[cifs-protocol] How to determine if an account should use AES?

Andrew Bartlett abartlet at samba.org
Wed Aug 19 16:16:26 MDT 2009


On Wed, 2009-08-19 at 09:41 -0700, Sebastian Canevari wrote:
> Hi Andrew,
> 
> The msDS-SupportedEncryptionTypes attribute is populated at object creation time by the subjects that support the property. 

So it is modified over LDAP by the Windows Vista (for example) domain
member? 

> It is also updated whenever there's a change on the object's
> configuration that requires an update of the property. 

So if the domain member upgrades, it is expected to reach out and update
this property using LDAP?

Are there any ACL considerations to be aware of here?  Are there any
other restrictions on the values clients might populate here?

> Meaning that when a subject changes the type of encryption it
> supports, it modifies this attribute to reflect the change.

Any chance you can provide an annotated (i.e., with a separate document
mentioning frame numbers) PCAP-formatted example network trace and
documentation references to support this?  I would really like to pin
this down firmly before the next alpha, now that I've turned on the
Windows 2008 functional level and therefore AES encryption in our DC. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
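
Added example, not part of the original message and not Samba or Microsoft code: a small audit that decodes msDS-SupportedEncryptionTypes for a set of accounts and reports which ones advertise AES. The bit values are those defined for this attribute in [MS-KILE]; the LDIF-style records, account names and function names are constructed for illustration.

```python
# Bit assignments for msDS-SupportedEncryptionTypes, per [MS-KILE].
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10

# Constructed sample input (as an LDAP search export might look).
SAMPLE_LDIF = """\
dn: CN=VISTA1,CN=Computers,DC=example,DC=com
sAMAccountName: VISTA1$
msDS-SupportedEncryptionTypes: 31

dn: CN=XP1,CN=Computers,DC=example,DC=com
sAMAccountName: XP1$

dn: CN=SRV1,CN=Computers,DC=example,DC=com
sAMAccountName: SRV1$
msDS-SupportedEncryptionTypes: 7
"""

def parse_records(ldif):
    """Split blank-line-separated records into dicts (attribute names lowercased)."""
    records = []
    for block in ldif.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            rec[name.lower()] = value.strip()
        records.append(rec)
    return records

def decode(mask):
    """Return the encryption type names set in mask; bits outside the table are kept as hex."""
    names = [n for bit, n in ENCTYPE_BITS.items() if mask & bit]
    rest = mask & ~sum(ENCTYPE_BITS)
    return names + (["other:0x%x" % rest] if rest else [])

def audit(ldif):
    """Return (account, decoded types or None if attribute absent, advertises AES)."""
    out = []
    for rec in parse_records(ldif):
        raw = rec.get("msds-supportedencryptiontypes")
        # Absent attribute: reported as None. What a KDC should assume in
        # that case is the question this thread asks, so no default is guessed.
        mask = None if raw is None else int(raw, 0)
        out.append((rec["samaccountname"],
                    None if mask is None else decode(mask),
                    bool(mask and mask & AES_MASK)))
    return out
```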