[cifs-protocol] RE: Backing store and policy application information for MS-APDS

Edgar Olougouna edgaro at microsoft.com
Tue Sep 9 15:21:13 GMT 2008 

Andrew,

Thank you for your request concerning the [MS-APDS]. I have created a case for this (see info below); one of my colleagues will be in touch with you soon.

SRX080909600334 - ProtoDoc 99999: PFIF: [MS-APDS] Backing store and policy application information

Best regards,

Edgar A. Olougouna
Sr. SEE, DSC Protocol Team, Microsoft | Email: edgaro at microsoft.com, Tel: +1.469.775.7189 x 57189

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, September 09, 2008 7:21 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Backing store and policy application information for MS-APDS

I have previously asked for information to be added to MS-NRPC to detail the currently abstract backing store for user and trust accounts.
However, it happens that the normal SamLogon processing is mostly described in MS-APDS (for some reason).

What I'm looking for is a specific description of what attributes (unicodePwd, dbcsPwd) are used for validating the password, what attributes (pwdLastSet, userAccountControl etc) are used (and how they are used) to check policy and then what attributes are used to construct the NETLOGON_VALIDATION_SAM_INFO4.

I need this because I must construct the same reply as a Microsoft DC that I might share a domain using DRS replication with.

The current text in 3.1.5.1 is:

> The domain controller MUST compare the local copy of the password to the one sent in the request.
> If there is a successful match, the domain controller MUST return data
> with ValidationInformation containing either a reference to
> NETLOGON_VALIDATION_SAM_INFO4 ([MS-NRPC] section 3.5.4.4.1), if the
> ValidationLevel in the request is NetlogonValidationSamInfo4 or a
> reference to
> NETLOGON_VALIDATION_SAM_INFO2 ([MS-NRPC] section 3.5.4.4.1), if the
> ValidationLevel in the request is NetlogonValidationSamInfo2). If
> there is not a match, the DC MUST return the failure error code
> STATUS_WRONG_PASSWORD (section 2.2) with no response data.<15>

(Just to put this into context, this needs a long-term answer and doc change, not a 'hot fix').

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list