[cifs-protocol] [REG: 111083054067588] RE: Handling of passwords in LSA CreateTrustedDomainInfoEx2

Andrew Bartlett abartlet at samba.org
Thu Sep 1 18:02:01 MDT 2011 

On Wed, 2011-08-31 at 20:37 +0000, Hongwei Sun wrote:
> Hi, Andrew,
> 
> >Is the element stored 'as sent', or is it processed to add a version field?  
> 
> ANS:    After code review, I confirmed that AuthenticationInformation is decrypted into LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION (as specified in 2.2.7.11), then is just copied straightforwardly into the TrustAuthIncoming and TrustAuthOutgoing properties as specified 7.1.6.9.1 MS-ADTS.   As you know, the   LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION is a structure and TrustAuthIncoming and TrustAuthOutgoing properties are String(Octet),  there are certainly some calculation for offsets required as per the layout of the properties,  but there is no new field added when marshaling the structure to the octet string saved in the properties.   
> 
> >Can the client send the previousAuthentication details, or is that maintained by the server?
> 
> ANS:  Yes, the client can send the  previousAuthentication for both incoming and outgoing AuthticationInformation through LsarCreateTrustedDomainEx2.  If it is send, the server will save it to the  previousAuthenticationInformation part of the property (7.1.6.9.1 MS-ADTS).  If it is not send,  the previousAuthenticationInformation in the property will be the same as current AuthenticationInformation since this is a new TDO created and there is no previous information available.
> 
> 
> >In LsarSetInformationTrustedDomain
> >http://msdn.microsoft.com/en-us/library/cc234385%28v=PROT.13%29.aspx
> >Does the client or the server maintain the previous password and version information in the blob in the "trustAuthIncoming"?
> 
> ANS:   The server will be responsible for updating the previous authentication information in  "TrustAuthIncoming" property.  When server receives this call, it will first query the information about the trusted domain object (TDO) identified by the TrustedDomainHandle passed into LsarSetInformationTrustedDomain.  Then the server will  save the returned trusted domain information as previousAuthentication and  the passed authenticationInformation as new AuthticationInformation in TrustAuthIncoming property. 
> 
>   Please let me know if you have more questions.

Thanks, that resolves this for now.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the cifs-protocol mailing list