[cifs-protocol] of SupportedEncTypes and msDS-SupportedEncryptionTypes
Matthieu Patou
mat+Informatique.Samba at matws.net
Sun Dec 20 05:01:26 MST 2009
Hello,
Back in august and september we discuss in case SRX090808600017 about
supportedEncTypes and I was quite happy with your answer.
I'm coming back on this subject for two details:
* this blog entry (of msdn)
http://blogs.msdn.com/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx
says :" Although this attribute is present in all the computer objects
of the domain regardless of the version of the OS the physical machines
have installed, not all of them are aware of its existence hence, older
versions (2003 and earlier) do not populate it at any time." It means
that when I join a w2k8 domain with a XP workstation that the DC will
create a computer object for this XP workstation and set the
msDS-SupportedEncryptionTypes attribute ? if so to which value ? On my
tests when I join a w2k3 server to a w2k8 domain the attribute
SupportedEncryptionTypes is not set. Can this point be clarified and if
possible written in a formal document
This entry also state: "
When the KDC checks the attribute to decide what encryption algorithm to
use in order to encrypt the ticket, it could find basically two scenarios:
1) The attribute is populated
2) The attribute is empty
If the attribute is populated, then the deal is done since the KDC can
determine the best common algorithm to encrypt the ticket with the value
present.
However, if the attribute is empty then the KDC will have to work harder
being the next step to check another attribute. This attribute is
defined in MS-ADA3 (section 2.341) and described in MS-ADTS (section
2.2.15) and it’s called userAccountControl. This attribute is also a 4
byte Bit Mask that defines many aspects of the account but the only one
the KDC is interested in is the DK (ADS_UF_USE_DES_KEY_ONLY ) bit.
This bit defines what legacy encryption method will be used:
1) If the bit is set, then only DES will be used
2) If the bit is NOT set, then DES and RC4 can be used
This check is especially relevant in domains that have Win7 and Windows
Server 2008 R2 machines joined because those two newer OSs disable their
bit by default so older DES is not an option for them."
* What is the exact meaning of ADS_UF_USE_DES_KEY_ONLY ? if a w2k8
server acting as a domain member within a w2k8 domain has this DK bit
set, will the DC not use AES but only DES with it ?
* "This check is especially relevant in domains that have Win7 and
Windows Server 2008 R2 machines joined because those two newer OSs
disable their bit by default so older DES is not an option for them.",
well it seems that a w2k3 server member of w2k8 domain do not have this
bit set also (userAccountControl=4096 => only WT flag set).
* Also neither MS-LSAD nor MS-NRPC talk about the link between the
attribute msDS-SupportedEncryptionTypes stored in the AD and the fact
that it's returned as SupportedEncTypes in NETLOGON_DOMAIN_INFO call.
I can understand that it can be called "secret" of implementation but
when after a workstation tries to update this attribute to let the DC
know what are the supported encoding it's better to clarify the link.
Thank you for help with clarifying those points.
Matthieu.
More information about the cifs-protocol
mailing list