[cifs-protocol] Backing store and policy application information for MS-APDS

Andrew Bartlett abartlet at samba.org
Tue Sep 9 12:20:53 GMT 2008


I have previously asked for information to be added to MS-NRPC to detail
the currently abstract backing store for user and trust accounts.
However, it happens that the normal SamLogon processing is mostly
described in MS-APDS (for some reason).

What I'm looking for is a specific description of what attributes
(unicodePwd, dbcsPwd) are used for validating the password, what
attributes (pwdLastSet, userAccountControl etc) are used (and how they
are used) to check policy and then what attributes are used to construct
the NETLOGON_VALIDATION_SAM_INFO4.

I need this because I must construct the same reply as a Microsoft DC
that I might share a domain using DRS replication with. 

The current text in 3.1.5.1 is:

> The domain controller MUST compare the local copy of the password to the one sent in the request.
> If there is a successful match, the domain controller MUST return data with ValidationInformation
> containing either a reference to NETLOGON_VALIDATION_SAM_INFO4 ([MS-NRPC] section
> 3.5.4.4.1), if the ValidationLevel in the request is NetlogonValidationSamInfo4 or a reference to
> NETLOGON_VALIDATION_SAM_INFO2 ([MS-NRPC] section 3.5.4.4.1), if the ValidationLevel in the
> request is NetlogonValidationSamInfo2). If there is not a match, the DC MUST return the failure
> error code STATUS_WRONG_PASSWORD (section 2.2) with no response data.<15>

(Just to put this into context, this needs a long-term answer and doc
change, not a 'hot fix'). 

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
