[cifs-protocol] Handling of passwords in LSA CreateTrustedDomainInfoEx2

Josh Curry Josh.Curry at microsoft.com
Tue Aug 30 08:57:31 MDT 2011

Hi Andrew, thank you for your question. Someone from the Open Specifications team will respond to you soon.

Josh Curry | Escalation Engineer | US-CSS Developer Support Core (DSC) Protocol Team
P +1 469 775 7215 
One Microsoft Way, 98052, Redmond, WA, USA http://support.microsoft.com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 30, 2011 7:54 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at cifs.org
Subject: Handling of passwords in LSA CreateTrustedDomainInfoEx2

In CreateTrustedDomainInfoEx2


I'm wondering if I could get an expansion on:

AuthenticationInformation: A structure containing authentication information for the trusted domain. The server first MUST decrypt this data structure using an algorithm (as specified in section 5.1.1) with the key being the session key negotiated by the transport. The server then MUST unmarshal the data inside this structure and then store it into a structure whose format is specified in section This structure MUST then be stored on Trust Incoming and Outgoing Password properties.

In particular, what elements become assigned to "trustAuthIncoming" and "trustAuthOutgoing"

Is the element stored 'as sent', or is it processed to add a version field?  

Can the client send the previousAuthentication details, or is that maintained by the server?

In LsarSetInformationTrustedDomain

Does the client or the server maintain the previous password and version information in the blob in the "trustAuthIncoming"?


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the cifs-protocol mailing list