Hello Jeremy,
At machine startup, before login, any Kerberos traffic and related 
authentication uses the machine account, e.g. AS Request and TGS Response have 
Cname: WIN-CNJIRV8M39S$
I am filing a document bug to get MS-GPOL clarified.

Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, September 9, 2016 2:23 PM
To: Jeremy Allison <j...@samba.org>
Cc: cifs-protocol@lists.samba.org; g...@samba.org; MSSolve Case Email 
<casem...@microsoft.com>
Subject: RE: [MS-GPOL] Computer group policy fetch - what credentials are used 
? [REG:116090914649988]

Hi Jeremy,
I will investigate this and follow-up.

Thanks,
Edgar


-----Original Message-----
From: Obaid Farooqi 
Sent: Friday, September 9, 2016 2:14 PM
To: Jeremy Allison <j...@samba.org>
Cc: cifs-protocol@lists.samba.org; g...@samba.org; MSSolve Case Email 
<casem...@microsoft.com>
Subject: RE: [MS-GPOL] Computer group policy fetch - what credentials are used 
? [REG:116090914649988]

Hi Jeremy:
Thanks for contacting Microsoft. I have created a case to track this issue. A 
member of the open specifications team will be in touch soon.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to 
provide feedback on your case you may contact my manager at ramagane at 
Microsoft dot com

-----Original Message-----
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Friday, September 9, 2016 1:53 PM
To: Interoperability Documentation Help <doch...@microsoft.com>; 
cifs-protocol@lists.samba.org; g...@samba.org
Cc: j...@samba.org
Subject: [MS-GPOL] Computer group policy fetch - what credentials are used ?

Hi Dochelp,

Here's something I'm working on at the moment, that unfortunately is as clear 
as mud from the docs :-).

When a Windows client downloads machine group policy objects, what credentials 
does it use to do so ?

[MS-GPOL].pdf states:

3.2.5.1 Policy Application
...
Steps 3.2.5.1.3 through 3.2.5.1.7 SHOULD be performed while impersonating the 
policy target as specified in [MS-DTYP] section 2.7, Impersonation Abstract 
Interfaces.
...
Policy target impersonation proceeds as follows:
1. For Computer Policy Application Mode, the Policy Source Mode MUST be set to 
Normal.
2. The client application retrieves the primary token of the interactive user 
(the policy target) and passes it to the Start Impersonation abstract interface 
as specified in [MS-DTYP] section 2.7.1.

The above implies that "Computer Policies" should be done under the credential 
context of the interactive user.

But machine GPOs are fetched *before* user logon.

So either they're fetched using a cached user credential, or the above isn't 
correct.

But later in the doc it states:

3.2.5.1.5 GPO Search
...
7. The Policy Target Security Token MUST be initialized to the security token 
of the Policy Target.
For computer policy mode, retrieve the machine token that is associated with 
the security context of the server using Kerberos authentication.<32> For user 
policy mode, retrieve the impersonation token of the caller.<33>

which implies that it's done under the credential context of the machine 
account.

Which is it ?

Cheers,

Jeremy.

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
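An added example, not part of the thread or of Samba's code, that lets an administrator check Edgar's answer on a domain-joined Windows host: computer policy processing runs in the SYSTEM logon session (logon ID 0x3e7), so the Kerberos tickets cached in that session show which principal performed the fetch. The script assumes an elevated PowerShell prompt on a domain-joined machine; klist.exe and gpupdate.exe ship with Windows. The `-Refresh` switch and the function name are this example's own.

```powershell
# Added example (not from the thread): confirm that computer policy is fetched
# under the machine account, as Edgar states. Computer policy runs in the SYSTEM
# logon session, whose logon ID is 0x3e7, so the Kerberos tickets cached there
# show which principal obtained them.
# Assumes an elevated prompt on a domain-joined host; klist.exe and gpupdate.exe
# are standard Windows binaries.

param(
    # When set, purge the SYSTEM session's tickets and force a computer-scope
    # policy refresh first, so the tickets listed afterwards were obtained by
    # that fetch and not by some earlier activity.
    [switch]$Refresh
)

function Get-SystemTicketClients {
    # Returns the distinct client principals in logon session 0x3e7's ticket cache.
    $out = & klist.exe -li 0x3e7 2>&1
    if ($LASTEXITCODE -ne 0) { throw "klist failed: $out" }
    # Each cached ticket prints a line of the form:  Client: WIN-HOST$ @ EXAMPLE.COM
    $out | Select-String -Pattern 'Client:\s*(\S+)\s*@\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Sort-Object -Unique
}

if ($Refresh) {
    & klist.exe -li 0x3e7 purge | Out-Null
    # Computer-scope refresh only; no interactive user needs to be logged on.
    & gpupdate.exe /target:computer /force | Out-Null
}

$clients = Get-SystemTicketClients
if (-not $clients) {
    Write-Warning 'No Kerberos tickets in logon session 0x3e7; re-run with -Refresh.'
    return
}

foreach ($c in $clients) {
    # Machine account names end in '$' (e.g. WIN-CNJIRV8M39S$ in Edgar's capture).
    $kind = if ($c.EndsWith('$')) { 'machine account' } else { 'NOT a machine account' }
    '{0,-40} {1}' -f $c, $kind
}
```

Run it with `-Refresh` on a host with no user logged on (for example over a remote PowerShell session) to reproduce the pre-logon case Jeremy asked about; every client principal listed should end in `$`. The same principal is visible on the wire in the AS-REQ and TGS-REQ sent during the refresh, for instance with the Wireshark display filter `kerberos.CNameString`.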