[cifs-protocol] [REG: 116022513755175] Modifying msDS-SupportedEncryptionTypes attribute after domain join

Sreekanth Nadendla srenaden at microsoft.com
Mon Mar 14 17:03:59 UTC 2016


Hi Andreas, even in the scenario where the machine account is pre-created, msDS-SupportedEncryptionTypes is updated.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andreas Schneider [mailto:asn at samba.org]
Sent: Friday, March 11, 2016 1:42 PM
To: Sreekanth Nadendla <srenaden at microsoft.com>
Cc: cifs-protocol at lists.samba.org; pfif at tridgell.net; MSSolve Case Email <casemail at microsoft.com>
Subject: Re: [REG: 116022513755175] Modifying msDS-SupportedEncryptionTypes attribute after domain join

On Friday 11 March 2016 19:33:35 Sreekanth Nadendla wrote:
> Hello Andreas,

Hi Sreekanth,

thanks for looking into this and reporting back!

>                           Your interpretation is correct as you've 
> stated in your e-mail below. Please do not hesitate to contact me if 
> you have any other questions.

How does it work with pre-created machine accounts? Is the attribute checked and updated too?


Cheers,


	-- andreas

> 
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
> 
> -----Original Message-----
> From: Andreas Schneider [mailto:asn at samba.org]
> Sent: Thursday, February 25, 2016 5:56 AM
> To: Interoperability Documentation Help 
> <dochelp at exchange.microsoft.com>
> Cc: cifs-protocol at cifs.org; pfif at tridgell.net
> Subject: Modifying msDS-SupportedEncryptionTypes attribute after 
> domain join
> 
> Hello, dochelp!
> 
> Günther Deschner and I looked into updating the 
> msDS-SupportedEncryptionTypes attribute after a domain join.
> 
> We would like to ask for some clarifications for:
> 
> --- snip ---
> [MS-KILE] 3.4.3.1 msDS-SupportedEncryptionTypes attribute:
> 
> "If the realm is a KILE implementation that uses an Active Directory 
> for the account database, the server SHOULD ensure that the msDS- 
> SupportedEncryptionTypes attribute ([MS-ADA2] section 2.458) of its 
> account object is set to the value of SupportedEncryptionTypes (section 3.1.1.5).
> 
> When an application server is running under the machine account and 
> NRPC is supported on the machine, the server SHOULD call 
> NetrLogonGetDomainInfo
> ([MS-NRPC] section 3.4.5.2.9) with the Level parameter set to 1 and 
> WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes set to 
> zero.<72> If the 
> WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes returned 
> is not equal to SupportedEncryptionTypes (section 3.1.1.5), then LDAP 
> is used to update the setting:<73>
> 
> 1.    Establish an LDAP connection with server information set to NULL
>       ([MS-ADTS] section 7.1).
> 
> 2.    Perform an LDAP modify operation to set the
>       msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 
> 2.458) of the computer account object to the value of 
> SupportedEncryptionTypes (section 3.1.1.5).
> --- snip-end ---
> 
> Do we interpret that correctly, that after the machine account has 
> been added to Active directory, a netlogon connection is established 
> using the machine account credentials from the machine account we just created.
> 
> NetrLogonGetDomainInfo() is called to retrieve the information if the 
> supported encryption types need to be changed or not. If it needs to 
> be
> changed:
> 
> 1. An LDAP connection with the credentials of the newly created machine
>    account is established
> 2. We perform an LDAP modify operation to set the
>    msDS-SupportedEncryptionTypes attribute
> 
> 
> Is that correct?
> 
> Thanks!
> 
> 
> Best regards,
> 
> 
> -- andreas
> 
> --
> Andreas Schneider                   GPG-ID: CC014E3D
> Samba Team                             asn at samba.org
> www.samba.org

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
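The check-and-update sequence quoted from [MS-KILE] 3.4.3.1 above, modelled as an added Python example. This is not Samba's or Windows' code and is not part of this thread: the NetrLogonGetDomainInfo call is not performed, the value the DC would hand back in WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes is constructed, and the computer DN is hypothetical. The bit values are the msDS-SupportedEncryptionTypes flags as listed in [MS-KILE] 2.2.7; the LDAP modify of step 2 is emitted as LDIF rather than sent.

```python
# Added example (not Samba's or Windows' code): a stand-alone model of the
# post-join check described in [MS-KILE] 3.4.3.1. The NRPC call itself is
# not performed; the value it would return is constructed in __main__.

# Bit flags of msDS-SupportedEncryptionTypes as listed in [MS-KILE] 2.2.7.
ENC_TYPE_FLAGS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
    0x00010000: "FAST-supported",
    0x00020000: "Compound-identity-supported",
    0x00040000: "Claims-supported",
    0x00080000: "Resource-SID-compression-disabled",
}

CIPHER_MASK = 0x0000001F        # bits that name an actual Kerberos etype
WEAK_CIPHER_MASK = 0x00000007   # the DES and RC4 bits

ATTR = "msDS-SupportedEncryptionTypes"


def decode_enc_types(value):
    """Return the flag names set in an msDS-SupportedEncryptionTypes value.

    Unknown bits are reported as 'unknown:0x...' rather than dropped, so a
    value written by a newer implementation is not silently misread.
    """
    names = []
    remaining = value
    for bit, name in sorted(ENC_TYPE_FLAGS.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append("unknown:0x%x" % remaining)
    return names


def needs_update(returned_from_nrpc, supported_encryption_types):
    """[MS-KILE] 3.4.3.1: update via LDAP iff the value the DC returned in
    WkstaBuffer.WorkstationInfo.KerberosSupportedEncryptionTypes differs
    from the host's own SupportedEncryptionTypes. An unset attribute comes
    back as 0, so a freshly created or pre-created account triggers the
    update whenever the host supports anything at all.
    """
    return returned_from_nrpc != supported_encryption_types


def only_weak_ciphers(value):
    """True when the account advertises DES/RC4 only (or nothing at all),
    i.e. no AES bit is set and the KDC will not pick AES for this account."""
    return (value & CIPHER_MASK & ~WEAK_CIPHER_MASK) == 0


def ldif_modify(computer_dn, supported_encryption_types):
    """Build the LDAP modify of step 2 as LDIF (consumable by ldapmodify).
    The attribute has INTEGER syntax, hence the decimal value."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: %s\n"
        "%s: %d\n"
        "-\n" % (computer_dn, ATTR, ATTR, supported_encryption_types)
    )


def reconcile(computer_dn, returned_from_nrpc, supported_encryption_types):
    """Run the whole decision: return the LDIF to apply, or None when the
    DC already holds the right value."""
    if not needs_update(returned_from_nrpc, supported_encryption_types):
        return None
    return ldif_modify(computer_dn, supported_encryption_types)


if __name__ == "__main__":
    # Constructed sample: a pre-created account whose attribute is still
    # unset (the DC returns 0) on a host that supports AES128 and AES256.
    HOST_SUPPORTED = 0x18
    DN = "CN=WS01,CN=Computers,DC=example,DC=test"  # hypothetical DN
    print("host advertises:", decode_enc_types(HOST_SUPPORTED))
    ldif = reconcile(DN, 0, HOST_SUPPORTED)
    print(ldif if ldif else "attribute already correct")
    print("weak-only before update:", only_weak_ciphers(0))
    print("weak-only after update:", only_weak_ciphers(HOST_SUPPORTED))
```

Running it prints the LDIF that step 2 would send for a pre-created account whose attribute is still unset. The only_weak_ciphers check is the practitioner's caveat behind Andreas's question: as long as the attribute is unset or carries only the DES/RC4 bits, the KDC will not select an AES key for tickets to that account, so the post-join update matters for a pre-created account exactly as much as for one the join created.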