[cifs-protocol] [REG: 116022513755175] Modifying msDS-SupportedEncryptionTypes attribute after domain join
Andreas Schneider
asn at samba.org
Fri Mar 11 21:42:05 UTC 2016
On Friday 11 March 2016 19:33:35 Sreekanth Nadendla wrote:
> Hello Andreas,
Hi Sreekanth,
thanks for looking into this and reporting back!
> Your interpretation is correct as you've stated in
> your e-mail below. Please do not hesitate to contact me if you have any
> other questions.
How does it work with pre-created machine accounts? Is the attribute checked
and updated too?
Cheers,
-- andreas
>
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
>
> -----Original Message-----
> From: Andreas Schneider [mailto:asn at samba.org]
> Sent: Thursday, February 25, 2016 5:56 AM
> To: Interoperability Documentation Help <dochelp at exchange.microsoft.com>
> Cc: cifs-protocol at cifs.org; pfif at tridgell.net
> Subject: Modifying msDS-SupportedEncryptionTypes attribute after domain join
>
> Hello, dochelp!
>
> Günther Deschner and I looked into updating the
> msDS-SupportedEncryptionTypes attribute after a domain join.
>
> We would like to ask for some clarifications for:
>
> --- snip ---
> [MS-KILE] 3.4.3.1 msDS-SupportedEncryptionTypes attribute:
>
> "If the realm is a KILE implementation that uses an Active Directory for the
> account database, the server SHOULD ensure that the
> msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.458) of its
> account object is set to the value of SupportedEncryptionTypes (section
> 3.1.1.5).
>
> When an application server is running under the machine account and NRPC is
> supported on the machine, the server SHOULD call NetrLogonGetDomainInfo
> ([MS-NRPC] section 3.4.5.2.9) with the Level parameter set to 1 and
> WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes set to
> zero.<72> If the
> WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes returned is
> not equal to SupportedEncryptionTypes (section 3.1.1.5), then LDAP is used
> to update the setting:<73>
>
> 1. Establish an LDAP connection with server information set to NULL
> ([MS-ADTS] section 7.1).
>
> 2. Perform an LDAP modify operation to set the
> msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.458) of
> the computer account object to the value of SupportedEncryptionTypes
> (section 3.1.1.5).
> --- snip-end ---
>
> Do we interpret that correctly, that after the machine account has been
> added to Active Directory, a netlogon connection is established using the
> machine account credentials of the machine account we just created?
>
> NetrLogonGetDomainInfo() is called to retrieve the information if the
> supported encryption types need to be changed or not. If it needs to be
> changed:
>
> 1. An LDAP connection with the credentials of the newly created machine
> account is established
> 2. We perform an LDAP modify operation to set the
> msDS-SupportedEncryptionTypes attribute
>
>
> Is that correct?
>
> Thanks!
>
>
> Best regards,
>
>
> -- andreas
>
> --
> Andreas Schneider GPG-ID: CC014E3D
> Samba Team asn at samba.org
> www.samba.org
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
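To make the procedure in the quoted [MS-KILE] 3.4.3.1 text concrete, here is an added example written for this page; it is not code from the thread, from Samba or from Microsoft. It shows the client-side decision after the join: compare the value NetrLogonGetDomainInfo returned in WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes with the local SupportedEncryptionTypes and, only on a mismatch, build the LDAP modify for the computer object. The flag bits are the msDS-SupportedEncryptionTypes values from [MS-KILE] 2.2.7; the computer DN is made up, the netlogon result is passed in as an integer, and the modify is rendered as LDIF (the input format of ldbmodify) rather than sent over the wire, so the script runs offline.

```python
"""
Added example, not code from the thread, from Samba or from Microsoft: the
client-side decision described in [MS-KILE] 3.4.3.1 after a domain join.

Assumptions: flag bit values are the msDS-SupportedEncryptionTypes bits from
[MS-KILE] 2.2.7; the computer DN is made up; the NetrLogonGetDomainInfo result
is supplied as an integer; the LDAP modify is rendered as LDIF instead of
being sent, so everything runs offline.
"""
from typing import List, Optional

# msDS-SupportedEncryptionTypes bit flags ([MS-KILE] 2.2.7)
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

ENCTYPE_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS_HMAC_SHA1_96: "AES256-CTS-HMAC-SHA1-96",
}
KNOWN_BITS = sum(ENCTYPE_NAMES)  # union of the bits the table above covers


def describe(etypes: int) -> List[str]:
    """Names of the set bits, lowest bit first. Bits outside the table are
    reported as hex so a reviewer notices values the table does not cover."""
    names = [name for bit, name in sorted(ENCTYPE_NAMES.items()) if etypes & bit]
    unknown = etypes & ~KNOWN_BITS
    if unknown:
        names.append("unknown(0x%x)" % unknown)
    return names


def needs_update(local_supported: int, returned_by_netlogon: int) -> bool:
    """The [MS-KILE] 3.4.3.1 test: update via LDAP iff the value returned in
    WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes differs from
    the local SupportedEncryptionTypes. Bit-for-bit inequality, not a subset
    check: a DC advertising *more* than we support also triggers the update."""
    return returned_by_netlogon != local_supported


def build_modify_ldif(computer_dn: str, local_supported: int) -> str:
    """LDIF for step 2 of the quoted procedure. 'replace' rather than 'add'
    so any value already on the computer object is overwritten, not
    duplicated (the attribute is single-valued)."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: msDS-SupportedEncryptionTypes\n"
        "msDS-SupportedEncryptionTypes: %d\n"
        "-\n" % (computer_dn, local_supported)
    )


def reconcile(computer_dn: str, local_supported: int,
              returned_by_netlogon: int) -> Optional[str]:
    """Run the quoted procedure once NetrLogonGetDomainInfo has been called
    (with KerberosSupportedEncryptionTypes set to zero, as the spec text says,
    so the DC's current value came back). Returns the LDIF to apply over an
    LDAP connection authenticated as the machine account, or None when the
    DC already matches and no modify is needed."""
    if not needs_update(local_supported, returned_by_netlogon):
        return None
    return build_modify_ldif(computer_dn, local_supported)


if __name__ == "__main__":
    # Constructed sample: the freshly joined host supports AES + RC4, while
    # the DC reports RC4 only for the new computer account.
    dn = "CN=HOST1,CN=Computers,DC=example,DC=com"  # assumed DN, not real
    local = AES256_CTS_HMAC_SHA1_96 | AES128_CTS_HMAC_SHA1_96 | RC4_HMAC
    from_dc = RC4_HMAC
    print("local :", describe(local))
    print("DC    :", describe(from_dc))
    ldif = reconcile(dn, local, from_dc)
    print(ldif if ldif else "attribute already in sync, no LDAP modify needed")
```

The emitted LDIF can be fed to ldbmodify or ldapmodify on a connection bound with the machine account's credentials; after applying it, a second NetrLogonGetDomainInfo (again with the field set to zero) should come back equal to the local value, which is the cheap way to confirm the modify actually landed.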