[cifs-protocol] RE: How are 'supported enc types' determined in trusts? - 600253

Richard Guthrie rguthrie at microsoft.com
Mon Sep 8 14:09:39 GMT 2008


If you have a Windows 2008 server acting as a member server in a downlevel domain (for this discussion we will assume 2003 functional level), this attribute will only exist if you extend the schema to a level that is compatible with 2008 functional level.  This is a normal step as part of an upgrade from Windows 2000 -> 2003 or Windows 2003 -> 2008.  The following KB article describes this process in more detail: http://technet.microsoft.com/en-us/library/cc773360.aspx.

It will show up in the schema for computer accounts as well as being an attribute on objects where objectClass == trustedDomain.  It does not matter if the domain controller is still Windows 2003, the computer account and TDO will have this attribute.  The value of this attribute will show up as 'Not Set' in a tool such as ADSIEdit (see attached msds-SupportedEncryptionTypes.zip).  This is the same as saying the attribute is null.  It will not be in use until the domain functional level is set to 2008.  Setting the functional level to 2008 requires that all the domain controllers be upgraded to Windows Server 2008.  Schema version can be set independently of the functional level to facilitate seamless upgrade scenarios.

As to your second question, this attribute value is not dependent on trust type/attribute flags. It also will not have a value unless someone explicitly sets it.  In the case of computer accounts this attribute is set by netlogon during secure channel initiation.  In the case of TDOs it must be explicitly set by an administrator.

Please let us know if you have further questions regarding this issue.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
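An added example, not code from this thread or from Microsoft: a small Python audit that decodes the msDS-SupportedEncryptionTypes bit flags (values as documented in MS-KILE) over constructed LDAP-style entries for a computer account and two trustedDomain objects, keeping the 'Not Set' (null) case distinct from an explicitly set value as the message above describes. The DNs, sample values and the status labels are assumptions made for the illustration.

```python
# Added example, not code from the thread. Decodes msDS-SupportedEncryptionTypes
# the way an auditor would, over constructed entries (no live directory is queried).
from typing import Dict, List, Optional

# Bit flags of msDS-SupportedEncryptionTypes as documented in MS-KILE.
ENC_TYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_MASK = 0x07  # DES and RC4 bits
AES_MASK = 0x18   # AES128 and AES256 bits

# Who populates the attribute, per the message above: netlogon for computer
# accounts during secure channel setup, an administrator for trustedDomain objects.
SETTER_BY_CLASS = {"computer": "netlogon", "trustedDomain": "administrator"}


def decode_enc_types(value: Optional[int]) -> List[str]:
    """Names of the enc types whose bits are set; empty when the attribute is null ('Not Set')."""
    if value is None:
        return []
    return [name for bit, name in sorted(ENC_TYPE_FLAGS.items()) if value & bit]


def classify(value: Optional[int]) -> str:
    """Status labels are assumed for this example: null stays separate from an explicit 0."""
    if value is None:
        return "not-set"
    if value & WEAK_MASK:
        return "weak-allowed"
    return "aes-only" if value & AES_MASK else "no-enc-types"


def audit_entry(entry: Dict) -> Dict:
    value = entry.get("msDS-SupportedEncryptionTypes")
    return {"dn": entry["dn"], "status": classify(value), "encTypes": decode_enc_types(value),
            "setBy": SETTER_BY_CLASS.get(entry["objectClass"], "unknown")}


# Constructed sample entries; DNs and values are illustrative, not real directory data.
SAMPLE_ENTRIES = [
    {"dn": "CN=SRV01,CN=Computers,DC=example,DC=test", "objectClass": "computer",
     "msDS-SupportedEncryptionTypes": 0x1C},             # RC4 + AES128 + AES256
    {"dn": "CN=corp.example.test,CN=System,DC=example,DC=test", "objectClass": "trustedDomain",
     "msDS-SupportedEncryptionTypes": None},             # TDO nobody has set ('Not Set')
    {"dn": "CN=legacy.example.test,CN=System,DC=example,DC=test", "objectClass": "trustedDomain",
     "msDS-SupportedEncryptionTypes": 0x04},             # TDO explicitly set to RC4 only
]


def audit_all(entries=SAMPLE_ENTRIES) -> List[Dict]:
    return [audit_entry(e) for e in entries]


if __name__ == "__main__":
    for row in audit_all():
        print(f"{row['status']:13} {row['setBy']:13} {row['dn']}  {row['encTypes']}")
```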

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, August 26, 2008 5:09 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How are 'supported enc types' determined in trusts? - 600253

On Tue, 2008-08-26 at 15:05 -0700, Richard Guthrie wrote:
> Andrew, I will be working with you regarding this issue.  I wanted to
> clarify your statement regarding downlevel domain.  Are you referring
> to a windows 2008 server acting as a domain controller in a downlevel
> domain?  I will get back to you shortly once I have completed my
> research.

Yeah, I'm imagining any situation where the Windows 2008 codebase would need to operate without that attribute in the backing store.  I presume this would occur if it were part of a Win2k3 level domain, for example.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: msds-SupportedEncryptionTypes.zip
Type: application/x-zip-compressed
Size: 160416 bytes
Desc: msds-SupportedEncryptionTypes.zip
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080908/8085e899/msds-SupportedEncryptionTypes-0001.bin
