On Thu, 2008-10-02 at 09:17 -0700, John Dunning wrote: > Hello Andrew, > > We have concluded our investigation regarding this issue. > > Question: "How do I determine what Key Version Number (kvno) to assign to > trusted domain entities in the KDC?" > > Answer: > The key version number of the trust password for a trust object is set > by making a LsarSetTrustedDomainInfoByName ([MS-LSAD] section > 3.1.4.7.6) request when the trust is created. It is incremented by 1 > each time the trust password is changed. The key version number can be > determined at any time by making an LsarQueryTrustedDomainInfoByName > request or parsing the trustAuthInfoIncoming/trustAuthInfoOutgoing > attributes using the information provided in MS-ADTS section > 7.1.6.9.1 and looking for an LSAPR_AUTH_INFORMATION structure with > AuthType equal to TRUST_AUTH_TYPE_VERSION (3).
Great. What is the kvno if the client does not provide one in that structure, when it initially calls CreateTrustedDomainEx? (I think it is -1) > A change will be made to the [MS-ADA2]document section 2.235 Attribute > msDS-KeyVersionNumber which will be similar to the following: > > 2.235 Attribute msDS-KeyVersionNumber > For a given user, computer or built-in account, this attribute > specifies the Kerberos version number of the current key for that > account. The Kerberos key version number for trusts is stored in the > trusted domain object (TDO) whose object class is trustedDomain Can i suggest a slight rewording: For a trusted domain (objectClass trustedDomain), the Kerberos key version number is stored in the trusted domain object (TDO), embedded in the trustAuthIncoming and trustAuthOutgoing attributes. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com
signature.asc
Description: This is a digitally signed message part
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
