Hi Tim: I got some additional detail on this prom product group, as follows: " This is not a security issue. The password for krbtgt is not human generated and any PSO applied on it will be ignored. " The recommendation is to follow the document instead of observed Windows behavior. This bug will be fixed in a future release of Windows and document will be updated to mention which version of Windows ignore this rule.
Please let me know if it does not answer your question. Regards, Obaid Farooqi Escalation Engineer | Microsoft Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com -----Original Message----- From: Tim Beale <timbe...@catalyst.net.nz> Sent: Wednesday, April 25, 2018 3:50 PM To: Obaid Farooqi <oba...@microsoft.com> Cc: cifs-protocol@lists.samba.org; MSSolve Case Email <casem...@microsoft.com> Subject: Re: [REG:118040517948537] MS-ADTS: msDS-ResultantPSO and DOMAIN_USER_RID_KRBTGT discrepancy Hi Obaid, Thank you for clarifying the expected behaviour. That makes sense. Cheers, Tim On 25/04/18 04:54, Obaid Farooqi wrote: > Hi Tim: > The code actually intends to not return msDS-ResultantPSO when RID is equal > to that of krbtgt but due to a bug, the comparison fails and instead of > nothing, the msDS-ResultantPSO is returned. I tested against WS2012R2. The > code is identical from Vista (WS2008) till Ws2012R2. I have not checked > against WS2016 yet. > > I have filed a bug against MS-ADTS to fix this issue. > > > Regards, > Obaid Farooqi > Escalation Engineer | Microsoft > > Exceeding your expectations is my highest priority. If you would like > to provide feedback on your case you may contact my manager at > ramagane at Microsoft dot com > > -----Original Message----- > From: Tim Beale <timbe...@catalyst.net.nz> > Sent: Monday, April 9, 2018 12:12 AM > To: Obaid Farooqi <oba...@microsoft.com> > Cc: cifs-protocol@lists.samba.org; MSSolve Case Email > <casem...@microsoft.com> > Subject: Re: [REG:118040517948537] MS-ADTS: msDS-ResultantPSO and > DOMAIN_USER_RID_KRBTGT discrepancy > > Hi Obaid, > > You can reproduce the problem by doing the following: > > - Create a new msDS-PasswordSettings object. E.g. > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblogs > .technet.microsoft.com%2Fcanitpro%2F2013%2F05%2F29%2Fstep-by-step-enab > ling-and-using-fine-grained-password-policies-in-ad%2F&data=02%7C01%7C > obaidf%40microsoft.com%7C9e0e2771473540762c9508d59dd85fb4%7C72f988bf86 > f141af91ab2d7cd011db47%7C1%7C0%7C636588475007318631&sdata=iztmo%2BfkcS > ggbJe%2FxTDmIA4ZW75noVaDRW%2FfRbvxA4k%3D&reserved=0 > or a more out-dated approach using ADSI Edit (which I think I used > originally) > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblogs > .technet.microsoft.com%2Fseanearp%2F2007%2F10%2F06%2Fwindows-server-20 > 08-fine-grained-password-policy-walkthrough%2F&data=02%7C01%7Cobaidf%4 > 0microsoft.com%7C9e0e2771473540762c9508d59dd85fb4%7C72f988bf86f141af91 > ab2d7cd011db47%7C1%7C0%7C636588475007318631&sdata=3%2FkmbCFEDopECsTsyK > vtgV%2FtRNX9UBru7G5QJqbJ57c%3D&reserved=0 > - Apply the PSO to the krbtgt user. I did this by opening ADSI Edit, > right-clicking on the PSO created in the previous step, select > 'Properties', then edit the msDS-PSOAppliesTo attribute. I used the > 'Add DN' option and just pasted in the DN of the krbtgt user (then > click 'OK', and 'Apply'). > - Check the Resultant PSO. i.e. In ADSI Edit, right-click on the > krbtgt user, select 'Properties', then look for the msDS-ResultantPSO > attribute. > > I've actually been testing this as part of Samba development by using > a python test script that connects to the Windows DC over LDAP and > does the above steps as LDIF operations. So you can probably reproduce > the first 2 steps just by applying an LDIF (tentative example follows, > but I haven't tried using exactly this approach myself). > > dn: CN=test-PSO,CN=Password Settings > Container,CN=System,DC=<your-domain> > changetype: add > objectClass: msDS-PasswordSettings > msDS-PasswordSettingsPrecedence: 2 > msDS-PasswordReversibleEncryptionEnabled: FALSE > msDS-PasswordHistoryLength: 10 > msDS-PasswordComplexityEnabled: TRUE > msDS-MinimumPasswordLength: 10 > msDS-MinimumPasswordAge: 0 > msDS-MaximumPasswordAge: -25920000000000 > msDS-LockoutThreshold: 0 > msDS-LockoutObservationWindow: -50000000 > msDS-LockoutDuration: -50000000 > msDS-PSOAppliesTo: CN=krbtgt,CN=Users,DC=<your-domain> > > Cheers, > Tim > > On 07/04/18 08:27, Obaid Farooqi wrote: >> Hi Tim: >> Can you please let me know the step you took to add this object and applied >> to krbtgt? >> >> Regards, >> Obaid Farooqi >> Escalation Engineer | Microsoft >> >> Exceeding your expectations is my highest priority. If you would >> like to provide feedback on your case you may contact my manager at >> ramagane at Microsoft dot com >> >> -----Original Message----- >> From: Obaid Farooqi >> Sent: Friday, April 6, 2018 12:48 PM >> To: 'Tim Beale' <timbe...@catalyst.net.nz> >> Cc: cifs-protocol@lists.samba.org; MSSolve Case Email >> <casem...@microsoft.com> >> Subject: RE: [REG:118040517948537] MS-ADTS: msDS-ResultantPSO and >> DOMAIN_USER_RID_KRBTGT discrepancy >> >> Hi Tim: >> I'll help you with this issue and will be in touch as soon as I have an >> answer. >> >> Regards, >> Obaid Farooqi >> Escalation Engineer | Microsoft >> >> Exceeding your expectations is my highest priority. If you would >> like to provide feedback on your case you may contact my manager at >> ramagane at Microsoft dot com >> >> -----Original Message----- >> From: Obaid Farooqi >> Sent: Friday, April 6, 2018 12:47 PM >> To: "'Tim Beale'" <timbe...@catalyst.net.nz> >> Cc: "cifs-protocol@lists.samba.org" <cifs-protocol@lists.samba.org>; >> "MSSolve Case Email" <casem...@microsoft.com> >> Subject: [REG:118040517948537] MS-ADTS: msDS-ResultantPSO and >> DOMAIN_USER_RID_KRBTGT discrepancy >> >> Hello Tim >> >> We have created a case; 118040517948537, to track your inquiry and an >> Escalation Engineer will contact you to assist further. >> >> Best Regards, >> Tarun Chopra | Sr. Escalation Engineer Open Specifications Support >> Team Work +1-425-705-5042 Email tarun.cho...@microsoft.com >> Monday-Friday 9:00a-6:00p Pacific Timezone >> >> -----Original Message----- >> From: Tim Beale <timbe...@catalyst.net.nz> >> Sent: Thursday, April 5, 2018 2:00 PM >> To: Interoperability Documentation Help <doch...@microsoft.com>; >> cifs-protocol@lists.samba.org >> Subject: MS-ADTS: msDS-ResultantPSO and DOMAIN_USER_RID_KRBTGT >> discrepancy >> >> Hi, >> >> I'm looking into the behaviour of msDS-ResultantPSO and found a discrepancy >> between the specification and the actual behaviour. >> >> In MS-ADTS, section 3.1.1.4.5.36 msDS-ResultantPSO [1], it says the >> following: >> >> If the RID in U!objectSid is equal to DOMAIN_USER_RID_KRBTGT, then there >> is no value in this attribute. >> >> I tried adding a PSO object and applying it to the krbtgt user on a Windows >> 2012R2 VM. Based on the spec, I would expect no msDS-ResultantPSO to be >> returned for the krbtgt user. However, I do see one returned, e.g. >> >> # record 1 >> dn: >> CN=krbtgt,CN=Users,DC=WINDOWS2012R2,DC=WIN,DC=TIM,DC=WGTN,DC=CAT-IT,D >> C= >> CO,DC=NZ >> objectSid: S-1-5-21-886655096-618523297-2770022155-502 >> msDS-ResultantPSO: CN=dummy-PSO,CN=Password Settings >> Container,CN=System,DC=WINDOWS2012R2,DC=WIN,DC=TIM,DC=WGTN,DC=CAT-IT, >> DC= >> CO,DC=NZ >> >> You can see the RID in the objectSid is 502, which is >> DOMAIN_USER_RID_KRBTGT. >> >> Could you please clarify which is incorrect - the specification or the >> Windows behaviour? Or have I misunderstood something? >> >> Thanks, >> Tim >> >> [1] >> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsdn >> .mi >> crosoft.com%2Fen-us%2Flibrary%2Fcc223866.aspx&data=02%7C01%7Cdochelp% >> 40w >> indows.microsoft.com%7Ce172420a92714a01130f08d59b383228%7C72f988bf86f >> 141 >> af91ab2d7cd011db47%7C1%7C0%7C636585588018722990&sdata=KdE0SNnF0Xy3GBj >> np8 >> UKzXt4GB9xQ2j0fFKuUZaD9JI%3D&reserved=0 >> >> _______________________________________________ cifs-protocol mailing list cifs-protocol@lists.samba.org https://lists.samba.org/mailman/listinfo/cifs-protocol
