[cifs-protocol] [REG: 111083054067588] RE: Handling of passwords in LSA CreateTrustedDomainInfoEx2
Andrew Bartlett
abartlet at samba.org
Thu Sep 1 18:02:01 MDT 2011
On Wed, 2011-08-31 at 20:37 +0000, Hongwei Sun wrote:
> Hi, Andrew,
>
> >Is the element stored 'as sent', or is it processed to add a version field?
>
> ANS: After code review, I confirmed that AuthenticationInformation is decrypted into LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION (as specified in 2.2.7.11), then is just copied straightforwardly into the TrustAuthIncoming and TrustAuthOutgoing properties as specified 7.1.6.9.1 MS-ADTS. As you know, the LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION is a structure and TrustAuthIncoming and TrustAuthOutgoing properties are String(Octet), there are certainly some calculation for offsets required as per the layout of the properties, but there is no new field added when marshaling the structure to the octet string saved in the properties.
>
> >Can the client send the previousAuthentication details, or is that maintained by the server?
>
> ANS: Yes, the client can send the previousAuthentication for both incoming and outgoing AuthticationInformation through LsarCreateTrustedDomainEx2. If it is send, the server will save it to the previousAuthenticationInformation part of the property (7.1.6.9.1 MS-ADTS). If it is not send, the previousAuthenticationInformation in the property will be the same as current AuthenticationInformation since this is a new TDO created and there is no previous information available.
>
>
> >In LsarSetInformationTrustedDomain
> >http://msdn.microsoft.com/en-us/library/cc234385%28v=PROT.13%29.aspx
> >Does the client or the server maintain the previous password and version information in the blob in the "trustAuthIncoming"?
>
> ANS: The server will be responsible for updating the previous authentication information in "TrustAuthIncoming" property. When server receives this call, it will first query the information about the trusted domain object (TDO) identified by the TrustedDomainHandle passed into LsarSetInformationTrustedDomain. Then the server will save the returned trusted domain information as previousAuthentication and the passed authenticationInformation as new AuthticationInformation in TrustAuthIncoming property.
>
> Please let me know if you have more questions.
Thanks, that resolves this for now.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the cifs-protocol
mailing list