[cifs-protocol] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval

Joseph Sutton jsutton at samba.org
Thu Nov 23 01:07:04 UTC 2023

Hi dochelp,

I think there may be an error — or at least some opportunity for 
confusion — in the documentation for GetgMSAPasswordBlob ([MS-ADTS], “msDS-ManagedPassword”). The documentation states that 
GKDIRolloverInterval is equal to:

(TO!msDS-ManagedPasswordInterval × 24 ∕ KeyCycleDuration) ×

GKDIRolloverInterval is later added to the time returned by 
GKDIGetKeyStartTime(), implying that the former value is measured in 
100ns units as is the latter. However, the expression given in the 
documentation appears to be equivalent to 
‘TO!msDS-ManagedPasswordInterval × 24’, which would produce a quantity 
in hours.

If GKDIRolloverInterval is meant to be a FILETIME, I think the correct 
expression should be:

TO!msDS-ManagedPasswordInterval × 24 × 60 × 60 × 10⁷

This gives an answer consistent with the results I’m seeing from Windows.


More information about the cifs-protocol mailing list