[cifs-protocol] [MS-GPOL] Computer group policy fetch - what credentials are used ? [REG:116090914649988]
obaidf at microsoft.com
Fri Sep 9 19:13:43 UTC 2016
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.
Escalation Engineer | Microsoft
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com
From: Jeremy Allison [mailto:jra at samba.org]
Sent: Friday, September 9, 2016 1:53 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org; gd at samba.org
Cc: jra at samba.org
Subject: [MS-GPOL] Computer group policy fetch - what credentials are used ?
Here's something I'm working on at the moment, that unfortunately is as clear as mud from the docs :-).
When a Windows client downloads machine group policy objects, what credentials does it use to do so ?
184.108.40.206 Policy Application
Steps 220.127.116.11.3 through 18.104.22.168.7 SHOULD be performed while impersonating the policy target as specified in [MS-DTYP] section 2.7, Impersonation Abstract Interfaces.
Policy target impersonation proceeds as follows:
1. For Computer Policy Application Mode, the Policy Source Mode MUST be set to Normal.
2. The client application retrieves the primary token of the interactive user (the policy target) and passes it to the Start Impersonation abstract interface as specified in [MS-DTYP] section 2.7.1.
The above implies that "Computer Policies" should be done under the credential context of the interactive user.
But machine GPOs are fetched *before* user logon.
So either they're fetched using a cached user credential, or the above isn't correct.
But later in the doc it states:
22.214.171.124.5 GPO Search
7. The Policy Target Security Token MUST be initialized to the security token of the Policy Target.
For computer policy mode, retrieve the machine token that is associated with the security context of the server using Kerberos authentication.<32> For user policy mode, retrieve the impersonation token of the caller.<33>
which implies that it's done under the credential context of the machine account.
Which is it ?