[cifs-protocol] Handling of passwords in LSA CreateTrustedDomainInfoEx2

Andrew Bartlett abartlet at samba.org
Tue Aug 30 06:54:13 MDT 2011

In CreateTrustedDomainInfoEx2


I'm wondering if I could get an expansion on:

AuthenticationInformation: A structure containing authentication
information for the trusted domain. The server first MUST decrypt this
data structure using an algorithm (as specified in section 5.1.1) with
the key being the session key negotiated by the transport. The server
then MUST unmarshal the data inside this structure and then store it
into a structure whose format is specified in section This
structure MUST then be stored on Trust Incoming and Outgoing Password

In particular, what elements become assigned to "trustAuthIncoming" and

Is the element stored 'as sent', or is it processed to add a version

Can the client send the previousAuthentication details, or is that
maintained by the server?

In LsarSetInformationTrustedDomain

Does the client or the server maintain the previous password and version
information in the blob in the "trustAuthIncoming"?


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
