, the
> KDC will check the client account for account restriction if the
> client account is in the local domain *and* the client was
> authenticated more than 20 minutes ago. "
>    Please let us know if you need further clarification.

That looks good, thanks!

With that clue, think you need to add a cross-reference to AUTH_REQ_VALIDATE_CLIENT in MS-KILE.  If they are the same flag, it would be great if the names could be lined up.


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list