On Wed, 2011-08-31 at 20:37 +0000, Hongwei Sun wrote:
> Hi, Andrew,
>
> >Is the element stored 'as sent', or is it processed to add a version field?
>
> ANS: After code review, I confirmed that AuthenticationInformation is
> decrypted into LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION (as specified in
> 2.2.7.11), then is just copied straightforwardly into the TrustAuthIncoming
> and TrustAuthOutgoing properties as specified in 7.1.6.9.1 MS-ADTS. As you
> know, LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION is a structure and the
> TrustAuthIncoming and TrustAuthOutgoing properties are String(Octet), so
> there is certainly some calculation of offsets required as per the layout of
> the properties, but there is no new field added when marshaling the
> structure to the octet string saved in the properties.
>
> >Can the client send the previousAuthentication details, or is that
> >maintained by the server?
>
> ANS: Yes, the client can send the previousAuthentication for both incoming
> and outgoing AuthenticationInformation through LsarCreateTrustedDomainEx2. If
> it is sent, the server will save it to the previousAuthenticationInformation
> part of the property (7.1.6.9.1 MS-ADTS). If it is not sent, the
> previousAuthenticationInformation in the property will be the same as the
> current AuthenticationInformation, since this is a new TDO being created and
> there is no previous information available.
>
> >In LsarSetInformationTrustedDomain
> >http://msdn.microsoft.com/en-us/library/cc234385%28v=PROT.13%29.aspx
> >Does the client or the server maintain the previous password and version
> >information in the blob in the "trustAuthIncoming"?
>
> ANS: The server will be responsible for updating the previous
> authentication information in the "TrustAuthIncoming" property. When the
> server receives this call, it will first query the information about the
> trusted domain object (TDO) identified by the TrustedDomainHandle passed into
> LsarSetInformationTrustedDomain. Then the server will save the returned
> trusted domain information as previousAuthentication and the passed
> authenticationInformation as the new AuthenticationInformation in the
> TrustAuthIncoming property.
>
> Please let me know if you have more questions.

Thanks, that resolves this for now.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team
http://samba.org

_______________________________________________
cifs-protocol mailing list
https://lists.samba.org/mailman/listinfo/cifs-protocol
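To make the current/previous layout and the offset calculation discussed above concrete, here is an added example (not code from the thread, from Samba or from Microsoft) that marshals and parses a trustAuthInfo-style blob. The layout is my reading of the MS-ADTS trustAuthInfo attribute (Samba's trustAuthInOutBlob): a Count/ByteOffsetCurrent/ByteOffsetPrevious header followed by the current and previous entry arrays; helper names and sample values are constructed.

```python
import struct

# AuthType values from MS-LSAD LSA_AUTH_INFORMATION.
TRUST_AUTH_TYPE_NONE = 0
TRUST_AUTH_TYPE_NT4OWF = 1
TRUST_AUTH_TYPE_CLEAR = 2
TRUST_AUTH_TYPE_VERSION = 3

HEADER_LEN = 12  # Count, ByteOffsetCurrent, ByteOffsetPrevious (uint32 LE each)


def _pack_entries(entries):
    """Each entry (assumed layout): LastUpdateTime (8-byte FILETIME),
    AuthType (uint32), AuthInfoLength (uint32), AuthInfo, 4-byte padding."""
    out = bytearray()
    for last_update, auth_type, auth_info in entries:
        out += struct.pack("<QII", last_update, auth_type, len(auth_info))
        out += auth_info + b"\0" * (-len(auth_info) % 4)
    return bytes(out)


def build_trust_auth_blob(current, previous=None):
    """Marshal the structure into the octet string. With previous=None this
    mirrors the new-TDO case from the thread: previous == current."""
    if previous is None:
        previous = current
    if len(previous) != len(current):
        raise ValueError("Count covers both arrays; lengths must match")
    cur, prev = _pack_entries(current), _pack_entries(previous)
    header = struct.pack("<III", len(current), HEADER_LEN, HEADER_LEN + len(cur))
    return header + cur + prev


def parse_trust_auth_blob(blob):
    """Return (current, previous) entry lists, bounds-checking every offset
    so a truncated or malformed octet string raises instead of over-reading."""
    count, off_cur, off_prev = struct.unpack_from("<III", blob, 0)

    def read_array(off):
        entries = []
        for _ in range(count):
            if off + 16 > len(blob):
                raise ValueError("truncated entry header")
            last_update, auth_type, length = struct.unpack_from("<QII", blob, off)
            off += 16
            if off + length > len(blob):
                raise ValueError("AuthInfoLength exceeds blob")
            entries.append((last_update, auth_type, blob[off:off + length]))
            off += length + (-length % 4)
        return entries

    return read_array(off_cur), read_array(off_prev)
```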
