Hello Andrew,

Thank you for your rewording suggestion. I have passed this information on to my Product Team.

I also have an answer to your question: "What is the kvno if the client does not provide one in that structure, when it initially calls CreateTrustedDomainEx? (I think it is -1)?"

Answer: If TRUST_AUTH_TYPE_VERSION is missing, the key version # for that trust key in the Kerberos protocol is not filled. In such a case, Windows Kerberos will ignore the missing key version # field. The key version (and the TRUST_AUTH_TYPE_VERSION field) is always present in Microsoft implementations to maximize interoperability.

Please let me know if this fully answers this question.

Thanks,
John Dunning
Senior Escalation Engineer
Microsoft Corporation
US-CSS DSC PROTOCOL TEAM
Email: [EMAIL PROTECTED]
Tele: (469)775-7008

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 03, 2008 12:04 PM
To: John Dunning
Cc: Interoperability Documentation Help; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: KVNO of trusts

On Thu, 2008-10-02 at 09:17 -0700, John Dunning wrote:
> Hello Andrew,
>
> We have concluded our investigation regarding this issue.
>
> Question: "How do I determine what Key Version Number (kvno) to assign to
> trusted domain entities in the KDC?"
>
> Answer:
> The key version number of the trust password for a trust object is set
> by making a LsarSetTrustedDomainInfoByName ([MS-LSAD] section
> 3.1.4.7.6) request when the trust is created. It is incremented by 1
> each time the trust password is changed. The key version number can be
> determined at any time by making an LsarQueryTrustedDomainInfoByName
> request or parsing the trustAuthInfoIncoming/trustAuthInfoOutgoing
> attributes using the information provided in MS-ADTS section
> 7.1.6.9.1 and looking for an LSAPR_AUTH_INFORMATION structure with
> AuthType equal to TRUST_AUTH_TYPE_VERSION (3).

Great. What is the kvno if the client does not provide one in that
structure, when it initially calls CreateTrustedDomainEx?
(I think it is -1)

> A change will be made to the [MS-ADA2] document section 2.235 Attribute
> msDS-KeyVersionNumber which will be similar to the following:
>
> 2.235 Attribute msDS-KeyVersionNumber
> For a given user, computer or built-in account, this attribute specifies
> the Kerberos version number of the current key for that account. The
> Kerberos key version number for trusts is stored in the trusted domain
> object (TDO) whose object class is trustedDomain

Can I suggest a slight rewording:

For a trusted domain (objectClass trustedDomain), the Kerberos key version number is stored in the trusted domain object (TDO), embedded in the trustAuthIncoming and trustAuthOutgoing attributes.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
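The procedure John describes in the thread (walk the trustAuthIncoming/trustAuthOutgoing blob, look for an LSAPR_AUTH_INFORMATION entry with AuthType TRUST_AUTH_TYPE_VERSION (3), and treat a missing entry as "no kvno" rather than as -1), as an added Python example. This is not code from the thread, from Microsoft or from Samba. The byte layout it assumes (a header of Count plus two blob-relative offsets to the current and previous arrays; entries of LastUpdateTime, AuthType, AuthInfoLength, AuthInfo, padded to 4 bytes) is my reading of MS-ADTS and of Samba's drsblobs.idl and should be checked against the current spec text; the blobs it parses are constructed test data, not captures.

```python
"""Extract the Kerberos key version number (kvno) of a trust from the
trustAuthIncoming / trustAuthOutgoing attribute blob of a trustedDomain object.

Added example; the byte layout below is an assumption based on MS-ADTS
(trustAuthInfo attributes, LSAPR_AUTH_INFORMATION) and Samba's drsblobs.idl.
"""
import struct

# AuthType values of LSAPR_AUTH_INFORMATION ([MS-LSAD]).
TRUST_AUTH_TYPE_NONE = 0
TRUST_AUTH_TYPE_NT4OWF = 1
TRUST_AUTH_TYPE_CLEAR = 2
TRUST_AUTH_TYPE_VERSION = 3


def _parse_auth_info_array(blob, offset, count):
    """Parse `count` LSAPR_AUTH_INFORMATION entries starting at `offset`.

    Assumed entry layout: LastUpdateTime (8 bytes), AuthType (4),
    AuthInfoLength (4), AuthInfo (AuthInfoLength bytes), then padding
    up to the next 4-byte boundary.
    """
    entries = []
    pos = offset
    for _ in range(count):
        if pos + 16 > len(blob):
            raise ValueError("truncated LSAPR_AUTH_INFORMATION header")
        last_update, auth_type, length = struct.unpack_from("<QII", blob, pos)
        pos += 16
        if pos + length > len(blob):
            raise ValueError("AuthInfoLength runs past the end of the blob")
        data = blob[pos:pos + length]
        pos += length + (-length % 4)  # alignment padding (assumption)
        entries.append((last_update, auth_type, data))
    return entries


def parse_trust_auth_blob(blob):
    """Return (current, previous) lists of (LastUpdateTime, AuthType, AuthInfo).

    Assumed header: Count (4), offset of the current array (4), offset of the
    previous array (4); offsets count from the start of the blob, 0 = absent.
    """
    if len(blob) < 12:
        raise ValueError("blob too short for a trustAuthInOutBlob header")
    count, cur_off, prev_off = struct.unpack_from("<III", blob, 0)
    current = _parse_auth_info_array(blob, cur_off, count) if cur_off else []
    previous = _parse_auth_info_array(blob, prev_off, count) if prev_off else []
    return current, previous


def trust_kvno(blob):
    """kvno of the current trust key, or None when no TRUST_AUTH_TYPE_VERSION
    entry is present (the case the reply says Windows Kerberos ignores)."""
    current, _ = parse_trust_auth_blob(blob)
    for _, auth_type, data in current:
        if auth_type == TRUST_AUTH_TYPE_VERSION:
            if len(data) != 4:
                raise ValueError("TRUST_AUTH_TYPE_VERSION AuthInfo must be 4 bytes")
            return struct.unpack("<I", data)[0]
    return None


def build_trust_auth_blob(current, previous):
    """Serialise (LastUpdateTime, AuthType, AuthInfo) lists into the assumed
    layout. Only used here to construct sample data; a real blob comes from
    LDAP or LsarQueryTrustedDomainInfoByName."""
    if previous and len(previous) != len(current):
        raise ValueError("both arrays share one Count in this layout")

    def encode(entries):
        out = bytearray()
        for last_update, auth_type, data in entries:
            out += struct.pack("<QII", last_update, auth_type, len(data))
            out += data + b"\x00" * (-len(data) % 4)
        return bytes(out)

    cur = encode(current)
    prev = encode(previous)
    cur_off = 12
    prev_off = 12 + len(cur) if previous else 0
    return struct.pack("<III", len(current), cur_off, prev_off) + cur + prev


# Constructed sample blobs. The FILETIME value is arbitrary; CLEAR passwords
# are UTF-16LE as the trust password would be on the wire.
SAMPLE_TIME = 0x01C91E9A00000000
WITH_VERSION = build_trust_auth_blob(
    current=[(SAMPLE_TIME, TRUST_AUTH_TYPE_CLEAR, "P@ssw0rd".encode("utf-16-le")),
             (SAMPLE_TIME, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 3))],
    previous=[(SAMPLE_TIME, TRUST_AUTH_TYPE_CLEAR, "0ldP@ss!".encode("utf-16-le")),
              (SAMPLE_TIME, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 2))],
)
WITHOUT_VERSION = build_trust_auth_blob(
    current=[(SAMPLE_TIME, TRUST_AUTH_TYPE_CLEAR, "P@ssw0rd".encode("utf-16-le"))],
    previous=[],
)

if __name__ == "__main__":
    print("kvno with VERSION entry   :", trust_kvno(WITH_VERSION))
    print("kvno without VERSION entry:", trust_kvno(WITHOUT_VERSION))
```

The second blob is the situation Andrew asked about: a trust created without a TRUST_AUTH_TYPE_VERSION entry. Per John's reply the kvno is simply absent there, so the parser returns None instead of inventing -1 or 0; a KDC consuming this would emit no kvno in the ticket rather than a made-up one. The previous array of the first blob carries version 2 beside the current 3, matching the "incremented by 1 on each password change" rule from the earlier answer.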
