Andrew,

We have completed our research with respect to NetrServerAuthenticate3. Your question revolved around which Active Directory attribute is used to respond to this request and also how the passed-in AccountName parameter is used. This method, NetrServerAuthenticate3, queries the trusted domain object using the value in the AccountName field. We have modified the documentation in section 3.5.4.3.2 with respect to AccountName to account for the trailing dot observed on this value as follows:
AccountName: A null-terminated Unicode string that identifies the name of the account that contains the secret key (password) that is shared between the client and the server, as specified in section 1.5.<143> If there is a period "." at the end of the account name, that is ignored during processing.

As the documentation states for NetrServerAuthenticate3, SecureChannelType indicates the type of secure channel being established. This value is defined in section 2.2.1.3.12, and to tie this in with how NetrServerAuthenticate3 uses this enumeration, we have modified the text for TrustedDnsDomainSecureChannel as follows:

TrustedDnsDomainSecureChannel: A secure channel between two DCs, connected through a trust relationship created between two Windows 2000 Server or Windows Server 2003 domains. A Trusted Domain Object (TDO) is used in this type of channel. See 7.1.6.7 "Essential Attributes of a Trusted Domain Object" in [MS-ADTS] for information about TDO.

By doing so, this should make it clearer to the reader that the credentials returned map to the TDO. The RID returned is for the account used in the TDO.

Please let us know if you have further questions or comments.
Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: [EMAIL PROTECTED]

-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 30, 2008 7:27 PM
To: Interoperability Documentation Help
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Trusted domains and NETLOGON

On Tue, 2008-09-30 at 15:32 -0700, Andrew Bartlett wrote:
> In MS-NRPC 3.5.4.3.2 it states:
>
> AccountName: A null-terminated Unicode string that identifies the name of the account that contains the secret key (password) that is shared between the client and the server, as specified in section 1.5.<157>
>
> Windows behaviour note 157 then notes:
>
> <157> Section 3.5.4.3.2: In Windows, all machine account names are the name of the machine with a "$" (dollar sign) appended.
>
> However, when Windows 2003 joins as a trusted domain, it issues a ServerAuthenticate3 with 'Account Name == w2k3native.net.'
>
> (i.e., no trailing $, and not a normal account)

So, what I'm looking for is what object in the directory I should enquire of to find the password to use, and how I should find it (i.e., search on what scope for what attribute, presumably without the trailing dot). I presume I'll have to find the trust account under cn=system, but this is unclear.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
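
As an added illustration of the lookup rule the reply describes (this is example code written for this page, not code from the thread, from Microsoft or from Samba), the function below takes the AccountName and SecureChannelType from a NetrServerAuthenticate3 request, ignores a trailing "." as the amended 3.5.4.3.2 text says, and decides whether the shared secret is expected on a machine account (name ending in "$", per note 157) or on a Trusted Domain Object. The in-memory directory is constructed sample data; the SecureChannelType values other than TrustedDnsDomainSecureChannel come from the MS-NRPC enumeration rather than the thread, and matching a TDO through its trustPartner or flatName attribute is an assumption about how a server locates it, not something the thread states.

```python
# SecureChannelType values from the MS-NRPC 2.2.1.3.12 enumeration. Only
# TrustedDnsDomainSecureChannel is discussed in the thread; the other values
# are taken from the specification, not from the thread.
WORKSTATION_SECURE_CHANNEL = 2
TRUSTED_DNS_DOMAIN_SECURE_CHANNEL = 3
TRUSTED_DOMAIN_SECURE_CHANNEL = 4
SERVER_SECURE_CHANNEL = 6

# Constructed sample directory (not a real AD query): one machine account and
# one Trusted Domain Object under CN=System. Each entry is (DN, objectClass, attrs).
SAMPLE_DIRECTORY = [
    ("CN=WKS01,CN=Computers,DC=example,DC=test", "computer",
     {"sAMAccountName": "WKS01$"}),
    ("CN=w2k3native.net,CN=System,DC=example,DC=test", "trustedDomain",
     {"trustPartner": "w2k3native.net", "flatName": "W2K3NATIVE"}),
]

def normalize_account_name(account_name):
    """MS-NRPC 3.5.4.3.2 as amended in the reply: a trailing '.' is ignored."""
    return account_name[:-1] if account_name.endswith(".") else account_name

def _find(directory, object_class, attr, value):
    """Case-insensitive match on one attribute (DNS and SAM names are case-insensitive)."""
    for dn, cls, attrs in directory:
        if cls == object_class and attrs.get(attr, "").lower() == value.lower():
            return dn
    return None

def resolve_account(account_name, secure_channel_type, directory=SAMPLE_DIRECTORY):
    """Return the DN of the object holding the shared secret, or None if nothing matches."""
    name = normalize_account_name(account_name)
    if not name:
        return None  # an empty name must never match an object with a missing attribute
    if secure_channel_type == TRUSTED_DNS_DOMAIN_SECURE_CHANNEL:
        # Trust by DNS name: the secret lives on the TDO; matching it via
        # trustPartner is an assumption about how the server locates it.
        return _find(directory, "trustedDomain", "trustPartner", name)
    if secure_channel_type == TRUSTED_DOMAIN_SECURE_CHANNEL:
        # NetBIOS-style trust: same TDO, matched via flatName (also an assumption).
        return _find(directory, "trustedDomain", "flatName", name)
    if secure_channel_type in (WORKSTATION_SECURE_CHANNEL, SERVER_SECURE_CHANNEL):
        # Machine account: footnote 157 says the name is the machine name plus "$".
        if not name.endswith("$"):
            return None
        return _find(directory, "computer", "sAMAccountName", name)
    return None  # other channel types are not handled in this example
```

The case from the thread, 'w2k3native.net.' on a TrustedDnsDomainSecureChannel, resolves to the TDO, while the same name on a workstation channel resolves to nothing because it lacks the "$" suffix.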
