[cifs-protocol] [REG:120012221001721] Clarification on errata of MS-KILE 3.3.5.7.5

[Bryan Burgin]

-Dochelp
+Support

Hi Isaac,

Thank you for your question.  We created SR 120012221001721 to track your issue.  An enginer will contact you soon.

Bryan

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Wednesday, January 22, 2020 1:18 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Clarification on errata of MS-KILE 3.3.5.7.5

Hello dochelp,

I'm trying to make sense of the two delegation related trust attributes from:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-winerrata%2Fc982f6c4-2f70-4dc7-b252-09092e9f1eed&data=02%7C01%7Cbburgin%40microsoft.com%7C5c314623bc7d4fd84b4a08d79f1c11a5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637152815217318093&sdata=fqyVdHxeEgbNjjDdgYOXw46XC5WsxoSrv1FD7xxTgF0%3D&reserved=0

Quote from the corrected revision:

If the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NOENABLE_TGT_DELEGATION flag is set in the trustAttributes field ([MS-ADTS] section 6.1.6.7.9), the KDC MUST<63> return a ticket with the ok-as-delegate flag notset in TicketFlags.

If the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION is set in the trustedAttributes field ([MS-ADTS] section 6.1.6.7.9) the KDC MUST NOT return a ticket with the ok-as-delegate flag set in TicketFlags.

Unquote.

First, there is a typo in the first section, so I guess it should say TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION instead, but then that section doesn't make much sense unless we also change it to start with "if the flag is NOT set" then return a ticket with ok-as-delegate flag not set.

Please advise.

Thank you