Hi, Andrew,

>Is the element stored 'as sent', or is it processed to add a version field?  

ANS: After code review, I confirmed that AuthenticationInformation is 
decrypted into LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION (as specified in 
2.2.7.11), then is just copied straightforwardly into the TrustAuthIncoming and 
TrustAuthOutgoing properties as specified in 7.1.6.9.1 MS-ADTS. As you know, 
LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION is a structure and the TrustAuthIncoming 
and TrustAuthOutgoing properties are String(Octet), so there is certainly some 
calculation of offsets required as per the layout of the properties, but 
there is no new field added when marshaling the structure to the octet string 
saved in the properties.

>Can the client send the previousAuthentication details, or is that maintained 
>by the server?

ANS: Yes, the client can send the previousAuthentication for both incoming 
and outgoing AuthenticationInformation through LsarCreateTrustedDomainEx2. If it 
is sent, the server will save it to the previousAuthenticationInformation part 
of the property (7.1.6.9.1 MS-ADTS). If it is not sent, the 
previousAuthenticationInformation in the property will be the same as the current 
AuthenticationInformation, since this is a new TDO being created and there is no 
previous information available.


>In LsarSetInformationTrustedDomain
>http://msdn.microsoft.com/en-us/library/cc234385%28v=PROT.13%29.aspx
>Does the client or the server maintain the previous password and version 
>information in the blob in the "trustAuthIncoming"?

ANS: The server will be responsible for updating the previous authentication 
information in the "TrustAuthIncoming" property. When the server receives this 
call, it will first query the information about the trusted domain object (TDO) 
identified by the TrustedDomainHandle passed into 
LsarSetInformationTrustedDomain. Then the server will save the returned 
trusted domain information as previousAuthentication and the passed 
authenticationInformation as the new AuthenticationInformation in the 
TrustAuthIncoming property.

Please let me know if you have more questions.

Thanks!

Hongwei
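To make the offset calculation and the current/previous split discussed above concrete, here is an added example (editor's code, not from the thread, Samba or Microsoft) that marshals and parses a TrustAuthIncoming/TrustAuthOutgoing octet string using the trustAuthInfo layout from the MS-ADTS section the reply cites: Count, CurrentOffset, PreviousOffset, then per-entry FILETIME, AuthType, AuthInfoLength and AuthInfo padded to 4 bytes. That layout, the AuthType numbers and the sample values are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone
# AuthType values of the per-entry records (from MS-LSAD; assumed here, not quoted in the thread).
TRUST_AUTH_TYPE_NT4OWF, TRUST_AUTH_TYPE_CLEAR, TRUST_AUTH_TYPE_VERSION = 1, 2, 3
TYPE_NAMES = {0: "NONE", 1: "NT4OWF", 2: "CLEAR", 3: "VERSION"}
HEADER_LEN = 12  # Count, CurrentOffset, PreviousOffset: three little-endian DWORDs

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def _parse_entries(blob, off, count):
    """Read `count` records at `off`: FILETIME, AuthType, AuthInfoLength, AuthInfo, pad to 4."""
    entries = []
    for _ in range(count):
        last_update, auth_type, length = struct.unpack_from("<QII", blob, off)
        off += 16
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("AuthInfo record runs past the end of the blob")
        off = (off + length + 3) & ~3  # each record is padded to a 4-byte boundary
        entries.append({"time": filetime_to_dt(last_update),
                        "type": TYPE_NAMES.get(auth_type, auth_type), "data": data})
    return entries

def parse_trust_auth_blob(blob):
    """Split a trustAuthIncoming/trustAuthOutgoing octet string into current and previous lists."""
    count, cur_off, prev_off = struct.unpack_from("<III", blob, 0)
    return {"current": _parse_entries(blob, cur_off, count),
            "previous": _parse_entries(blob, prev_off, count)}

def build_trust_auth_blob(current, previous):
    """Marshal (filetime, auth_type, data) tuples, working out the offsets the server must compute."""
    if len(previous) != len(current):
        raise ValueError("previous must hold as many entries as current")
    def marshal(entries):
        out = b""
        for ft, auth_type, data in entries:
            rec = struct.pack("<QII", ft, auth_type, len(data)) + data
            out += rec + b"\0" * (-len(rec) % 4)
        return out
    cur, prev = marshal(current), marshal(previous)
    return struct.pack("<III", len(current), HEADER_LEN, HEADER_LEN + len(cur)) + cur + prev

# Constructed sample: a new TDO whose client sent no previous info, so previous == current.
NOW = 130000000000000000  # an arbitrary FILETIME (mid-December 2012)
SAMPLE_CURRENT = [(NOW, TRUST_AUTH_TYPE_CLEAR, "Tru5t!".encode("utf-16-le")),
                  (NOW, TRUST_AUTH_TYPE_VERSION, struct.pack("<I", 1))]
SAMPLE_BLOB = build_trust_auth_blob(SAMPLE_CURRENT, SAMPLE_CURRENT)
```

Note that a CLEAR entry carries the trust password itself, so anything that reads these attributes out of the directory is handling the same secret the LSA call sent encrypted under the session key.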

  
-----Original Message-----
From: Andrew Bartlett [mailto:abart...@samba.org] 
Sent: Tuesday, August 30, 2011 7:54 AM
To: Interoperability Documentation Help
Cc: cifs-protocol@cifs.org
Subject: Handling of passwords in LSA CreateTrustedDomainInfoEx2

In CreateTrustedDomainInfoEx2

http://msdn.microsoft.com/en-us/library/cc234380%28v=PROT.13%29.aspx

I'm wondering if I could get an expansion on:

AuthenticationInformation: A structure containing authentication information 
for the trusted domain. The server first MUST decrypt this data structure using 
an algorithm (as specified in section 5.1.1) with the key being the session key 
negotiated by the transport. The server then MUST unmarshal the data inside 
this structure and then store it into a structure whose format is specified in 
section 2.2.7.11. This structure MUST then be stored on Trust Incoming and 
Outgoing Password properties.

In particular, what elements become assigned to "trustAuthIncoming" and 
"trustAuthOutgoing"?

Is the element stored 'as sent', or is it processed to add a version field?  

Can the client send the previousAuthentication details, or is that maintained 
by the server?

In LsarSetInformationTrustedDomain
http://msdn.microsoft.com/en-us/library/cc234385%28v=PROT.13%29.aspx

Does the client or the server maintain the previous password and version 
information in the blob in the "trustAuthIncoming"?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
