[cifs-protocol] How to determine if an account should use AES?
Sebastian.Canevari at microsoft.com
Wed Aug 19 10:41:57 MDT 2009
The msDS-SupportedEncryptionTypes attribute is populated at object creation time by the subjects that support the property. It is also updated whenever there's a change on the object's configuration that require an update of the property. Meaning that when a subject changes the type of encryption it supports, it modifies this attribute to reflect the change.
With regards of the NETLOGON_DOMAIN_INFO, I'll check with Obaid to see if I can be of any help.
Please let me know if this answer fully addresses your question.
Thanks and regards,
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, August 18, 2009 1:01 AM
To: Sebastian Canevari
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: How to determine if an account should use AES?
On Fri, 2009-08-14 at 11:40 -0700, Sebastian Canevari wrote:
> Hi Andrew,
> I've been investigating this and I'm still discussing with the product group what would be the best way to better detail this process.
> As explained in the document, the KDC will rely on the AD property msDS-SupportedEncryptionTypes.
> Now, if the property is not populated by the server or service, then the KDC will default to RC4 which is the legacy type.
So, the outstanding question is: what would normally populate that attribute?
> With respect to the NETLOGON_DOMAIN_INFO, Matthieu is working with Obaid on that section and I believe Obaid is sending him his response shortly.
I have to say, I'm not the wiser from Obaid's answer. Sorry.
Perhaps you could spell it out a bit more clearly?
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
More information about the cifs-protocol