[cifs-protocol] [MS-GPOL] Computer group policy fetch - what credentials are used ? [REG:116090914649988]

Edgar Olougouna edgaro at microsoft.com
Tue Sep 20 17:39:58 UTC 2016


Hello Jeremy,
At machine startup, before login, any Kerberos traffic and related authentication uses the machine account, e.g. AS Request and TGS Response have Cname: WIN-CNJIRV8M39S$
I am filing a document bug to get MS-GPOL clarified.

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, September 9, 2016 2:23 PM
To: Jeremy Allison <jra at samba.org>
Cc: cifs-protocol at lists.samba.org; gd at samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [MS-GPOL] Computer group policy fetch - what credentials are used ? [REG:116090914649988]

Hi Jeremy,
I will investigate this and follow up.

Thanks,
Edgar


-----Original Message-----
From: Obaid Farooqi 
Sent: Friday, September 9, 2016 2:14 PM
To: Jeremy Allison <jra at samba.org>
Cc: cifs-protocol at lists.samba.org; gd at samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [MS-GPOL] Computer group policy fetch - what credentials are used ? [REG:116090914649988]

Hi Jeremy:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com

-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org] 
Sent: Friday, September 9, 2016 1:53 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org; gd at samba.org
Cc: jra at samba.org
Subject: [MS-GPOL] Computer group policy fetch - what credentials are used ?

Hi Dochelp,

Here's something I'm working on at the moment, that unfortunately is as clear as mud from the docs :-).

When a Windows client downloads machine group policy objects, what credentials does it use to do so ?

[MS-GPOL].pdf states:

3.2.5.1 Policy Application
...
Steps 3.2.5.1.3 through 3.2.5.1.7 SHOULD be performed while impersonating the policy target as specified in [MS-DTYP] section 2.7, Impersonation Abstract Interfaces.
...
Policy target impersonation proceeds as follows:
1. For Computer Policy Application Mode, the Policy Source Mode MUST be set to Normal.
2. The client application retrieves the primary token of the interactive user (the policy target) and passes it to the Start Impersonation abstract interface as specified in [MS-DTYP] section 2.7.1.

The above implies that "Computer Policies" should be done under the credential context of the interactive user.

But machine GPOs are fetched *before* user logon.

So either they're fetched using a cached user credential, or the above isn't correct.

But later in the doc it states:

3.2.5.1.5 GPO Search
...
7. The Policy Target Security Token MUST be initialized to the security token of the Policy Target.
For computer policy mode, retrieve the machine token that is associated with the security context of the server using Kerberos authentication.<32> For user policy mode, retrieve the impersonation token of the caller.<33>

which implies that it's done under the credential context of the machine account.

Which is it ?

Cheers,

Jeremy.
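As an added example that is not part of this thread (not Samba, Microsoft or MS-GPOL code), here is a small Python check that encodes the behaviour Edgar describes: before the first interactive logon, Kerberos AS-REQ/TGS traffic, and therefore the SYSVOL access for computer policy, should carry the machine principal (a SAM name ending in `$`, such as `WIN-CNJIRV8M39S$`). The event ids are the Windows Security audit ids (4768 TGT requested, 4769 service ticket requested, 4624 logon with logon type 2 = interactive), but the pipe-separated line format, the host `dc1.example.test` and the log lines themselves are constructed for the example. A non-empty result is the "cached user credential" case Jeremy raises and would be worth investigating on a real timeline.

```python
"""Verify that pre-logon Kerberos traffic uses the machine account.

Added example for the MS-GPOL thread; not code from Samba, Microsoft or the
MS-GPOL document. Event ids follow Windows Security auditing (4768, 4769,
4624; logon type 2 = interactive). The line format, the DC name and the
sample lines are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AuthEvent:
    time: str
    event_id: int
    account: str      # cname / account name as logged
    service: str      # target service principal for 4769, else ""
    logon_type: int   # meaningful for 4624 only; 0 otherwise


def is_machine_account(name: str) -> bool:
    """Machine accounts are SAM names ending in '$', e.g. WIN-CNJIRV8M39S$."""
    return name.endswith("$")


def parse_line(line: str) -> AuthEvent:
    """Parse the constructed 'time|event|account|service|logon_type' format."""
    time, event_id, account, service, logon_type = line.strip().split("|")
    return AuthEvent(time, int(event_id), account, service, int(logon_type))


def pre_logon_kerberos_by_user(events: Iterable[AuthEvent]) -> List[AuthEvent]:
    """Return Kerberos requests issued before the first interactive logon
    that were NOT made by a machine account.

    An empty list matches MS-GPOL 3.2.5.1.5 step 7 as Edgar clarifies it:
    computer policy is applied with the machine token. A non-empty list is
    the 'cached user credential' case Jeremy asks about.
    """
    suspicious = []
    for ev in events:
        if ev.event_id == 4624 and ev.logon_type == 2:
            break  # first interactive logon; later traffic is user-driven
        if ev.event_id in (4768, 4769) and not is_machine_account(ev.account):
            suspicious.append(ev)
    return suspicious


# Constructed timeline merged from DC (4768/4769) and client (4624) logs:
# machine account obtains a TGT and LDAP/CIFS tickets (GPO search and
# SYSVOL fetch), then alice logs on and gets her own tickets.
SAMPLE_LOG = """\
08:00:01|4768|WIN-CNJIRV8M39S$||0
08:00:02|4769|WIN-CNJIRV8M39S$|ldap/dc1.example.test|0
08:00:03|4769|WIN-CNJIRV8M39S$|cifs/dc1.example.test|0
08:00:30|4624|alice||2
08:00:31|4768|alice||0
08:00:32|4769|alice|cifs/dc1.example.test|0
"""

# Same timeline, but the CIFS ticket before logon is requested as the user.
SAMPLE_LOG_BAD = SAMPLE_LOG.replace(
    "08:00:03|4769|WIN-CNJIRV8M39S$|cifs/dc1.example.test|0",
    "08:00:03|4769|alice|cifs/dc1.example.test|0",
)


def check(log_text: str) -> List[str]:
    """Return the offending account names (in order) for a log text."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return [ev.account for ev in pre_logon_kerberos_by_user(events)]


if __name__ == "__main__":
    print("good timeline:", check(SAMPLE_LOG))     # []
    print("bad timeline:", check(SAMPLE_LOG_BAD))  # ['alice']
```

The split point is the first 4624 with logon type 2; on a real host you would take 4768/4769 from the domain controller's security log and 4624 from the client, and normalise the timestamps before merging them.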


