Good morning Andrew - just checking in to see if we have covered everything!


-----Original Message-----
From: Hongwei Sun
Sent: Wednesday, September 02, 2009 5:10 PM
To: 'Andrew Bartlett'; Bill Wesse
Cc: [email protected]; [email protected]; Matthias Dieter Wallnöfer
Subject: RE: [cifs-protocol] Please clarify LSA and OsVersion behaviour in 
MS-NRPC (SRX090727600015)

Andrew,

   We confirmed that Windows Server 2008 and later systems addressed the 
problem by implementing validation of the DNSHostName and SPN in 
NetrLogonGetDomainInfo to enforce the same constraints as specified in sections 
3.1.1.5.3.1.1.2 (dNSHostName) and 3.1.1.5.3.1.1.4 (servicePrincipalName) in 
MS-ADTS.   Therefore you should follow these rules to match the Windows 
behaviors.

   Please let us know if you have further questions.

Thanks!

--------------------------------------------------------------------
Hongwei  Sun - Sr. Support Escalation Engineer DSC Protocol  Team, Microsoft 
[email protected]
Tel:  469-7757027 x 57027
---------------------------------------------------------------------

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606


-----Original Message-----
From: Bill Wesse 
Sent: Friday, August 28, 2009 10:53 AM
To: 'Andrew Bartlett'
Cc: '[email protected]'; '[email protected]'; 'Matthias Dieter 
Wallnöfer'; Hongwei Sun
Subject: RE: [cifs-protocol] Please clarify LSA and OsVersion behaviour in 
MS-NRPC (SRX090727600015)

I will be out of the office on vacation, returning Monday, September 7. My 
colleague, Hongwei Sun will be your contact during my absence.

Regards,
Bill Wesse


-----Original Message-----
From: Bill Wesse 
Sent: Friday, August 28, 2009 7:27 AM
To: 'Andrew Bartlett'
Cc: [email protected]; [email protected]; Matthias Dieter Wallnöfer
Subject: RE: [cifs-protocol] Please clarify LSA and OsVersion behaviour in 
MS-NRPC (SRX090727600015)

Thanks for the information Andrew; I have proposed we add additional 
NetrLogonGetDomainInfo coverage to our test suites.

Regards,
Bill Wesse


-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]] 
Sent: Thursday, August 27, 2009 5:44 PM
To: Bill Wesse
Cc: [email protected]; [email protected]; Matthias Dieter Wallnöfer
Subject: RE: [cifs-protocol] Please clarify LSA and OsVersion behaviour in 
MS-NRPC (SRX090727600015)

On Wed, 2009-08-26 at 09:52 -0700, Bill Wesse wrote:
> Hello again Andrew - I have a 'short' answer for you.
> 
> Windows 2008 does the following additional checks:
> 
> 1. NETLOGON_WORKSTATION_INFO.DnsHostName and ComputerName match 
> appropriately (re: trailing '$' on ComputerName)
> 2. NETLOGON_WORKSTATION_INFO.DnsHostName suffix is checked against 
> msDS-AllowedDNSSuffixes.
> 
> I can't at the moment be more complete, without exercising 
> NetrLogonGetDomainInfo against 2000, 2003 and so on. I hesitate to attempt a 
> description against code hand-checks, as it is just too easy to miss 
> something.
> 
> Do you have any test software already configured to do that?

You could hack the GetDomainInfo test in smbtorture's RPC-NETLOGON.  We don't 
have anything that lets you set it arbitrarily from the command line (yet, I 
could write it).

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
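
The two checks described in this thread, sketched as an added example (not code from Samba, Microsoft, or any participant in the thread). The function name, its parameters and the sample host and domain names are assumptions; the rule applied is that the DNS host name must be the computer name (without the trailing '$') followed by the domain's DNS name or a value of msDS-AllowedDNSSuffixes.

```python
"""Added example: server-side validation of a client-supplied DnsHostName."""


def _norm(name):
    # DNS names compare case-insensitively; ignore one trailing root dot.
    if name.endswith("."):
        name = name[:-1]
    return name.lower()


def check_dns_host_name(dns_host_name, computer_name, domain_dns_name,
                        allowed_suffixes=()):
    """Return (ok, reason) for a DnsHostName sent by a workstation.

    computer_name may carry the machine account's trailing '$'
    (assumption: it is stripped before comparison, as the thread implies).
    allowed_suffixes stands for the msDS-AllowedDNSSuffixes values.
    """
    if computer_name.endswith("$"):
        computer_name = computer_name[:-1]
    host = _norm(dns_host_name)

    # Split into the first label and the remaining DNS suffix.
    label, sep, suffix = host.partition(".")
    if not sep or not label or not suffix:
        return False, "not a fully qualified name"

    # Check 1: the host label must match the computer name.
    if label != computer_name.lower():
        return False, "host label does not match computer name"

    # Check 2: the suffix must be the domain name or an allowed suffix.
    permitted = {_norm(domain_dns_name)}
    permitted.update(_norm(s) for s in allowed_suffixes)
    if suffix not in permitted:
        return False, "suffix not permitted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    samples = ["ws01.example.test", "WS01.Corp.Example.Test.",
               "dc01.example.test", "ws01.other.test", "ws01"]
    for name in samples:
        print(name, check_dns_host_name(
            name, "WS01$", "example.test", ["corp.example.test"]))
```

A server applying these checks would reject the request, or decline to update the account's dNSHostName and servicePrincipalName, when the function returns False.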
