Andrew,

I have completed my research with respect to NetrServerAuthenticate3. Your original question was around whether there are any other methods other than NetrServerAuthenticate3 that return the RID of the authenticated account in a thread on MS-SNTP.

With respect to MS-SNTP and the Windows Time Service, it starts account authentication with a call to NetrLogonGetTrustRid. The documentation discusses the Netlogon method NetrLogonGetTrustRid (http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-SNTP%5D.pdf) in section 1.5.2 of the current doc set.
This method under the covers makes a call to NetrServerAuthenticate3 in the case where the time service is located on a member server. Details of NetrServerAuthenticate3 can be found here (http://msdn.microsoft.com/en-us/library/cc208186.aspx). The RID is retrieved as a return value from establishment of a session key used for the secure channel.

If however the time service is located on a DC that is in the domain of the account to be authenticated, NetrLogonGetTrustRid looks at the local SAM database to get the account and its associated RID. There never is a call to NetrServerAuthenticate3 in this case.

I have requested that the MS-NRPC documentation (section 3.5.4.7.1) be updated to reflect this and will let you know the results of that investigation. Does this answer your question?

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: Richard Guthrie
Sent: Friday, June 27, 2008 4:57 PM
To: Andrew Bartlett
Subject: RE: How are disabled accounts handled in SNTP

Andrew,

I think this is the method you are referring to NetrServerAuthenticate3 (http://msdn.microsoft.com/en-us/library/cc208186.aspx) when you say ServerAuthenticate3. Can you confirm for me? I just did not want to go down the wrong path.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: [EMAIL PROTECTED]

________________________________________
From: Andrew Bartlett [EMAIL PROTECTED]
Sent: Thursday, June 26, 2008 6:58 PM
To: Richard Guthrie
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: How are disabled accounts handled in SNTP

On Thu, 2008-06-26 at 08:50 -0700, Richard Guthrie wrote:
> We are not able to find API ServerAuthenticate3 in our API set. We think you
> were referring to the process described in section 1.5.2 of the [MS-SNTP]
> document, is that correct?

As stated below, this is a NETLOGON API.

As an outside observer, Windows clients appear to use the extended ServerAuthenticate3 netlogon call because it returns the RID, used for this protocol.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
