Matthieu,
G$BCKUPKEY_PREFERRED and G$BCKUPKEY_guid are stored as LSA global secrets. The
LSA global secret objects are replicated across domain controllers (DCs) in the
same domain, so each DC can respond to secret requests of this type. This is
specified in MS-BKRP 1.3.1 which cross-references [MS-LSAD] section 3.1.1.4.
The global secrets are synchronized across DCs in the same domain, so that once
the client discovers a DC and queries a secret, it gets the same key pair and
corresponding GUID that is currently in use throughout the domain.
MS-BKRP documents how Windows responds to BackupKey protocol queries received
over the network.
Regarding operations on the global secret objects related to the BackupKey
protocol, since they are stored as MS-LSAD secret objects, they can be read
and/or written using the same mechanisms documented in MS-LSAD 3.1.4.6 Secret
Object Methods. In this particular case, you may for instance use MS-LSAD
3.1.4.6.4 LsarQuerySecret (Opnum 30) or 3.1.4.6.6 LsarRetrievePrivateData
(Opnum 43).
Depending on the context in which you want to perform these operations, it
might just be simpler to use LsarRetrievePrivateData and supply the KeyName to
retrieve the secret, since there is no associated old value.
Please see MS-LSAD for details on each method you are interested in.
MS-LSAD 3.1.4.6.6 LsarRetrievePrivateData (Opnum 43)
The LsarRetrievePrivateData method is invoked to retrieve a secret value.

NTSTATUS LsarRetrievePrivateData(
  [in] LSAPR_HANDLE PolicyHandle,
  [in] PRPC_UNICODE_STRING KeyName,
  [in, out] PLSAPR_CR_CIPHER_VALUE* EncryptedData
);

PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or
LsarOpenPolicy2.
KeyName: The name identifying the secret value to be retrieved.
EncryptedData: Receives the encrypted value of the secret object.
…
MS-LSAD 3.1.4.6.4 LsarQuerySecret (Opnum 30)
The LsarQuerySecret method is invoked to retrieve the current and old (or
previous) value of the secret object.

NTSTATUS LsarQuerySecret(
  [in] LSAPR_HANDLE SecretHandle,
  [in, out, unique] PLSAPR_CR_CIPHER_VALUE* EncryptedCurrentValue,
  [in, out, unique] PLARGE_INTEGER CurrentValueSetTime,
  [in, out, unique] PLSAPR_CR_CIPHER_VALUE* EncryptedOldValue,
  [in, out, unique] PLARGE_INTEGER OldValueSetTime
);

SecretHandle: An open secret object handle.
EncryptedCurrentValue: Used to return the encrypted current value of the secret
object.
CurrentValueSetTime: Used to return the time when the current value was set.
EncryptedOldValue: A BLOB representing the encrypted old value. It is valid for
this parameter to be NULL, in which case the current value in the policy
database is copied.
OldValueSetTime: The time corresponding to the instant that the old value was
last changed.
…
Best regards,
Edgar
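The lookup Edgar describes above, written out as an added example (not code from the thread, from Samba, or from Microsoft): the offline part converts the 16-byte GUID held in G$BCKUPKEY_PREFERRED into the G$BCKUPKEY_guid secret name and checks whether a set of DCs all report the same preferred key, which is the question Matthieu asked; the network part issues the two LsarRetrievePrivateData calls. The network path assumes impacket's MS-LSAD bindings (hLsarOpenPolicy2, hLsarRetrievePrivateData, crypto.decryptSecret) and is only imported when that path runs; upper-case hex digits in the secret name follow impacket's convention and are an assumption; the DC-to-GUID sample data is constructed.

```python
"""Added example (not from the thread, Samba or Microsoft): the ClientWrap key
lookup described in the reply, as a practitioner would script it against DCs.

Offline part: turn the 16-byte GUID held in G$BCKUPKEY_PREFERRED into the
G$BCKUPKEY_guid secret name and check that every DC reports the same
preferred GUID.  Network part: the two LsarRetrievePrivateData calls, written
against impacket's MS-LSAD bindings (assumed dependency, imported lazily).
"""
import uuid
from typing import Dict, Set, Tuple

PREFERRED_SECRET = "G$BCKUPKEY_PREFERRED"
SECRET_PREFIX = "G$BCKUPKEY_"


def guid_to_secret_name(guid_packet: bytes) -> str:
    """Map the GUID stored in G$BCKUPKEY_PREFERRED to the G$BCKUPKEY_guid name.

    The value is the 16-byte packet form of MS-DTYP 2.3.2.2 (Data1, Data2,
    Data3 little-endian, Data4 as-is), which Python's uuid reads as bytes_le.
    The name uses the dashed GUIDString of MS-DTYP 2.3.2.3; upper-case hex
    digits follow impacket's convention and are an assumption.
    """
    if len(guid_packet) != 16:
        raise ValueError("G$BCKUPKEY_PREFERRED value must be exactly 16 bytes, "
                         f"got {len(guid_packet)}")
    return SECRET_PREFIX + str(uuid.UUID(bytes_le=guid_packet)).upper()


def preferred_guids(preferred_by_dc: Dict[str, bytes]) -> Set[str]:
    """Distinct G$BCKUPKEY_guid names reported by a set of DCs.

    Input maps DC name -> decrypted G$BCKUPKEY_PREFERRED value.  Since these
    are LSA global secrets replicated across the domain, a converged domain
    yields exactly one name; more than one means replication is lagging (or a
    DC was asked mid-rotation), so clients may be wrapped under different keys
    depending on which DC they reach.
    """
    return {guid_to_secret_name(v) for v in preferred_by_dc.values()}


def dcs_agree_on_preferred_key(preferred_by_dc: Dict[str, bytes]) -> bool:
    """True when every queried DC points at the same G$BCKUPKEY_guid secret."""
    return len(preferred_guids(preferred_by_dc)) == 1


def fetch_clientwrap_keypair(dc: str, domain: str, username: str,
                             password: str = "", lmhash: str = "",
                             nthash: str = "") -> Tuple[str, bytes]:
    """Network path (not exercised offline): read the ClientWrap key pair.

    LsarOpenPolicy2, then LsarRetrievePrivateData(G$BCKUPKEY_PREFERRED) for
    the GUID, then LsarRetrievePrivateData(G$BCKUPKEY_guid) for the key pair,
    returned here as the raw MS-BKRP 2.2.5 blob.  RetrievePrivateData is
    enough because no old value is wanted; LsarOpenSecret + LsarQuerySecret
    would also hand back the previous value.  EncryptedData arrives wrapped
    with the SMB session key (MS-LSAD 5.1.2); impacket's decryptSecret undoes
    that.  Needs POLICY_GET_PRIVATE_INFORMATION on the DC.
    """
    from impacket import crypto                        # assumed dependency
    from impacket.dcerpc.v5 import lsad, transport     # assumed dependency

    rpc = transport.SMBTransport(dc, 445, r"\lsarpc", username, password,
                                 domain, lmhash, nthash)
    dce = rpc.get_dce_rpc()
    dce.connect()
    dce.bind(lsad.MSRPC_UUID_LSAD)
    session_key = rpc.get_smb_connection().getSessionKey()
    handle = lsad.hLsarOpenPolicy2(
        dce, lsad.POLICY_GET_PRIVATE_INFORMATION)["PolicyHandle"]
    try:
        guid = crypto.decryptSecret(
            session_key,
            lsad.hLsarRetrievePrivateData(dce, handle, PREFERRED_SECRET))
        name = guid_to_secret_name(guid)
        keypair = crypto.decryptSecret(
            session_key, lsad.hLsarRetrievePrivateData(dce, handle, name))
    finally:
        dce.disconnect()
    return name, keypair


if __name__ == "__main__":
    # Constructed sample: two DCs that agree and a third that lags behind.
    g1 = bytes.fromhex("443322116655887799aabbccddeeff00")
    g2 = bytes.fromhex("00112233445566778899aabbccddeeff")
    sample = {"dc1": g1, "dc2": g1, "dc3": g2}
    print(preferred_guids(sample))
    print("consistent:", dcs_agree_on_preferred_key(sample))
```

To run the check for real, call fetch_clientwrap_keypair once per DC, feed the first element of each result (after stripping the prefix back to bytes, or simply comparing the returned names) into a dict, and confirm a single name comes back; a mismatch is worth chasing before relying on the wrapped secrets across sites.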
-----Original Message-----
From: Edgar Olougouna
Sent: Thursday, August 05, 2010 4:35 PM
To: '[email protected]'; '[email protected]'; '[email protected]'
Cc: MSSolve Case Email
Subject: [REG: 110080418357322] [MS-BKRP] 1.3.1 -- in a given domain there is
only "active" rsa key
Hi Matthieu,
I am researching this issue and will update you as soon I complete my research.
Best regards,
Edgar
Issue verbatim
------------------
Second, in paragraph 1.3.1 Call Flows, it is stated: "For the ClientWrap
subprotocol, the Microsoft implementation of the BackupKey Remote Protocol
server stores the following LSA global secret objects (note that the LSA global
secret names are Unicode strings):
1. G$BCKUPKEY_PREFERRED: This contains the 16-byte GUID ([MS-DTYP] section
2.3.2.2) of the RSA key pair currently used for client-side secret wrapping.
2. G$BCKUPKEY_guid: Here, guid is the string GUID that identifies the wrapping
key, formatted as a GUIDString ([MS-DTYP] section 2.3.2.3). The value of the
secret object is the server's ClientWrap key pair, formatted as specified in
section 2.2.5"
Should I conclude that in a given domain there is only one "active" RSA key on
all the servers, or, said another way, that no matter which server is asked at
a given moment we will always receive the same GUID for the key?
Also, just to be sure: this will be stored in the currentValue attribute, but it
will only be accessible through a lsaQuerySecret call, right?
-----Original Message-----
From: Bryan Burgin
Sent: Wednesday, August 04, 2010 10:12 PM
To: '[email protected]'
Cc: [email protected]; [email protected]; MSSolve Case Email
Subject: RE: [REG:110071868986368] unused bytes after while decoding bkrp
requests
Matthieu,
For your new issues, I created three new cases and dispatched them across the
team:
110080417580961  [MS-BKRP] 3.1.4.1 "misc" 0x00020000 value
110080418016869  [MS-BKRP] 3.1.4.1.3 -- version field and a GUID field no documented
110080418357322  [MS-BKRP] 1.3.1 -- in a given domain there is only "active" rsa key
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol