[cifs-protocol] Modifying msDS-SupportedEncryptionTypes attribute after domain join
asn at samba.org
Thu Feb 25 10:55:37 UTC 2016
Günther Deschner and I looked into updating the msDS-SupportedEncryptionTypes
attribute after a domain join.
We would like to ask for some clarifications for:
--- snip ---
[MS-KILE] 22.214.171.124 msDS-SupportedEncryptionTypes attribute:
"If the realm is a KILE implementation that uses an Active Directory for the
account database, the server SHOULD ensure that the
msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.458) of its account
object is set to the value of SupportedEncryptionTypes (section 126.96.36.199).
When an application server is running under the machine account and NRPC is
supported on the machine, the server SHOULD call NetrLogonGetDomainInfo
([MS-NRPC] section 188.8.131.52.9) with the Level parameter set to 1 and
WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes set to
zero.<72> If the WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes
returned is not equal to SupportedEncryptionTypes (section 184.108.40.206), then LDAP
is used to update the setting:<73>
2. Establish an LDAP connection with server information set to NULL
([MS-ADTS] section 7.1).
1. Perform an LDAP modify operation to set the
msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.458) of the
computer account object to the value of SupportedEncryptionTypes
--- snip-end ---
Do we interpret that correctly, that after the machine account has been added
to Active Directory, a netlogon connection is established using the machine
account credentials from the machine account we just created?
NetrLogonGetDomainInfo() is called to retrieve the information if the
supported encryption types need to be changed or not. If it needs to be
1. An LDAP connection with the credentials of the newly created machine
account is established
2. We perform an LDAP modify operation to set the
Is that correct?
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
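The comparison and LDAP modify step quoted from [MS-KILE] above, as an added Python example (not code from the original mail or from Samba). It decodes the bitmask, reports which encryption types an update would add or drop, and emits the LDIF modify record only when the value reported for the account differs from the local one. Function names, the DN and the sample values are constructed; the bit values are the Supported Encryption Types flags from [MS-KILE].

```python
import base64

# Bit flags as listed for Supported Encryption Types in [MS-KILE].
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}


def decode_enctypes(value):
    """Names of the encryption-type bits set in value, lowest bit first."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def diff_enctypes(local, directory):
    """(to_add, to_drop): types the update would add to / drop from AD."""
    return decode_enctypes(local & ~directory), decode_enctypes(directory & ~local)


def ldif_line(attr, value):
    """One LDIF line; base64 ("attr:: ") when value is not an LDIF safe string."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and not value.endswith(" ")
            and not any(c in value for c in "\0\r\n"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def plan_update(computer_dn, local, directory):
    """LDIF modify record for the computer object, or None when the value
    reported for the account already equals the local SupportedEncryptionTypes."""
    if local == directory:
        return None
    return "\n".join([
        ldif_line("dn", computer_dn),
        "changetype: modify",
        "replace: msDS-SupportedEncryptionTypes",
        f"msDS-SupportedEncryptionTypes: {local}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed values: host supports RC4 + AES (0x1c), account shows 0x04 only.
    print(diff_enctypes(0x1C, 0x04))
    print(plan_update("CN=HOST1,CN=Computers,DC=example,DC=com", 0x1C, 0x04))
```

The value passed as `directory` stands for the KerberosSupportedEncryptionTypes returned by NetrLogonGetDomainInfo; the resulting record can be reviewed before it is applied with an LDAP client.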