On Tue, 2008-08-26 at 11:11 -0700, Richard Guthrie wrote: > Andrew, > > The link between G$$<trusted domain secrets> and trustAuthIncoming is > that G$$<trusted domain secrets> is where the password for the trust > was stored prior to active directory (I.E. NT4 for example). If the > trust is a trust between Active Directory enabled domains, the TDO > object is where the trust passwords are stored. I was mistaken when I > spoke previously, stating that if you use the method > LsarSetTrustedDomainInfo with > InformationClass==TrustedPasswordInformation you would be able to > modify trustAuthIncoming/ trustAuthOutgoing values. You can only > modify secret objects when you have > InformationClass==TrustedPasswordInformation. If you want to > manipulate trustAuthIncoming/trustAuthOutgoing, you would need to set > InformationClass = TrustedDomainInformationEx. One point to note is > that this method requires all the fields on the TDO passed in the > TrustedDOmainInformation object be set properly. The preferred means > of modifying trustAuthIncoming/trustAuthOutgoing attributes on the TDO > is through the use of LsarSetInformationTrustedDomain. > > We have also made a modification to the MS-LSAD document for section > 3.1.4.7.3 to make the portion about TrustedPasswordInformation more > clear that it refers to manipulation of a secret object. Here is the > revised text below with the reference to section 3.1.1.4: > > TrustedPasswordInformation: The server MUST verify that a trusted > domain object with this SID exists in its policy database. If the > object does not exist, the call MUST fail with STATUS_NO_SUCH_DOMAIN. > Otherwise, the server MUST open the secret object, as defined in > section 3.1.1.4, (or create a secret object, if one does not already > exist) with "Name" set to "G$$<Trusted Domain Name>". The server MUST > then set "Old Value" of the secret object to the "OldPassword" value > in TrustedDomainInformation and set "New Value" of the secret object > to the "Password" value in TrustedDomainInformation, similar to the > processing when an LsarSetSecret request has been made. > Please let us know if you have any additional questions regarding this > issue.
So, the secrets are another parallel to the trustAuthIncoming and trustAuthOutgoing? The modified text does not reference trustAuthIncoming or trustAuthOutgoing, so I'm confused. Also, how do the cn=users object is influenced by these calls? Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.
signature.asc
Description: This is a digitally signed message part
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
