LSA and trusted domains

MS-LSAD and MS-ADTS discuss trusted domains, but nowhere is there a good protocol overview, showing the actions and impacts from the top down. I had thought I would just work on the details, and look at network traces for the high level, but in retrospect this was a poor approach.

Could you please provide an overview of this area?

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol
RE: LSA and trusted domains

Good morning Andrew - thank you for your questions.

I have opened a new case for you concerning this (SRX080902600070 [MS-ADTS]: LSA and trusted domains overview); since I am working another case in this area for you (SRX080811600226 [MS-NRPC] 2.2.1.3.12 Trust Account Details), I have taken ownership of the new case, and will begin my investigations as soon as possible.

I will advise you of my progress by close of business tomorrow, at the latest.

Regards,

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606
We're Hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
RE: LSA and trusted domains

Good morning again Andrew. I meant to update you yesterday, but was out of the office due to minor illness.

I am currently working on detailing the gaps between the below link/documents and the sort of high level / overview descriptions you are asking after. I hope to have a descriptive format ready for your review within the next several days - and will send you what I have developed as soon as I can, and certainly before our next conference call.

The following links are fairly comprehensive for TechNet content that covers trusts.

Managing Trusts
http://technet.microsoft.com/en-us/library/cc771568.aspx (Windows Server 2008)

Understanding Trusts
http://technet.microsoft.com/en-us/library/cc731335.aspx (Active Directory Concepts)

Understanding Trusts
http://technet.microsoft.com/en-us/library/cc736874.aspx

Managing Forest Trusts
http://technet.microsoft.com/en-us/library/cc772440.aspx

Trust Technologies
http://technet.microsoft.com/en-us/library/cc759554.aspx

How Domain and Forest Trusts Work
http://technet.microsoft.com/en-us/library/cc773178.aspx
  * Component and trust relationship diagrams

Logon and Authentication Technologies
http://technet.microsoft.com/en-us/library/cc780455.aspx
  * LSA Architecture diagram

Regards,

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
New case: SRX080910600015: [MS-ADA3]: 2.44 Elaborate on objectSid definition

Good morning Andrew. I have created the new case as noted in the Subject line. I expect you will be happy to know that we are initiating a strong recommendation that the objectSid definition in [MS-ADA3] be modified as shown below. Thank you for your persistence on this topic.

I will keep you advised of progress!

Change:

2.44 Attribute objectSid
This attribute specifies a binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. For more information on the SID data type, refer to [MS-DTYP] section 2.4.2. SID usage is also discussed in [MS-ADTS], in particular in section 3.1.1.1.3.

To:

2.44 Attribute objectSid
This attribute specifies a variable-length byte array value that specifies the security identifier (SID) of the user. For more information on the SID data type, refer to [MS-DTYP] section 2.4.2. It also may be represented as a UTF-8 string that is a valid SDDL SID string beginning with "S-" (see [MS-DTYP] sections 2.4.2 and 2.5.1, and [MS-ADTS] 3.1.1.3.1.2.5). The SID is a unique value used to identify the user as a security principal. SID usage is also discussed in [MS-ADTS], in particular in section 3.1.1.1.3.

Regards,

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Re: New case: SRX080910600015: [MS-ADA3]: 2.44 Elaborate on objectSid definition

On Wed, 2008-09-10 at 03:34 -0700, Bill Wesse wrote:
> Good morning Andrew. I have created the new case as noted in the
> Subject line. I expect you will be happy to know that we are
> initiating a strong recommendation that the objectSid definition in
> [MS-ADA3] be modified as shown below. Thank you for your persistence
> on this topic.

No worries.

> I will keep you advised of progress!
>
> Change:
>
> 2.44 Attribute objectSid
> This attribute specifies a binary value that specifies the security
> identifier (SID) of the user. The SID is a unique value used to
> identify the user as a security principal. For more information on the
> SID data type, refer to [MS-DTYP] section 2.4.2. SID usage is also
> discussed in [MS-ADTS], in particular in section 3.1.1.1.3.
>
> To:
>
> 2.44 Attribute objectSid
> This attribute specifies a variable-length byte array value that
> specifies the security identifier (SID) of the user. For more
> information on the SID data type, refer to [MS-DTYP] section 2.4.2. It
> also may be represented as a UTF-8 string that is a valid SDDL SID
> string beginning with "S-" (see [MS-DTYP] sections 2.4.2 and 2.5.1,
> and [MS-ADTS] 3.1.1.3.1.2.5). The SID is a unique value used to
> identify the user as a security principal. SID usage is also discussed
> in [MS-ADTS], in particular in section 3.1.1.1.3.

That looks good.

Let me know how you go - I had understood from the call that we were at a stalemate, so I'm particularly glad to see this (potentially) moving forward.

Andrew Bartlett
RE: LSA and trusted domains

Good morning Andrew. I have attached a PDF document that describes creating an outbound trust account from 'DC.DOMAIN1.COM' to a domain to be trusted by this domain on 'DC.DOMAIN1.COM' only, without verification. Both domain controllers are Windows Server 2008, and both domains are at Windows Server 2008 domain/forest functional level.

The document is a sample, of course, and is not complete by any means; but it does break down the indicated transaction in detail (and includes some basic normative and informative references).

I would like your input concerning whether or not this is the type and level of information you are looking for concerning an overview of domain trust overview / high-level description.

I want to make sure we thoroughly understand the specific details you are asking about.

Thank you in advance for your time.

Regards,

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
RE: New case: SRX080910600015: [MS-ADA3]: 2.44 Elaborate on objectSid definition

Good morning Andrew.

Per your inquiry concerning elaboration on the objectSid definition, I am sending you a copy of an update to the documentation as shown below (the second paragraph is new content). Please let me know if this answers your question satisfactorily; if so, I will consider your question resolved. Thanks for helping us improve our documentation.

==============================================================================
[MS-ADA3]: Active Directory Schema Attributes N-Z

2.44 Attribute objectSid

This attribute specifies a binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. For more information on the SID data type, refer to [MS-DTYP] section 2.4.2. SID usage is also discussed in [MS-ADTS], in particular in section 3.1.1.1.3.

Because this is an attribute of String(SID) syntax, an application writing to this attribute via the LDAP protocol can specify a value for this attribute as a valid SDDL SID string, as specified in [MS-ADTS] section 3.1.1.3.1.2.5. The directory service will convert that value to its binary value equivalent.

cn: Object-Sid
ldapDisplayName: objectSid
attributeId: 1.2.840.113556.1.4.146
attributeSyntax: 2.5.5.17
omSyntax: 4
isSingleValued: TRUE
schemaIdGuid: bf9679e8-0de6-11d0-a285-00aa003049e2
systemOnly: TRUE
searchFlags: fPRESERVEONDELETE | fATTINDEX
rangeLower: 0
rangeUpper: 28
attributeSecurityGuid: 59ba2f42-79a2-11d0-9020-00c04fc2d3cf
mapiID: 32807
isMemberOfPartialAttributeSet: TRUE
systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL

Version-Specific Behavior: Implemented on Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2, and Windows Server 2008.

In Windows 2000 Server, the following attributes are defined differently:
systemOnly: FALSE

The schemaFlagsEx attribute was added to this attribute definition in Windows Server 2008.
==============================================================================

Regards,

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM

-----Original Message-----
From: Andrew Bartlett
Sent: Wednesday, September 10, 2008 8:30 AM
To: Bill Wesse
Subject: Re: New case: SRX080910600015: [MS-ADA3]: 2.44 Elaborate on objectSid definition

That looks good.

Let me know how you go - I had understood from the call that we were at a stalemate, so I'm particularly glad to see this (potentially) moving forward.

Andrew Bartlett
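The documentation text above says objectSid is stored as a binary SID, but an LDAP writer may supply a valid SDDL SID string ("S-...") and the directory converts it. The Python below is an added example, not code from this thread, from Microsoft or from Samba: it implements both directions of that conversion using the binary layout from [MS-DTYP] section 2.4.2 (one-byte revision, one-byte sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities) and a normalize_objectsid helper that accepts either form and enforces the schema's rangeUpper of 28, which the example treats as a byte length (an assumption). Function and constant names and the sample SID values are constructed for the example.

```python
import re
import struct

# Binary SID layout as described in [MS-DTYP] section 2.4.2:
#   Revision            1 byte   (1 for every SID in use today)
#   SubAuthorityCount   1 byte   (at most 15 per [MS-DTYP])
#   IdentifierAuthority 6 bytes, big-endian
#   SubAuthority[n]     4 bytes each, little-endian
MAX_SUB_AUTHORITIES = 15

# rangeUpper from the schema excerpt; treated here as a byte length (assumption).
OBJECTSID_RANGE_UPPER = 28

# SDDL SID string shape: "S-" revision "-" authority ("-" subauthority)*.
# The authority is written in decimal below 2**32 and as 0x-prefixed hex above.
_SDDL_SID_RE = re.compile(r"^S-(\d+)-(0[xX][0-9A-Fa-f]+|\d+)((?:-\d+)*)$")


def sddl_to_sid_bytes(text):
    """Parse an SDDL SID string such as 'S-1-5-21-...' into its binary form."""
    m = _SDDL_SID_RE.match(text)
    if m is None:
        raise ValueError("not a well-formed SDDL SID string: %r" % (text,))
    revision = int(m.group(1))
    auth_text = m.group(2)
    authority = int(auth_text, 16) if auth_text.lower().startswith("0x") else int(auth_text)
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 6 bytes")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities (%d)" % len(subs))
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority does not fit in 4 bytes")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_bytes_to_sddl(raw):
    """Render a binary SID back into SDDL form, validating the layout first."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > MAX_SUB_AUTHORITIES:
        raise ValueError("bad SID header (revision %d, count %d)" % (revision, count))
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length %d does not match SubAuthorityCount %d" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    auth_text = "%d" % authority if authority < 1 << 32 else "0x%X" % authority
    return "S-%d-%s" % (revision, auth_text) + "".join("-%d" % s for s in subs)


def normalize_objectsid(value):
    """Accept either representation an LDAP writer may supply and return the
    binary form the directory would store, enforcing rangeUpper."""
    if isinstance(value, str):
        raw = sddl_to_sid_bytes(value)
    elif isinstance(value, (bytes, bytearray)):
        raw = bytes(value)
        sid_bytes_to_sddl(raw)  # validates the binary layout, result unused
    else:
        raise TypeError("objectSid must be bytes or an SDDL SID string")
    if len(raw) > OBJECTSID_RANGE_UPPER:
        raise ValueError("objectSid of %d bytes exceeds rangeUpper %d"
                         % (len(raw), OBJECTSID_RANGE_UPPER))
    return raw


def is_valid_objectsid(value):
    """True when the value would be accepted by normalize_objectsid."""
    try:
        normalize_objectsid(value)
    except (ValueError, TypeError):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a domain user SID of the usual S-1-5-21-x-y-z-RID shape.
    sample = "S-1-5-21-3623811015-3361044348-30300820-1013"
    raw = normalize_objectsid(sample)
    print(len(raw), raw.hex())            # 28 bytes
    print(sid_bytes_to_sddl(raw))         # round-trips to the same string
    print(is_valid_objectsid("S-1-5-21-1-2-3-4-5"))  # False: 32 bytes > rangeUpper
```

Note that 28 bytes is exactly the size of a SID with five sub-authorities, which is the shape of a domain-relative SID such as S-1-5-21-x-y-z-RID (8-byte header plus 5 × 4 bytes); a string with a sixth sub-authority parses as a SID but is rejected by the rangeUpper check, which is the kind of input-length boundary a directory implementation has to enforce before storing the converted value.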
RE: New case: SRX080910600015: [MS-ADA3]: 2.44 Elaborate on objectSid definition

On Wed, 2008-09-24 at 08:46 -0700, Bill Wesse wrote:
> Good morning Andrew.
>
> Per your inquiry concerning elaboration on the objectSid definition, I
> am sending you copy of an update to the documentation as shown below
> (the second paragraph is new content).

Yay! I like it :-)

Thanks for your persistence.

Andrew Bartlett
RE: New case: SRX080910600015: [MS-ADA3]: 2.44 Elaborate on objectSid definition

You are completely welcome - and thank you for *your* persistence!

Regards,

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
RE: LSA and trusted domains

On Thu, 2008-09-11 at 09:00 -0700, Bill Wesse wrote:
> Good morning Andrew. I have attached a PDF document that describes
> creating an outbound trust account from 'DC.DOMAIN1.COM' to a domain
> to be trusted by this domain on 'DC.DOMAIN1.COM' only, without
> verification. Both domain controllers are Windows Server 2008, and
> both domains are at Windows Server 2008 domain/forest functional
> level.
>
> The document is a sample, of course, and is not complete by any means;
> but it does break down the indicated transaction in detail (and
> includes some basic normative and informative references).
>
> I would like your input concerning whether or not this is the type and
> level of information you are looking for concerning an overview of
> domain trust overview / high-level description.
>
> I want to make sure we thoroughly understand the specific details you
> are asking about.

setting up an SMB session to set up an RPC pipe as the details about the CreateTrustedDomain call, and the pre-requisites to those calls.

Andrew Bartlett
RE: LSA and trusted domains

Good morning again Andrew - here is a much more complete version of the document. It is still rough around the edges, and we have not yet determined the ultimate disposition of it. We may use parts of it for forthcoming documents, or keep it as a separate scenario document.

Please note all traffic and detail is against Windows 2008 servers only.

I will await your evaluation of the contents!

Regards,

Bill Wesse
MCSE, MCTS / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
RE: LSA and trusted domains overview (SRX080902600070)

Good morning again Andrew. I have (once again) attached the latest copy of the document. This document will not be part of the protocol documentation set.

Aside from the unencrypted versions of the network frames in the document (which I will get to as soon as I can), I would like to know if I have answered all of your questions - and where I may have missed the target.

Regards,

Bill Wesse
MCSE, MCTS / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
RE: LSA and trusted domains overview (SRX080902600070)

On Fri, 2008-11-07 at 09:05 -0800, Bill Wesse wrote:
> Good morning again Andrew. I have (once again) attached the latest
> copy of the document. This document will not be part of the protocol
> documentation set.
>
> Aside from the unencrypted versions of the network frames in the
> document (which I will get to as soon as I can), I would like to know
> if I have answered all of your questions - and where I may have missed
> the target.

Sadly, this is way off target. I meant it when I said it was a good start - this is the first chapter, not the complete reference.

A trusted domain relationship exists to be used - I need to have a clear overview of how authentication and other information flows between trusted domains.

Is DRS synchronisation used? How is it used and between what trust types?
How does a domain know which other domain to contact about an attempted login with a user principal name?
How are the transitive trust relationships followed to allow access to a resource in some far-away domain?
When a user (from a trusted domain) is added to a security descriptor, how is that name resolved?
What purpose does the global catalog take in trusted domain environments and how is it consulted when dealing with inter-forest trusts?

These are just some of the questions I would expect an overview of trusted domains to show (with links to the explicit details of calls, but 200 pages of packet captures isn't a substitute for real detail).

Andrew Bartlett
RE: LSA and trusted domains overview (SRX080902600070)

Hello Andrew - I agree with you totally, and can't thank you enough for the questions you listed.

So, given the scope of what needs to be accomplished here - and who should perform the work - we have brought a number of internal parties into deciding precisely that. At this time, I cannot hazard a guess as to how much of this will be part of our in-progress system documents, or how much will be authored in my group, and how much in documentation development. I do, however, expect this will be resolved within the next week, and I will notify you as soon as the determination is made.

Regards,

Bill Wesse
MCSE, MCTS / Escalation Engineer, US-CSS DSC PROTOCOL TEAM