The documentation in MS-KILE 3.4.5.1 on DCE_STYLE is very terse, and fails to clarify a few points, one of which is preventing interoperability with Windows Vista.
The client MUST generate an additional AP reply message exactly as the server would ([RFC4120] section 3.2.4) as the final message to send to the server. In GSS terms, the client must return success and a message to the server. It is up to the application to deliver the message to the server. The server MUST receive the additional AP reply message and verify that the message is constructed correctly ([RFC4120] section 3.2.5). What is unclear here is how the sequence numbers, exchanged in this message, are expected to be updated. For example, with a WinXP clients, and arcfour-hmac-md5 encryption, the sequence number (as maintained by the client, and seen on the server) is unaffected by the receipt of this extra message. In Heimdal's implementation here, we reset the sequence numbers after verifying the AP_REP at line 690. http://git.samba.org/?p=samba.git;a=blob;f=source/heimdal/lib/gssapi/krb5/accept_sec_context.c;h=73b93ceba4c6bb472c546afd52981bcf13051173;hb=v4-0-test However, when GSSAPI CFX is used, and therefore an AES key is negotiated by a Windows Vista client to a Samba4 server, the client seems to require that the remote (from the server's persective) sequence number be increased by 1. (ie, adding 1 to r_seq_number at like 690 allows the next gss_unwrap to match the expected sequence number correctly, in the DRSUAPI bind portion of a Vista SP1 domain join). Simiarly, you will note in line 606, that we must disable timestamp verification. While the client code (like 663) is comparatively sane... http://git.samba.org/?p=samba.git;a=blob;f=source/heimdal/lib/gssapi/krb5/init_sec_context.c;h=c455a5dc8b7246c0c8e795206be5b9c3db114cb8;hb=v4-0-test It seems that this is more than a simple role reversal, and the docs need to be expanded to clarify this. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.
signature.asc
Description: This is a digitally signed message part
_______________________________________________ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol
