[cifs-protocol] [MS-ADTS] GetgMSAPasswordBlob — Calculation of rollover interval
Joseph Sutton
jsutton at samba.org
Thu Nov 23 01:07:04 UTC 2023
Hi dochelp,

I think there may be an error — or at least some opportunity for
confusion — in the documentation for GetgMSAPasswordBlob ([MS-ADTS]
3.1.1.4.5.39, “msDS-ManagedPassword”). The documentation states that
GKDIRolloverInterval is equal to:

    (TO!msDS-ManagedPasswordInterval × 24 ∕ KeyCycleDuration) ×
    KeyCycleDuration

GKDIRolloverInterval is later added to the time returned by
GKDIGetKeyStartTime(), implying that the former value is measured in
100ns units as is the latter. However, the expression given in the
documentation appears to be equivalent to
‘TO!msDS-ManagedPasswordInterval × 24’, which would produce a quantity
in hours.

If GKDIRolloverInterval is meant to be a FILETIME, I think the correct
expression should be:

    TO!msDS-ManagedPasswordInterval × 24 × 60 × 60 × 10⁷

This gives an answer consistent with the results I’m seeing from Windows.

Regards,
Joseph
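The unit mismatch described in the message above, worked through as an added example (not code from the poster, Samba or Microsoft). It assumes KeyCycleDuration is 10 hours in 100ns units, a value taken from [MS-GKDI] rather than from this message; the key start time and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from fractions import Fraction

# Assumption (not stated in the message): KeyCycleDuration is 10 hours
# expressed in 100ns units, as in [MS-GKDI].
KEY_CYCLE_DURATION = 360_000_000_000
TICKS_PER_SECOND = 10**7  # one FILETIME tick is 100ns
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def documented_interval(days, integer_division=False):
    """The expression as printed in the documentation."""
    if integer_division:
        # Truncating division makes the bracketed term 0 for any realistic input.
        return (days * 24 // KEY_CYCLE_DURATION) * KEY_CYCLE_DURATION
    # Exact arithmetic: KeyCycleDuration cancels, leaving days * 24 (hours).
    return int(Fraction(days * 24, KEY_CYCLE_DURATION) * KEY_CYCLE_DURATION)

def proposed_interval(days):
    """The expression proposed in the message: days converted to 100ns ticks."""
    return days * 24 * 60 * 60 * TICKS_PER_SECOND

def utc_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def filetime_to_utc(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def next_rollover(key_start_time, interval):
    """Add the interval to the key start time, both treated as FILETIME values."""
    return filetime_to_utc(key_start_time + interval)

if __name__ == "__main__":
    # Constructed sample: a key start time and a 30-day password interval.
    start = utc_to_filetime(datetime(2023, 11, 23, tzinfo=timezone.utc))
    days = 30
    for label, interval in [
        ("documented, exact arithmetic", documented_interval(days)),
        ("documented, integer division", documented_interval(days, True)),
        ("proposed", proposed_interval(days)),
    ]:
        print(f"{label:30} {interval:>18} ticks -> {next_rollover(start, interval)}")
```

Read as a FILETIME quantity, the documented expression moves the rollover time by 72 microseconds (or not at all under integer division), while the proposed expression moves it by the full 30 days.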