[cifs-protocol] How to determine if an account should use AES?
Sebastian Canevari
Sebastian.Canevari at microsoft.com
Mon Aug 24 17:33:47 MDT 2009
Hi Matthieu and Andrew,
I am looking into this and will update you as soon as I have news.
Thanks!
Sebastian
Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com
-----Original Message-----
From: Matthieu Patou [mailto:mat at matws.net]
Sent: Monday, August 24, 2009 5:22 PM
To: Andrew Bartlett
Cc: Sebastian Canevari; pfif at tridgell.net; cifs-protocol at samba.org; Interoperability Documentation Help
Subject: Re: [cifs-protocol] How to determine if an account should use AES?
Hello Sebastian,
I'm coming back to you on this subject.
Last week I made tests with one of the newest versions of samba4 which
tries to pretend to have a Windows 2008 forest/domain and DC
compatibility level.
And I didn't notice any request from a Windows 2008 acting as a client
of my S4 domain.
It raises a few possibilities, but two are most probable:
1) S4 is not behaving enough like Windows 2008, so the client thinks
that it is not a real Windows 2008 and so it doesn't send this attribute.
2) This attribute is not sent by the client; it's just the server that
sets it, based on some algorithm (e.g. if os.version >= 6.0 and os.name
contains "Windows" then set msDS-SupportedEncryptionTypes).
Can you indicate to us whether one of the two possibilities is the right one?
If not, please indicate the correct one.
If yes, please do not forget, for case 1, to indicate what exactly
triggers the sending of this attribute (or what blocks the transmission),
or, if it's case 2, to give us the correct algorithm.
In any case I can only reiterate Andrew's request for a pcap-formatted
network trace with the packets which are significant (i.e. those
holding this attribute).
Best regards.
Matthieu Patou.
On 08/20/2009 02:16 AM, Andrew Bartlett wrote:
> On Wed, 2009-08-19 at 09:41 -0700, Sebastian Canevari wrote:
>> Hi Andrew,
>>
>> The msDS-SupportedEncryptionTypes attribute is populated at object creation time by the subjects that support the property.
>
> So it is modified over LDAP by the Windows Vista (for example) domain
> member?
>
>> It is also updated whenever there's a change to the object's
>> configuration that requires an update of the property.
>
> So if the domain member upgrades, it is expected to reach out and update
> this property using LDAP?
>
> Are there any ACL considerations to be aware of here? Are there any
> other restrictions on the values clients might populate here?
>
>> Meaning that when a subject changes the type of encryption it
>> supports, it modifies this attribute to reflect the change.
>
> Any chance you can provide an annotated (ie, with a separate document
> mentioning frame numbers) PCAP-formatted example network trace and
> documentation references to support this? I would really like to pin
> this down firmly before the next alpha, now that I've turned on the
> Windows 2008 functional level and therefore AES encryption in our DC.
>
> Thanks,
>
> Andrew Bartlett
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at cifs.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol
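The thread above is about who writes msDS-SupportedEncryptionTypes and how a KDC turns it into "use AES for this account or not". As an added example (not code from this thread, from Samba or from Microsoft), the Python below decodes and encodes the attribute's bitmask using the bit values documented in MS-KILE, maps them to the IANA Kerberos etype numbers, picks the strongest etype shared by a requesting client and the target account, and builds the LDIF a domain member could send to publish its own value. The handling of an absent or zero attribute (treat the account as RC4-HMAC only) is a simplified reading of MS-KILE and is labelled as an assumption; the sample value 0x1C and the DN are constructed for the example.

```python
# Added example: decode/encode msDS-SupportedEncryptionTypes and derive the
# Kerberos etypes a KDC could issue for an account. Not from the thread,
# Samba or Microsoft.

# Bit values of msDS-SupportedEncryptionTypes as documented in MS-KILE.
DES_CBC_CRC             = 0x01
DES_CBC_MD5             = 0x02
RC4_HMAC                = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

FLAG_NAMES = {
    DES_CBC_CRC:             "DES-CBC-CRC",
    DES_CBC_MD5:             "DES-CBC-MD5",
    RC4_HMAC:                "RC4-HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS_HMAC_SHA1_96: "AES256-CTS-HMAC-SHA1-96",
}

# IANA Kerberos etype numbers for each flag (RFC 3961, RFC 3962, RFC 4757).
ETYPE_FOR_FLAG = {
    DES_CBC_CRC: 1,
    DES_CBC_MD5: 3,
    RC4_HMAC: 23,
    AES128_CTS_HMAC_SHA1_96: 17,
    AES256_CTS_HMAC_SHA1_96: 18,
}

# Preference order used by this example when several etypes are common:
# strongest first (AES256, AES128, RC4, then the DES variants).
PREFERENCE = [18, 17, 23, 3, 1]


def decode_supported_enctypes(value):
    """Names of the flags set in an msDS-SupportedEncryptionTypes value,
    lowest bit first. Bits this example does not know are reported as
    UNKNOWN(0x..) rather than silently dropped."""
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(FLAG_NAMES.get(bit, "UNKNOWN(0x%x)" % bit))
        bit <<= 1
    return names


def encode_supported_enctypes(names):
    """Inverse of decode_supported_enctypes for the known flag names."""
    by_name = {v: k for k, v in FLAG_NAMES.items()}
    value = 0
    for name in names:
        value |= by_name[name]
    return value


def account_etypes(attr_value):
    """Etypes a KDC may use for tickets to this account.
    ASSUMPTION (simplified reading of MS-KILE): an absent or zero attribute
    means the account is treated as RC4-HMAC only, which is why a member
    that never published the attribute does not get AES session keys."""
    if not attr_value:
        return [23]
    return [ETYPE_FOR_FLAG[f] for f in ETYPE_FOR_FLAG if attr_value & f]


def pick_ticket_etype(client_etypes, target_attr_value):
    """Strongest etype common to the requesting client and the target
    account, or None when they share nothing (the KDC would fail the
    request with KDC_ERR_ETYPE_NOSUPP)."""
    common = set(client_etypes) & set(account_etypes(target_attr_value))
    for etype in PREFERENCE:
        if etype in common:
            return etype
    return None


def ldif_set_supported_enctypes(dn, value):
    """LDIF modify a domain member could send to (re)publish its value,
    e.g. after an OS upgrade that adds AES support."""
    return ("dn: %s\n"
            "changetype: modify\n"
            "replace: msDS-SupportedEncryptionTypes\n"
            "msDS-SupportedEncryptionTypes: %d\n"
            "-\n" % (dn, value))


if __name__ == "__main__":
    # Constructed sample: a member advertising RC4 + AES128 + AES256 (0x1C).
    member_dn = "CN=WKS01,CN=Computers,DC=example,DC=com"   # constructed
    member_value = RC4_HMAC | AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96
    print(decode_supported_enctypes(member_value))
    print(pick_ticket_etype([18, 17, 23], member_value))   # AES256 chosen
    print(pick_ticket_etype([18, 17], 0))                  # None: RC4-only target
    print(ldif_set_supported_enctypes(member_dn, member_value))
```

Run it on a real directory by feeding the integer returned by an LDAP search for msDS-SupportedEncryptionTypes into decode_supported_enctypes; a value of 0x1C on a Vista or 2008 member, and no attribute at all on an older member, is the behaviour the thread is trying to pin down.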