[cifs-protocol] [Pfif] [REG: 116022513755175] Modifying msDS-SupportedEncryptionTypes attribute after domain join

Sreekanth Nadendla srenaden at microsoft.com
Fri Feb 26 16:17:17 UTC 2016


Hello Andreas, I will be assisting you with your question. I will provide an update as soon as I complete my investigation. If I have any questions during my review, I may in the meantime ask for clarification and/or share my findings with you.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Kamil Sykora 
Sent: Thursday, February 25, 2016 10:16 AM
To: Andreas Schneider
Cc: cifs-protocol at cifs.org; pfif at tridgell.net; MSSolve Case Email
Subject: RE: [REG: 116022513755175] Modifying msDS-SupportedEncryptionTypes attribute after domain join

[BCC: dochelp, CC: casemail]

Hello Andreas,

Thank you for your question regarding the [MS-KILE] documentation. I have created incident 116022513755175 to track your issue. One of our engineers will contact you shortly to start working with you on this issue.

Thanks,
Kamil

Kamil Sykora
tel. (980) 776-7508
working hours 8:00 a.m. - 5:00 p.m. EST, Mon-Fri
manager name: Nam Su Kang, nkang at microsoft.com
kamils at microsoft.com

-----Original Message-----
From: Andreas Schneider [mailto:asn at samba.org]
Sent: Thursday, February 25, 2016 5:56 AM
To: Interoperability Documentation Help <dochelp at exchange.microsoft.com>
Cc: cifs-protocol at cifs.org; pfif at tridgell.net
Subject: Modifying msDS-SupportedEncryptionTypes attribute after domain join

Hello, dochelp!

Günther Deschner and I looked into updating the msDS-SupportedEncryptionTypes attribute after a domain join.

We would like to ask for some clarifications for:

--- snip ---
[MS-KILE] 3.4.3.1 msDS-SupportedEncryptionTypes attribute:

"If the realm is a KILE implementation that uses an Active Directory for the account database, the server SHOULD ensure that the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.458) of its account object is set to the value of SupportedEncryptionTypes (section 3.1.1.5).

When an application server is running under the machine account and NRPC is supported on the machine, the server SHOULD call NetrLogonGetDomainInfo ([MS-NRPC] section 3.4.5.2.9) with the Level parameter set to 1 and WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes set to zero.<72> If the WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes returned is not equal to SupportedEncryptionTypes (section 3.1.1.5), then LDAP is used to update the setting:<73>

1.    Establish an LDAP connection with server information set to NULL
      ([MS-ADTS] section 7.1).

2.    Perform an LDAP modify operation to set the
      msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.458) of the
      computer account object to the value of SupportedEncryptionTypes
      (section 3.1.1.5).
--- snip-end ---

Do we interpret that correctly, that after the machine account has been added to Active Directory, a netlogon connection is established using the credentials of the machine account we just created?

NetrLogonGetDomainInfo() is called to retrieve the information on whether the supported encryption types need to be changed or not. If they need to be changed:

1. An LDAP connection with the credentials of the newly created machine
   account is established
2. We perform an LDAP modify operation to set the
   msDS-SupportedEncryptionTypes attribute


Is that correct?

Thanks!


Best regards,


-- andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
_______________________________________________
Pfif mailing list
Pfif at mail.tridgell.net
http://lists.tridgell.net/cgi-bin/mailman/listinfo/pfif
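The post-join procedure quoted from [MS-KILE] 3.4.3.1 in the thread above, as an added example written for this archive page. It is not code from Samba, Microsoft or anyone in the thread. It takes as input the value that NetrLogonGetDomainInfo (Level 1) returned in WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes (the RPC itself is not performed here), applies the spec's "not equal, then update" test, and produces the LDAP modify for the computer object as LDIF that can be fed to ldapmodify or ldbmodify. The bit values are the msDS-SupportedEncryptionTypes flags from [MS-KILE] 2.2.7; the DN, the enctype selection and the warnings about DES/RC4-only values are assumptions for illustration.

```python
# Added example (not Samba's or Microsoft's code): the post-join procedure
# from [MS-KILE] 3.4.3.1 as decision logic. The caller supplies the value that
# NetrLogonGetDomainInfo (Level 1) returned in
# WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes; the RPC itself
# is not performed here.

# Bit flags of msDS-SupportedEncryptionTypes ([MS-KILE] 2.2.7).
ENCTYPE_FLAGS = {
    "DES-CBC-CRC": 0x01,
    "DES-CBC-MD5": 0x02,
    "RC4-HMAC": 0x04,
    "AES128-CTS-HMAC-SHA1-96": 0x08,
    "AES256-CTS-HMAC-SHA1-96": 0x10,
}
# Single DES is broken and RC4-HMAC is deprecated; a value consisting only of
# these bits leaves the account unable to negotiate AES.
WEAK_FLAGS = (ENCTYPE_FLAGS["DES-CBC-CRC"] | ENCTYPE_FLAGS["DES-CBC-MD5"]
              | ENCTYPE_FLAGS["RC4-HMAC"])
KNOWN_FLAGS = 0
for _bit in ENCTYPE_FLAGS.values():
    KNOWN_FLAGS |= _bit

ATTRIBUTE = "msDS-SupportedEncryptionTypes"


def enctype_mask(names):
    """Build SupportedEncryptionTypes ([MS-KILE] 3.1.1.5) from enctype names."""
    mask = 0
    for name in names:
        mask |= ENCTYPE_FLAGS[name]  # an unknown name raises KeyError on purpose
    return mask


def decode_mask(mask):
    """Names of the enctypes set in a mask, in flag order."""
    return [name for name, bit in ENCTYPE_FLAGS.items() if mask & bit]


def needs_update(returned, local):
    """The spec's test: update only when the DC-reported value differs from ours."""
    return returned != local


def modify_ldif(dn, mask):
    """LDIF for the LDAP modify (replace) of the computer object's attribute."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        f"replace: {ATTRIBUTE}",
        f"{ATTRIBUTE}: {mask}",  # AD stores the flags as a decimal integer
        "-",
        "",
    ])


def plan_update(dn, returned, local):
    """Decide what the joining host should do after NetrLogonGetDomainInfo.

    returned: KerberosSupportedEncryptionTypes as reported by the DC
              (0 when the attribute is not set on the account).
    local:    the SupportedEncryptionTypes value this host wants to advertise.
    Returns {'action': 'none'|'modify', 'ldif': ..., 'warnings': [...]};
    warnings flag values a practitioner should look at before applying.
    """
    warnings = []
    unknown = local & ~KNOWN_FLAGS
    if unknown:
        warnings.append(f"unknown bits set: 0x{unknown:x}")
    if local == 0:
        warnings.append("local value is 0: the DC's default enctype policy applies")
    elif not (local & ~WEAK_FLAGS):
        warnings.append("only DES/RC4 enctypes enabled; AES will not be offered")
    if not needs_update(returned, local):
        return {"action": "none", "warnings": warnings}
    return {"action": "modify", "ldif": modify_ldif(dn, local), "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: a freshly joined host wanting AES only; the DC reports 0.
    dn = "CN=HOST1,CN=Computers,DC=example,DC=test"  # hypothetical DN
    wanted = enctype_mask(["AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"])
    plan = plan_update(dn, returned=0, local=wanted)
    print(plan["action"], decode_mask(wanted), plan.get("ldif", ""), sep="\n")
```

The comparison is deliberately exact, as the spec states: a DC value that is a superset or subset of the local one still triggers the modify, so the attribute ends up reflecting what the host actually supports rather than what an earlier join or an administrator left there.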
