[cifs-protocol] Re: [Pfif] How are 'supported enc types' determined in trusts? - 600253

Andrew Bartlett abartlet at samba.org
Mon Sep 8 22:38:44 GMT 2008

On Mon, 2008-09-08 at 16:35 +0200, Stefan (metze) Metzmacher wrote:
> Richard Guthrie schrieb:
> > Andrew,
> > 
> > If you have a Windows 2008 server acting as a member server in a
> > downlevel domain (for this discussion we will assume 2003 functional
> > level), this attribute will only exist if you extend the schema to a
> > level that is compatible with 2008 functional level.  This is a normal
> > step as part of an upgrade from Windows 2000 -> 2003 or Windows 2003
> > -> 2008.  The following KB article describes this process in more
> > detail: http://technet.microsoft.com/en-us/library/cc773360.aspx.
> > 
> > It will show up in the schema for computer accounts as well as being
> > an attribute on objects where objectClass == trustedDomain.  It does
> > not matter if the domain controller is still Windows 2003, the
> > computer account and TDO will have this attribute.  The value of this
> > attribute will show up as 'Not Set' in a tool such as ADSIEdit (see
> > attached msds-SupportedEncryptionTypes.zip).  This is the same as
> > saying the attribute is null.  It will not be in use until the domain
> > functional level is set to 2008.  Setting the functional level to 2008
> > requires that all the domain controllers be upgraded to Windows Server
> > 2008.  Schema version can be set independently of the functional level
> > to facilitate seamless upgrade scenarios.

So, what is the value returned over LSA in this case?

> > As to your second question, this attribute value is not dependent on
> > trust type/attribute flags.  It also will not have a value unless
> > someone explicitly sets it.  In the case of computer accounts this
> > attribute is set by netlogon during secure channel initiation.
> 
> Can you explain that process a bit further, please?

Indeed.  I didn't actually ask about computer account enctype
negotiation, but as you raise it, this is an area I do need clarified.

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
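As an added worked example that is not part of this thread and not Samba's or Microsoft's code: a small Python audit routine that decodes msDS-SupportedEncryptionTypes values the way an LDAP client would return them for computer accounts and trustedDomain objects, treating an absent attribute ('Not Set' in ADSIEdit) as null rather than as zero, which is the distinction the thread turns on. The bit values come from MS-KILE section 2.2.7, not from the thread; the records are constructed sample data and the function names are my own.

```python
"""Decode and audit msDS-SupportedEncryptionTypes values.

Flag bit values are from MS-KILE section 2.2.7 (not from the thread):
  0x01 DES-CBC-CRC, 0x02 DES-CBC-MD5, 0x04 RC4-HMAC,
  0x08 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96.
"""

ENCTYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
KNOWN_MASK = sum(ENCTYPE_FLAGS)          # 0x1f
LEGACY_MASK = 0x01 | 0x02 | 0x04         # DES and RC4
AES_MASK = 0x08 | 0x10


def decode_supported_enctypes(raw):
    """raw is the attribute as an LDAP client returns it: None when the
    attribute is absent ('Not Set' in ADSIEdit, i.e. null), otherwise an
    int or decimal string.  Returns None for absent, else the names of
    the set bits; bits outside the five above are reported as hex."""
    if raw is None:
        return None
    value = int(raw)
    names = [name for bit, name in ENCTYPE_FLAGS.items() if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


def classify(raw):
    """Coarse audit bucket for one object's value.  'not-set' (absent) is
    kept distinct from 'empty' (present but 0): the thread's point is that
    the attribute exists after the schema extension but stays null until
    something (netlogon, or an admin) writes it."""
    if raw is None:
        return "not-set"
    value = int(raw)
    if value == 0:
        return "empty"
    has_aes = bool(value & AES_MASK)
    has_legacy = bool(value & LEGACY_MASK)
    if has_aes and not has_legacy:
        return "aes-only"
    if has_aes and has_legacy:
        return "aes-and-legacy"
    return "legacy-only"


def audit(records):
    """records: iterable of dicts shaped like LDAP search results with
    'dn', 'objectClass' and 'msDS-SupportedEncryptionTypes' (None when
    absent).  Returns {dn: (objectClass, bucket, decoded names)}."""
    report = {}
    for rec in records:
        raw = rec.get("msDS-SupportedEncryptionTypes")
        report[rec["dn"]] = (rec["objectClass"], classify(raw),
                             decode_supported_enctypes(raw))
    return report


# Constructed sample records (hypothetical DNs and values), not real data.
SAMPLE_RECORDS = [
    {"dn": "CN=WS2008MEMBER,CN=Computers,DC=example,DC=test",
     "objectClass": "computer",
     "msDS-SupportedEncryptionTypes": None},          # schema has it, value null
    {"dn": "CN=DC01,OU=Domain Controllers,DC=example,DC=test",
     "objectClass": "computer",
     "msDS-SupportedEncryptionTypes": "28"},          # RC4 + AES128 + AES256
    {"dn": "CN=legacy.test,CN=System,DC=example,DC=test",
     "objectClass": "trustedDomain",
     "msDS-SupportedEncryptionTypes": "4"},           # RC4 only
    {"dn": "CN=modern.test,CN=System,DC=example,DC=test",
     "objectClass": "trustedDomain",
     "msDS-SupportedEncryptionTypes": 24},            # AES128 + AES256
]

if __name__ == "__main__":
    for dn, (cls, bucket, names) in audit(SAMPLE_RECORDS).items():
        print(f"{bucket:15} {cls:14} {dn}  {names}")
```

Feeding this real search results (for example from a tool that can return the attribute as null when it is absent) separates the trusts and computer accounts that are still pinned to RC4 or DES from those that were simply never written, which matters because a null value and an explicit legacy-only value are handled differently by the KDC.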