2.2.1.3.7 NL_TRUST_PASSWORD

The NL_TRUST_PASSWORD structure defines a buffer for carrying a computer account password, or a trust password, to be transmitted over the wire. It SHOULD<23> be transported as an input parameter to the NetrServerPasswordSet2 method, as specified in section 3.5.4.4.6. Domain members use NetrServerPasswordSet2 to change their computer account password. The primary domain controller uses NetrServerPasswordSet2 to change trust passwords for all directly trusted domains. The NL_TRUST_PASSWORD structure is encrypted using the negotiated encryption algorithm before it is sent over the wire.<24>

 typedef struct _NL_TRUST_PASSWORD {
   WCHAR Buffer[256];
   ULONG Length;
 } NL_TRUST_PASSWORD,
  *PNL_TRUST_PASSWORD;

Buffer: Array of Unicode characters that is treated as a byte buffer containing the password, as follows:

  • For a computer account password, the buffer has the following format:

Computer account password buffer format

Figure 4: Computer account password buffer format

The first (512 – Length) bytes MUST be randomly generated data that serves as an additional source of entropy during encryption. The last Length bytes of the buffer MUST contain the clear text password.

  • For a domain trust password, the buffer has the following format:

Domain trust password buffer format

Figure 5: Domain trust password buffer format

The last Length bytes of the buffer contain the clear text password. The 12 bytes preceding the password are filled with the password version information as defined below. The rest of the buffer is filled with randomly generated data.

  • The PasswordVersion part of the preceding diagram has the following format:

Password version buffer format

Figure 6: Password version buffer format

Where ReservedField, PasswordVersionNumber, and PasswordVersionPresent are the fields of the NL_PASSWORD_VERSION structure, as specified in section 2.2.1.3.8. The PasswordVersionPresent field is used to indicate whether the buffer contains a computer account password or a trust password: If the value of the PasswordVersionPresent field is 0x02231968, then the buffer contains a trust password; otherwise the buffer contains a computer account password.

Length: The length of the password, in bytes.