[cifs-protocol] [REG: 111083054067588] RE: Handling of passwords in LSA CreateTrustedDomainInfoEx2
hongweis at microsoft.com
Wed Aug 31 14:37:00 MDT 2011
> Is the element stored 'as sent', or is it processed to add a version field?
ANS: After code review, I confirmed that AuthenticationInformation is decrypted into LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION (as specified in 188.8.131.52), then is just copied straightforwardly into the TrustAuthIncoming and TrustAuthOutgoing properties as specified in 184.108.40.206.1 MS-ADTS. As you know, LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION is a structure and the TrustAuthIncoming and TrustAuthOutgoing properties are String(Octet), so some calculations for offsets are certainly required as per the layout of the properties, but there is no new field added when marshaling the structure to the octet string saved in the properties.
> Can the client send the previousAuthentication details, or is that maintained by the server?
ANS: Yes, the client can send the previousAuthentication for both incoming and outgoing AuthenticationInformation through LsarCreateTrustedDomainEx2. If it is sent, the server will save it to the previousAuthenticationInformation part of the property (220.127.116.11.1 MS-ADTS). If it is not sent, the previousAuthenticationInformation in the property will be the same as the current AuthenticationInformation, since this is a new TDO being created and there is no previous information available.
> Does the client or the server maintain the previous password and version information in the blob in the "trustAuthIncoming"?
ANS: The server will be responsible for updating the previous authentication information in the "TrustAuthIncoming" property. When the server receives this call, it will first query the information about the trusted domain object (TDO) identified by the TrustedDomainHandle passed into LsarSetInformationTrustedDomain. Then the server will save the returned trusted domain information as previousAuthentication and the passed authenticationInformation as the new AuthenticationInformation in the TrustAuthIncoming property.
Please let me know if you have more questions.
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, August 30, 2011 7:54 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at cifs.org
Subject: Handling of passwords in LSA CreateTrustedDomainInfoEx2
I'm wondering if I could get an expansion on:
AuthenticationInformation: A structure containing authentication information for the trusted domain. The server first MUST decrypt this data structure using an algorithm (as specified in section 5.1.1) with the key being the session key negotiated by the transport. The server then MUST unmarshal the data inside this structure and then store it into a structure whose format is specified in section 18.104.22.168. This structure MUST then be stored on Trust Incoming and Outgoing Password properties.
In particular, what elements become assigned to "trustAuthIncoming" and "trustAuthOutgoing"
Is the element stored 'as sent', or is it processed to add a version field?
Can the client send the previousAuthentication details, or is that maintained by the server?
Does the client or the server maintain the previous password and version information in the blob in the "trustAuthIncoming"?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
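The server-side handling described in the answers above (previous defaults to current on LsarCreateTrustedDomainEx2 when the client sends none; LsarSetInformationTrustedDomain rotates the stored current value into previous), written out as an added Python model. This is not code from either message, Samba or Windows; the class and function names are assumptions, the wire marshaling and session-key decryption are deliberately left out, and the model assumes TrustAuthOutgoing is rotated the same way as TrustAuthIncoming.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthInfo:
    """One authentication entry as unmarshaled by the server.
    Per the answer above, nothing (no version field) is added when it is stored."""
    auth_type: int
    auth_data: bytes


@dataclass
class TrustAuthInfo:
    """Model of a trustAuthIncoming/trustAuthOutgoing property value."""
    current: AuthInfo
    previous: AuthInfo


@dataclass
class TrustedDomainObject:
    """Model of a TDO with its two auth properties (hypothetical structure)."""
    name: str
    incoming: TrustAuthInfo
    outgoing: TrustAuthInfo


def create_trusted_domain_ex2(name: str, in_cur: AuthInfo, out_cur: AuthInfo,
                              in_prev: Optional[AuthInfo] = None,
                              out_prev: Optional[AuthInfo] = None) -> TrustedDomainObject:
    """LsarCreateTrustedDomainEx2 (modeled): the client may supply previous
    values; when it does not, previous is set equal to current because a new
    TDO has no earlier information."""
    return TrustedDomainObject(
        name,
        TrustAuthInfo(in_cur, in_prev if in_prev is not None else in_cur),
        TrustAuthInfo(out_cur, out_prev if out_prev is not None else out_cur),
    )


def set_information_trusted_domain(tdo: TrustedDomainObject, new_in: AuthInfo,
                                   new_out: AuthInfo) -> TrustedDomainObject:
    """LsarSetInformationTrustedDomain (modeled): the server, not the client,
    maintains previous: the stored current value becomes previous and the
    newly passed value becomes current."""
    tdo.incoming = TrustAuthInfo(new_in, tdo.incoming.current)
    tdo.outgoing = TrustAuthInfo(new_out, tdo.outgoing.current)
    return tdo
```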