Hello Andrew,
We have concluded our investigation regarding this issue.
Question: "How do I determine what Key Version Number (kvno) to assign to
trusted domain entities in the KDC?"
Answer:
The key version number of the trust password for a trust object is set by
making a LsarSetTrustedDomainInfoByName ([MS-LSAD] section 3.1.4.7.6) request
when the trust is created. It is incremented by 1 each time the trust password
is changed. The key version number can be determined at any time by making an
LsarQueryTrustedDomainInfoByName request or parsing the
trustAuthInfoIncoming/trustAuthInfoOutgoing attributes using the information
provided in MS-ADTS section 7.1.6.9.1 and looking for an LSAPR_AUTH_INFORMATION
structure with AuthType equal to TRUST_AUTH_TYPE_VERSION (3).
A change will be made to the [MS-ADA2] document section 2.235 Attribute
msDS-KeyVersionNumber which will be similar to the following:
2.235 Attribute msDS-KeyVersionNumber
For a given user, computer or built-in account, this attribute specifies the
Kerberos version number of the current key for that account. The Kerberos key
version number for trusts is stored in the trusted domain object (TDO) whose
object class is trustedDomain.
cn: ms-DS-KeyVersionNumber
ldapDisplayName: msDS-KeyVersionNumber
attributeId: 1.2.840.113556.1.4.1782
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
schemaIdGuid: c523e9c0-33b5-4ac8-8923-b57b927f42f6
systemOnly: TRUE
searchFlags: 0
systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_IS_CONSTRUCTED
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL
Version-Specific Behavior: Implemented on Windows Server 2003, Windows Server
2003 R2, and Windows Server 2008.
The schemaFlagsEx attribute was added to this attribute definition in Windows
Server 2008.
Please let me know if this fully answers this issue.
Thanks
John Dunning
Senior Escalation Engineer Microsoft Corporation
US-CSS DSC PROTOCOL TEAM
Email: [EMAIL PROTECTED]
Tele: (469)775-7008
-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 02, 2008 11:13 PM
To: Interoperability Documentation Help
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: KVNO of trusts
How do I determine what Key Version Number (kvno) to assign to trusted domain
entities in the KDC?
For normal users, we have msDS-KeyVersionNumber, but as per our previous
discussions, trusts do not need cn=user type objects for interoperability (a
point I dispute, but regardless). So, what is the source of the key version
number for these principals?
(Is it the 'for NETLOGON use' version number in the trustAuthIncoming and
trustAuthOutgoing attributes, for example?)
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
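The reply above says the trust kvno is the ULONG carried by the LSAPR_AUTH_INFORMATION entry whose AuthType is TRUST_AUTH_TYPE_VERSION (3) inside the trustAuthIncoming/trustAuthOutgoing blob. The following parser is an added example that is not part of the thread and not Samba or Microsoft code. The byte layout it assumes is my reading of the trustAuthInfo attribute format in [MS-ADTS] (a Count, a byte offset to the "current" entries, a byte offset to the "previous" entries, then the entries, each being LastUpdateTime, AuthType, AuthInfoLength, AuthInfo padded to 4 bytes); all function names are mine, and SAMPLE_BLOB is constructed here, not captured from a directory.

```python
"""Extract the trust kvno from a trustAuthIncoming / trustAuthOutgoing blob.

Added example, not code from the mailing-list thread, Samba or Microsoft.
Assumed layout (my reading of the trustAuthInfo format in [MS-ADTS]):

    Count           (4 bytes, little-endian)  entries in each array
    CurrentOffset   (4 bytes)  byte offset of the "current" entries
    PreviousOffset  (4 bytes)  byte offset of the "previous" entries
    entries         Count current entries, then Count previous entries

Each entry (LSAPR_AUTH_INFORMATION as stored in the attribute):

    LastUpdateTime  (8 bytes, FILETIME)
    AuthType        (4 bytes)  0=NONE 1=NT4OWF 2=CLEAR 3=VERSION
    AuthInfoLength  (4 bytes)
    AuthInfo        (AuthInfoLength bytes), padded to a 4-byte boundary
"""
import struct
from typing import List, Optional, Tuple

TRUST_AUTH_TYPE_NONE = 0
TRUST_AUTH_TYPE_NT4OWF = 1
TRUST_AUTH_TYPE_CLEAR = 2
TRUST_AUTH_TYPE_VERSION = 3

AuthEntry = Tuple[int, int, bytes]  # (LastUpdateTime, AuthType, AuthInfo)


def _parse_entries(blob: bytes, offset: int, count: int) -> List[AuthEntry]:
    """Walk `count` AuthenticationInformation entries starting at `offset`."""
    entries: List[AuthEntry] = []
    pos = offset
    for _ in range(count):
        if pos + 16 > len(blob):
            raise ValueError("truncated AuthenticationInformation header")
        last_update, auth_type, length = struct.unpack_from("<QII", blob, pos)
        pos += 16
        if pos + length > len(blob):
            raise ValueError("AuthInfoLength runs past the end of the blob")
        info = blob[pos:pos + length]
        pos += length + ((-length) % 4)  # skip data and 4-byte padding
        entries.append((last_update, auth_type, info))
    return entries


def parse_trust_auth_blob(blob: bytes) -> Tuple[List[AuthEntry], List[AuthEntry]]:
    """Return (current_entries, previous_entries) from a trustAuthIn/Out blob."""
    if len(blob) < 12:
        raise ValueError("blob too short for Count/CurrentOffset/PreviousOffset")
    count, cur_off, prev_off = struct.unpack_from("<III", blob, 0)
    if count == 0:
        return [], []
    return _parse_entries(blob, cur_off, count), _parse_entries(blob, prev_off, count)


def trust_kvno(entries: List[AuthEntry]) -> Optional[int]:
    """kvno = the 4-byte ULONG in the TRUST_AUTH_TYPE_VERSION entry, or None
    when the array carries no VERSION entry (e.g. NT4OWF-only trusts)."""
    for _, auth_type, info in entries:
        if auth_type == TRUST_AUTH_TYPE_VERSION:
            if len(info) != 4:
                raise ValueError("VERSION entry must carry a 4-byte ULONG")
            return struct.unpack("<I", info)[0]
    return None


def _pack_entry(last_update: int, auth_type: int, info: bytes) -> bytes:
    return struct.pack("<QII", last_update, auth_type, len(info)) + info + b"\0" * ((-len(info)) % 4)


def build_trust_auth_blob(current: List[AuthEntry], previous: List[AuthEntry]) -> bytes:
    """Serialize entries in the assumed layout; used here only to construct sample data."""
    if len(current) != len(previous):
        raise ValueError("current and previous arrays must both have Count entries")
    cur = b"".join(_pack_entry(*e) for e in current)
    prev = b"".join(_pack_entry(*e) for e in previous)
    return struct.pack("<III", len(current), 12, 12 + len(cur)) + cur + prev


# Constructed sample (not from any real directory): a trust whose password was
# changed after creation, so the current secret is kvno 5 and the previous kvno 4.
_T_NOW, _T_OLD = 0x01C9146D12345678, 0x01C8F00000000000  # arbitrary FILETIMEs
SAMPLE_BLOB = build_trust_auth_blob(
    current=[(_T_NOW, TRUST_AUTH_TYPE_CLEAR, "Secret01".encode("utf-16-le")),
             (_T_NOW, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 5))],
    previous=[(_T_OLD, TRUST_AUTH_TYPE_CLEAR, "Secret00".encode("utf-16-le")),
              (_T_OLD, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 4))],
)


def sample_kvnos() -> Tuple[Optional[int], Optional[int]]:
    """kvno of the current and of the previous trust secret in SAMPLE_BLOB."""
    current, previous = parse_trust_auth_blob(SAMPLE_BLOB)
    return trust_kvno(current), trust_kvno(previous)


if __name__ == "__main__":
    cur, prev = sample_kvnos()
    print(f"current kvno={cur} previous kvno={prev}")
```

A KDC would feed the "current" array's VERSION value to the key it derives from the current trust secret; the "previous" array (where the blob carries one) lets it recognise tickets still encrypted under the old secret. Treat the offsets and lengths as untrusted input as the parser does: the attribute is replicated and, on a domain controller, readable only by privileged principals, but a malformed blob should fail cleanly rather than index past the buffer.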